How to prevent business email compromise (BEC) in 2026
The short answer
To prevent business email compromise, enforce DMARC at p=reject so receiving servers reject any email that fails authentication, then layer DNS monitoring, brand impersonation detection, payment-verification steps, and staff training on top. DMARC at enforcement stops attackers from sending email that appears to come from your exact domain, which is the foundation of most BEC. The other layers close the gaps that remain once exact-domain spoofing is off the table.
Quick protection guide
What you're stopping | The control that stops it | Red Sift suitable product |
Exact-domain spoofing | DMARC at p=reject (with SPF and DKIM) | Red Sift OnDMARC |
Lookalike domain impersonation | Lookalike detection and takedown | Red Sift Brand Trust |
Subdomain takeover, dangling DNS, parked domain abuse | Continuous DNS monitoring | DNS Guardian (via OnDMARC) |
Misconfigurations before attackers find them | AI-opitmized security fix | Red Sift Radar (via OnDMARC) |
What is business email compromise?
Business email compromise (BEC) is a cyberattack where criminals impersonate an executive, vendor, or trusted partner over email to trick an employee into transferring funds, changing payment details, or handing over sensitive data. Unlike malware-based attacks, BEC emails carry no malicious attachment or URL, so they don't trigger traditional security filters. They work by exploiting human psychology, trust, and urgency rather than a technical flaw.
In 2025, BEC accounted for $3.05 billion in reported losses, making it one of the costliest categories of cybercrime [1]. The reason it keeps paying off is simple economics. A single successful wire-transfer request nets an attacker real money for the price of a well-written email, and the people being targeted are doing exactly what their job asks them to do.
Why are BEC attacks are so dangerous?
Unlike traditional malware-based attacks, BEC schemes exploit human psychology rather than technical vulnerabilities. Attackers meticulously study organizational hierarchies, communication patterns, and business processes to craft convincing impersonation attempts that bypass conventional security controls.
BEC attacks are particularly dangerous because they bypasses the controls most companies rely on.
These attacks:
- Contain no malicious attachments or links, so they look legitimate and pass conventional filters
- Exploit trust by impersonating executives, vendors, or partners someone already knows
- Target high-value moments like wire transfers, invoice payments, and data requests
- Use social engineering, not technical indicators, which makes them hard to detect after the fact
BEC, email spoofing, and impersonation: how they connect
Email spoofing and email impersonation are the techniques. Business email compromise is the outcome they're used to achieve. Getting the terms straight matters, because the defense for each is different.
Email spoofing is forging the "From" address so a message appears to come from a domain the attacker doesn't own. When an attacker spoofs your exact domain (yourcompany.com), the email is indistinguishable from a real one unless you've published a DMARC policy that tells receivers to reject it.
Email impersonation is the broader category. It includes exact-domain spoofing, but also lookalike domains (yourc0mpany.com), display-name tricks, and compromised accounts. Stopping it takes more than one control.
Here's the practical split. DMARC at p=reject removes exact-domain spoofing entirely, because receiving servers reject anything that isn't authenticated to come from you. Lookalike impersonation needs brand monitoring that finds and takes down domains designed to resemble yours. Compromised-account attacks need multi-factor authentication and inbound filtering. A complete BEC defense covers all three, and most companies only cover one.
The current BEC threat landscape
The statistics paint a sobering picture of BEC's growing impact:
Financial impact
- BEC attacks cost an average of $4.89 million per incident, making them the second most expensive breach type, and accounted for 73% of all reported cyber incidents in 2024. [2]
- The average wire transfer request from a BEC attack was $24,586 as of early 2025
- Over the past three years, reported BEC losses reached almost $8.5 billion in the United States alone [3]
Attack frequency
- BEC attacks grew by 30% year-over-year as of March 2025 [2]
- BEC attacks make up more than 50% of all social engineering incidents
- Even small organizations (under 1,000 employees) face a 70% weekly probability of experiencing at least one BEC attempt
Evolving tactics
- Wire transfer BEC attacks increased by 24% compared to the previous quarter [4]
- Attackers increasingly using AI tools to craft more sophisticated and convincing fraudulent communications [1]
- Vendor Email Compromise (VEC) attacks rose 66% in the first half of 2024 [5]
The five types of BEC attacks
The FBI identifies five common forms of BEC. Knowing which ones target your teams tells you where to focus verification and training.
1. CEO fraud
Attackers impersonate a senior executive to request an urgent wire transfer or sensitive information. These attacks lean on authority and time pressure to push an employee past normal checks.
