Business Email Compromise (BEC) is not your grandfather's email scam. These are not badly-worded messages full of typos from a foreign prince. They are meticulously researched attacks, carried out from legitimate, compromised email accounts, written in your exact voice, with accurate knowledge of your banking relationships, travel schedule, and pending transactions. The FBI considers them one of the most financially destructive cybercrime categories in the world.
“Unlike cruder scams that might ask for money in broken English, the note sounded just like him. An attachment with transfer instructions showed intimate knowledge of his accounts.”
— Wall Street Journal, Feb. 2020, reporting on a $450,000 BEC loss

How a BEC Attack Actually Works
BEC attacks have evolved far beyond simple spoofed email addresses. Modern attackers compromise real accounts, then operate silently inside them for weeks before making their move.
Account Compromise
Attackers gain access to a real email account — often through a phishing link or by testing passwords exposed in previous data breaches. Once inside, the victim has no idea.
Reconnaissance
The attacker reads through weeks or months of email threads, learning communication styles, vendor relationships, travel calendars, and pending financial transactions.
Impersonation
Using the real account (not a spoofed address), the attacker sends convincing wire transfer requests to finance staff, assistants, or vendors — in the executive's voice, with accurate context.
Cover Their Tracks
Email rules are created to silently delete any replies or bank confirmations, so the real account owner never sees what's happening. The fraud continues undetected for days.
Wire Transfer
The money lands in an overseas account — typically in Hong Kong or mainland China — where recovery is nearly impossible. The FBI estimates less than 2% of BEC losses are ever recovered.
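The "cover their tracks" step leaves a trace that defenders can hunt for: the inbox rule itself is logged when it is created. The following is an added example, not code from Iron Cove Solutions, Proofpoint, Okta or Microsoft. It scans a handful of constructed records shaped like Microsoft 365 unified audit log entries for the New-InboxRule and Set-InboxRule cmdlets (the parameter names DeleteMessage, MarkAsRead, MoveToFolder, ForwardTo, RedirectTo and the *ContainsWords conditions are the cmdlets' own; the sample values, user names and IPs are made up) and flags rules that hide financially themed replies, forward mail outside the organisation, or carry the one-character rule names typical of account takeover.

```python
import re

# Constructed sample records approximating the shape of Microsoft 365 unified
# audit log entries for New-InboxRule / Set-InboxRule. Not real log data.
SAMPLE_AUDIT_RECORDS = [
    {   # Hiding rule: one-character name, deletes replies about payments
        "Operation": "New-InboxRule", "UserId": "cfo@example.com",
        "ClientIP": "203.0.113.7",
        "Parameters": [
            {"Name": "Name", "Value": "."},
            {"Name": "SubjectOrBodyContainsWords", "Value": "wire;invoice;payment"},
            {"Name": "DeleteMessage", "Value": "True"},
            {"Name": "MarkAsRead", "Value": "True"},
        ],
    },
    {   # Silent forwarding of mail to an address outside the organisation
        "Operation": "Set-InboxRule", "UserId": "ap-clerk@example.com",
        "ClientIP": "198.51.100.42",
        "Parameters": [
            {"Name": "Name", "Value": "Vendor backup"},
            {"Name": "ForwardTo", "Value": "finance-backup@example.net"},
        ],
    },
    {   # Benign housekeeping rule
        "Operation": "New-InboxRule", "UserId": "analyst@example.com",
        "ClientIP": "192.0.2.10",
        "Parameters": [
            {"Name": "Name", "Value": "Newsletters"},
            {"Name": "FromAddressContainsWords", "Value": "newsletter@vendor.example"},
            {"Name": "MoveToFolder", "Value": "Newsletters"},
        ],
    },
    {"Operation": "MailItemsAccessed", "UserId": "analyst@example.com",
     "ClientIP": "192.0.2.10", "Parameters": []},
]

INTERNAL_DOMAINS = {"example.com"}   # assumed: the organisation's own domains
FINANCIAL_TERMS = {"wire", "invoice", "payment", "bank", "transfer", "ach", "remittance"}
HIDING_ACTIONS = ("DeleteMessage", "MarkAsRead")
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "archive", "deleted items",
                  "junk email", "conversation history"}
EXFIL_ACTIONS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}


def params_of(record):
    """Flatten the Parameters list into a {name: value} dict."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def financial_keywords(params):
    """Financial terms used as triggers in any *ContainsWords condition."""
    text = " ".join(v.lower() for k, v in params.items() if k.endswith("ContainsWords"))
    return sorted(FINANCIAL_TERMS & set(re.split(r"[;,\s]+", text)))


def external_recipients(params):
    """Forward/redirect targets whose domain is not one of ours."""
    found = []
    for action in EXFIL_ACTIONS:
        for addr in re.split(r"[;,\s]+", params.get(action, "")):
            if "@" in addr and addr.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS:
                found.append(addr)
    return found


def analyze_rule(record):
    """Return human-readable reasons this rule looks like BEC tradecraft (empty if benign)."""
    p = params_of(record)
    reasons = []
    hides = [a for a in HIDING_ACTIONS if p.get(a, "").lower() == "true"]
    if p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        hides.append("MoveToFolder=" + p["MoveToFolder"])
    conditions = [k for k in p if k.endswith("ContainsWords")]
    kw = financial_keywords(p)
    if hides and kw:
        reasons.append("hides messages (%s) matching financial terms: %s"
                       % (", ".join(hides), ", ".join(kw)))
    elif hides and not conditions:
        reasons.append("hides messages unconditionally (%s)" % ", ".join(hides))
    ext = external_recipients(p)
    if ext:
        reasons.append("forwards or redirects mail outside the organisation: " + ", ".join(ext))
    if len(p.get("Name", "").strip()) <= 1:
        reasons.append("rule name is blank or a single character")
    return reasons


def analyze_audit_log(records):
    """Scan audit records and return one finding per suspicious inbox rule."""
    findings = []
    for rec in records:
        if rec.get("Operation") not in RULE_OPERATIONS:
            continue
        reasons = analyze_rule(rec)
        if reasons:
            findings.append({"user": rec["UserId"], "client_ip": rec.get("ClientIP"),
                             "operation": rec["Operation"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze_audit_log(SAMPLE_AUDIT_RECORDS):
        print(f["user"], f["operation"], f["client_ip"])
        for r in f["reasons"]:
            print("   -", r)
```

In practice the records come from the unified audit log export (or a SIEM fed by it) rather than an inline list, and the finding should be paired with the ClientIP and the sign-in record that preceded the rule creation: a rule created minutes after a login from an unfamiliar location is the strongest signal that the account, not the user, created it.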
Who Gets Targeted
The FBI is unequivocal: anyone with an email account and access to money is a potential target.
CEOs & Executives
Their authority is impersonated to authorize large transfers.
Finance & Accounting
Accounts payable staff receive fraudulent vendor payment instructions.
Real Estate Transactions
Closing funds are diverted by compromising agent or title company email.
HR & Payroll
Direct deposit details are changed before payday via fake employee emails.
Law Firms & Nonprofits
Trust accounts and wire-heavy operations make attractive targets.
Small Businesses
Smaller IT budgets and less security awareness make them easier marks.
The Three-Layer Defense That Stops BEC
No single tool stops BEC entirely — but combining these three layers creates a defense that breaks the attack chain at every stage.
Proofpoint Essentials
Email Security & Anti-Phishing
Proofpoint Essentials sits in front of your inbox and filters every inbound message against real-time threat intelligence from 3+ billion emails daily. It catches the phishing emails that attackers use to steal credentials in the first place — breaking the attack chain before an account is ever compromised.
- ✓ Blocks credential-harvesting phishing links before delivery
- ✓ Detects executive impersonation and display-name spoofing
- ✓ Flags emails that mimic your internal domain
- ✓ Provides full email archiving for forensic investigation
Okta
Multi-Factor Authentication & Identity
The single most effective technical control against BEC is multi-factor authentication. Even if an attacker obtains an employee's password through a data breach or phishing, Okta's MFA makes that credential useless — they can't complete the login without the second factor that only the real user controls.
- ✓ Requires a second factor (push, TOTP, or hardware key) for every login
- ✓ Blocks login attempts from unrecognized devices or locations
- ✓ Provides a real-time audit trail of every authentication event
- ✓ Single sign-on across Microsoft 365, Google Workspace, and hundreds of apps
Microsoft 365
Secure Cloud Email
For organizations running Microsoft 365, built-in security features provide an additional defense layer. Microsoft Defender for Office 365 adds AI-powered anti-phishing rules, Safe Links URL scanning, and anomalous login detection. Combined with Proofpoint and Okta, it creates a defense-in-depth email environment.
- ✓ Advanced anti-phishing policies with AI-based impersonation detection
- ✓ Safe Links rewrites and scans URLs at click time
- ✓ Conditional Access blocks logins from untrusted networks or devices
- ✓ Admin audit logs capture all mailbox permission changes
Once the Wire Is Sent, the Money Is Gone
Under decades-old banking law, wire transfers authorized by a customer — even one who was deceived — are generally not covered by consumer fraud protections. Courts have repeatedly sided with banks over victims. One law firm called Bank of America within one hour of a fraudulent wire request and still lost $500,000. The attacker in the WSJ story had already cleaned out the funds before anyone realized what had happened. Recovery requires law enforcement action across international borders, and the chances are slim. The only reliable strategy is prevention.
Frequently Asked Questions
Common questions from business owners and IT leaders who are evaluating their exposure to BEC attacks.
How do attackers get into a real email account in the first place?
Two main methods: phishing emails that trick users into entering their password on a fake login page, and credential stuffing — testing username/password combinations leaked in prior data breaches. Because many people reuse passwords across services, a breach at one site can unlock email accounts at another.
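Both of the methods above, and the "unrecognized devices or locations" and "audit trail" points made earlier about MFA, leave patterns in authentication logs that are easy to detect. The following is an added example, not code from any vendor named on this page, run over a constructed set of login events in a generic JSON-lines shape (field names, users, IPs and countries are all made up). It raises two kinds of alert: one source address failing against many different accounts in a short window, which is the signature of credential stuffing, and a successful login from a country or device a user has never used before, which is what an attacker logging in with a phished password looks like.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication events (JSON lines); not the output of any real product.
SAMPLE_AUTH_LOG = """
{"ts": "2020-02-10T08:02:11", "user": "cfo@example.com", "ip": "192.0.2.10", "country": "US", "device_id": "laptop-01", "result": "success"}
{"ts": "2020-02-11T08:15:40", "user": "cfo@example.com", "ip": "192.0.2.10", "country": "US", "device_id": "laptop-01", "result": "success"}
{"ts": "2020-02-12T07:58:03", "user": "cfo@example.com", "ip": "192.0.2.10", "country": "US", "device_id": "laptop-01", "result": "failure"}
{"ts": "2020-02-12T07:58:30", "user": "cfo@example.com", "ip": "192.0.2.10", "country": "US", "device_id": "laptop-01", "result": "success"}
{"ts": "2020-02-13T02:40:01", "user": "alice@example.com", "ip": "198.51.100.23", "country": "NL", "device_id": "unknown", "result": "failure"}
{"ts": "2020-02-13T02:40:09", "user": "bob@example.com", "ip": "198.51.100.23", "country": "NL", "device_id": "unknown", "result": "failure"}
{"ts": "2020-02-13T02:40:17", "user": "carol@example.com", "ip": "198.51.100.23", "country": "NL", "device_id": "unknown", "result": "failure"}
{"ts": "2020-02-13T02:40:26", "user": "dave@example.com", "ip": "198.51.100.23", "country": "NL", "device_id": "unknown", "result": "failure"}
{"ts": "2020-02-13T02:40:33", "user": "erin@example.com", "ip": "198.51.100.23", "country": "NL", "device_id": "unknown", "result": "failure"}
{"ts": "2020-02-13T02:40:41", "user": "cfo@example.com", "ip": "198.51.100.23", "country": "NL", "device_id": "unknown", "result": "failure"}
{"ts": "2020-02-14T03:12:55", "user": "cfo@example.com", "ip": "203.0.113.88", "country": "HK", "device_id": "unknown-7", "result": "success"}
{"ts": "2020-02-14T09:00:12", "user": "alice@example.com", "ip": "192.0.2.11", "country": "US", "device_id": "laptop-02", "result": "success"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a real datetime, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        e = json.loads(line)
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_credential_stuffing(events, min_users=5, window=timedelta(minutes=10)):
    """One source IP failing against many distinct accounts inside a short window."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "failure":
            failures[e["ip"]].append(e)   # events are already in time order
    alerts = []
    for ip, evs in failures.items():
        for i, first in enumerate(evs):
            users = {x["user"] for x in evs[i:] if x["ts"] - first["ts"] <= window}
            if len(users) >= min_users:
                alerts.append({"type": "credential_stuffing", "ip": ip,
                               "distinct_users": len(users),
                               "first_seen": first["ts"].isoformat()})
                break   # one alert per source IP is enough
    return alerts


def detect_new_location_logins(events):
    """Successful login from a country or device the user has never used before.

    The first success ever seen for a user only seeds the baseline; in production
    the baseline would be loaded from historical logs rather than built from scratch.
    """
    known_countries = defaultdict(set)
    known_devices = defaultdict(set)
    alerts = []
    for e in events:
        if e["result"] != "success":
            continue
        u = e["user"]
        if known_countries[u] and (e["country"] not in known_countries[u]
                                   or e["device_id"] not in known_devices[u]):
            alerts.append({"type": "new_location_or_device", "user": u, "ip": e["ip"],
                           "country": e["country"], "device_id": e["device_id"],
                           "ts": e["ts"].isoformat()})
        known_countries[u].add(e["country"])
        known_devices[u].add(e["device_id"])
    return alerts


def run_detections(text):
    """Run both detections over a JSON-lines log and return all alerts."""
    events = parse_events(text)
    return detect_credential_stuffing(events) + detect_new_location_logins(events)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_AUTH_LOG):
        print(alert)
```

The sample log shows why the page's advice is ordered the way it is: the stuffing attempt from 198.51.100.23 includes the CFO's account, and the next day a login from a new country on a new device succeeds. With MFA enforced, that success would have been a failure; without it, this new-location alert is the last chance to catch the takeover before the reconnaissance step begins.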
How is BEC different from a regular phishing email?
Traditional phishing is broadcast spam with low success rates. BEC is targeted and surgical. Attackers research the victim, compromise a real account, read actual email threads, and send requests that perfectly match the victim's writing style, relationships, and context. There is no generic "Nigerian prince" warning sign.
Can a bank reverse a fraudulent wire transfer?
Rarely. Consumer protection laws that cover unauthorized card charges generally do not apply to wire transfers — especially when the customer voluntarily authorized the transfer (even under false pretenses). If the money has already reached an overseas account, recovery odds are very low. The FBI estimates global BEC losses between 2016 and 2019 totaled $26 billion.
Will my business email provider (Microsoft or Google) protect me on its own?
Basic plans include spam filtering but are not designed to stop sophisticated BEC. A dedicated email security layer like Proofpoint Essentials is trained specifically on BEC patterns, impersonation tactics, and emerging threats at a scale that generic inbox providers cannot match.
What is the fastest thing we can do right now?
Enable multi-factor authentication on every email account, without exception. It is the single control that most directly breaks the BEC attack chain. If an attacker cannot log in to the account even with a stolen password, the reconnaissance and impersonation steps never happen.
Is Your Business Protected Against Email Account Takeover?
Iron Cove Solutions helps businesses deploy Proofpoint Essentials, Okta MFA, and Microsoft 365 security features as a layered defense against BEC. We will assess your current email environment and tell you exactly where you are exposed — at no cost.