2. Account compromise
Criminals gain access to a real employee's email account and use it to request vendor payments or redirect funds. Because the email comes from a genuine account, it's harder to spot and often passes authentication.
3. False invoice schemes
Scammers pose as a supplier and submit a fake invoice or request a change to payment details. Accounts payable teams are the usual target, and the routine nature of vendor payments works in the attacker's favor.
4. Attorney impersonation
Attackers pretend to be a lawyer or legal representative, often targeting junior employees who are less likely to question the request. These tend to coincide with mergers, acquisitions, or other sensitive events.
5. Data theft
These attacks target HR and finance staff to obtain personal information about executives and employees, which then fuels future attacks or gets sold on.
How to defend against business email compromise
You defend against business email compromise with layers, starting at the source and working outward. No single control covers every form of impersonation, so a real defense combines email authentication, DNS hygiene, brand monitoring, payment process, and people.
Layer 1: Stop exact-domain spoofing with DMARC at enforcement
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is the control that removes the foundation of most BEC. At a policy of p=reject, it tells receiving servers to reject any email that fails authentication, so attackers can't send mail that appears to come from your exact domain.
Get there in three moves. Publish SPF and DKIM and confirm they pass and align. Start DMARC at p=none to see who's sending on your behalf. Tighten to p=quarantine, then p=reject once your legitimate senders all authenticate cleanly. A policy of p=quarantine isn't enough on its own, because fraudulent mail still lands in spam folders where a recipient can find and act on it.
Red Sift OnDMARC automates the parts that stall most projects and gets organizations to full enforcement in 6 to 8 weeks. Manual DMARC projects regularly run six months or longer, and many never reach enforcement at all.
Layer 2: Stop lookalike impersonation with brand monitoring
Once your exact domain is locked down with DMARC, attackers move to lookalike domains that resemble yours. DMARC can't help here, because the attacker owns the lookalike domain. Red Sift Brand Trust finds newly registered lookalikes, scores their risk using signals like logo use and page content, and drives takedowns before they're used against your customers.
Layer 3: Close your DNS gaps
Attackers also exploit the parts of your DNS you've forgotten about. Three gaps matter most:
- Parked domains. Domains you own but don't actively use for email often have no DMARC record, so they can be spoofed freely. Publish a DMARC record at p=reject on every domain you own, active or not.
- Dangling DNS. A DNS record (often a CNAME) that points to a service you no longer control can be claimed by an attacker, who then sends authenticated email or hosts content on your subdomain.
- Subdomain takeover. The 2024 SubdoMailing campaign hijacked thousands of subdomains belonging to major brands by exploiting exactly these gaps, then sent phishing that passed SPF, DKIM, and DMARC because it came from legitimate infrastructure.
DNS Guardian, built into OnDMARC, monitors your DNS continuously for dormant subdomains, dangling CNAMEs, and takeover risk. For a deeper walkthrough of layered domain defense, see our guide to defending against domain impersonation.
Layer 4: Verify the money
Authentication stops the impersonation. Process stops the loss when an attacker gets through another way, like a compromised account. Require out-of-band verification (a phone call to a known number) for every payment change and wire transfer. Use dual-control approval above a set threshold. Build a clear escalation path so a suspicious request gets a second look without slowing the business to a crawl.
Layer 5: Train the people in the firing line
Finance, HR, and executive assistants are the most-targeted roles, so train them on the specific scenarios they'll see, not generic awareness slides. Run phishing simulations. Make it easy to report a suspicious email and make sure nobody gets punished for flagging one that turns out to be real.
How to check if your domain is being spoofed
To check if your domain is being spoofed, run a free DMARC check with Red Sift Investigate and review your DMARC aggregate reports for sending sources you don't recognize. The check takes about 30 seconds and shows whether your SPF, DKIM, and DMARC are set up and whether your policy is actually blocking unauthenticated mail.
DMARC aggregate reports are the real tell. Once you're collecting them, they list every source sending mail that claims to be from your domain. Sources you can't account for are either shadow IT you didn't know about or someone spoofing you. A monitoring tool turns those raw XML reports into a readable sender list so you can act on them. For a step-by-step approach, see our guide to identifying and preventing email spoofing.
How Red Sift OnDMARC stops BEC at the source
Red Sift OnDMARC is an automated DMARC application that helps organizations reach enforcement quickly and keep it there. It prevents BEC by removing the attacker's easiest path, which is sending mail from your real domain.
- Fast path to enforcement. OnDMARC gets customers to p=reject in 6 to 8 weeks by translating aggregate reports into a clear sender dashboard.
- Dynamic Services. Manage SPF, DKIM, DMARC, and MTA-STS from one interface, which removes configuration errors and solves the SPF 10-lookup limit without manual record surgery.
- DNS Guardian. Continuous DNS monitoring that catches subdomain takeover, dangling DNS, and SubdoMailing-style abuse before attackers can use them.
- Radar. AI-driven analysis that flags misconfigurations and gaps before they become an incident.
DMARC or a secure email gateway: which stops BEC?
This trips a lot of teams up, so it's worth being precise. DMARC and secure email gateways solve different halves of the problem.
DMARC (email authentication) | Secure email gateway (SEG) | |
What it protects | Your domain's outbound identity | Your inbound inbox |
Where it acts | At receiving servers worldwide | At your mail perimeter |
Stops exact-domain spoofing of you | Yes, at p=reject | No |
Stops lookalike domains | No (brand monitoring tool needed) | Partial (often struggles) |
Stops inbound malware and links | No | Yes |
Role in BEC | Removes the impersonation at source (protecting your brand and customers) | Filters what reaches your team in their inbox |
A gateway filters the bad mail arriving in your inbox. DMARC stops attackers from using your domain to hit everyone else, including your customers and partners, who never see your gateway. For BEC that impersonates your brand, DMARC at p=reject is the control that removes the attack at its source. The two work together, they don't replace each other.
BEC prevention by industry
Different sectors face different BEC pressure, so the emphasis shifts.
- Financial services are high-value targets and carry strict fraud-prevention obligations, so stricter verification on every transaction is the priority.
- Healthcare gets hit for both fraud and data theft, across sprawling networks of facilities and third-party vendors.
- Manufacturing is targeted through complex supplier networks and large invoice values, which makes supply-chain communication the weak point.
- Legal services hold confidential client information and move client funds, so protecting privileged communication matters as much as the money.
Measuring success: BEC prevention metrics
Track these to know your defense is working, not just installed.
Technical metrics
- DMARC policy enforcement rate (target: 100% of domains at p=reject)
- Authentication pass rate for legitimate senders
- Reduction in delivery of unauthenticated mail
Operational metrics
- BEC attempts detected and blocked
- Employee reporting rate for suspicious emails
- Time to verify and process legitimate payment requests
Business metrics
- Reduction in fraud losses
- Improvement in email deliverability (a side benefit of clean authentication)
- Time saved by automating authentication management
How BEC is evolving
BEC keeps changing, and the defense has to keep pace.
- AI-powered attacks. Criminals use text generators to write flawless impersonation and voice cloning to back it up on a phone call. Deepfake video is emerging in higher-value schemes.
- Multi-channel attacks. BEC is spreading beyond email into SMS, voice, and collaboration tools, so the impersonation defense has to extend with it.
- Supply-chain targeting. Vendor email compromise keeps climbing, with attackers exploiting partner relationships to bypass your direct defenses. Push your vendors toward DMARC too.
Your BEC prevention roadmap
Here's a sequence that gets you protected without boiling the ocean.
Week 1: see where you stand
- Run a free DMARC check with Investigate and document every source sending on your behalf
- Put out-of-band verification in place for wire transfers today, before anything technical
- Brief finance, HR, and executive assistants on the five BEC types
Months 1 to 2: lock down the domain
- Deploy OnDMARC and begin the move to enforcement
- Reach p=reject on your primary domain and publish DMARC on parked domains
- Stand up phishing simulations and a clear reporting path
Months 3 to 6: complete the picture
- Extend protection to all subdomains and turn on DNS monitoring
- Add lookalike detection with Brand Trust
- Add BIMI once you're at enforcement, which improves deliverability and brand recognition as a bonus
References
[1] FBI IC3 report. "FBI Internet Crime Report 2025." https://www.ic3.gov/AnnualReport/Reports/2025_IC3Report.pdf
[2] Hoxhunt. "Business Email Compromise Statistics 2025 (+Prevention Guide)." https://hoxhunt.com/blog/business-email-compromise-statistics
[3] NACHA. "FBI's IC3 Finds Almost $8.5 Billion Lost to Business Email Compromise in Last Three Years." https://www.nacha.org/news/fbis-ic3-finds-almost-85-billion-lost-business-email-compromise-last-three-years
[4] Trans Union. "Rising Incidents of BEC and Wire Fraud: Tales from the Front Lines." https://www.transunion.com/blog/bec-wire-fraud-incidentsÂ
[5] Business Email Compromise Statistics https://hoxhunt.com/blog/business-email-compromise-statisticsÂ
Is your organizaion protected against Business Email Compromise?
Jack leads content, PR, GEO, and email security research at Red Sift.




