
In today’s world of technology and business innovation, email remains one of the most important tools for conducting business. Email is how business gets done around the world, regardless of organizational size or industry.
That is why email is the most appealing target for cybercriminals, and the perfect target for Business Email Compromise (BEC).
Business Email Compromise is one of the fastest-growing cyber threats affecting organizations worldwide. In a BEC attack, cybercriminals impersonate trusted individuals such as executives, vendors, or partners in order to trick employees into transferring money or sharing confidential information.
In 2024, there were 34,621 reported victims of fraud, according to the Canadian Anti-Fraud Centre (CAFC). Reported losses for spear-phishing, which is how BEC is categorized, reached over $67.5 million CAD in 2024. Canadian businesses and individuals face significant financial losses due to Business Email Compromise (BEC). According to the Canadian Anti-Fraud Centre, in the first half of 2025 (Jan-June), over $26.7 million CAD was reported lost to these scams.
Any cyber security incident or breach has negative consequences for the victim. As cyber security experts, we see it all the time: just one click is all it takes. For many businesses that do not have the protection and tools in place to protect them or assist in recovery, this attack can be devastating. Far too often, ransomware gets most of the attention in the news. This is mainly because the attack surface is larger and the outcome is more profound: all the computers were locked, or all the data was held for ransom. However, according to the FBI 2022 Internet Crime Report, Business Email Compromise contributes up to 100 times more in financial losses than ransomware payments. The FBI Internet Crime Report 2023 stated that 25% of motivated attacks are BEC and that BEC scams average $50,000 in losses, resulting in $2.9 billion in losses in 2023.
BEC attacks are here to stay. If you or your company, regardless of size, use email for communication, you are at risk for BEC. If a business email compromise attack is successful, your business could lose hundreds of thousands of dollars, face widespread identity theft or accidentally leak confidential data like intellectual property or personal information. Protecting your business against BEC attacks is no longer a back-burner item; it’s a necessity in any cyber defense.
What is Business Email Compromise (BEC)?
Business Email Compromise (BEC) is a type of cybercrime where the scammer uses email to trick someone into sending money or divulging confidential company information. The culprit poses as a trusted figure, like a boss or vendor, then asks for a fake bill to be paid or for sensitive data they can use in another scam.
Year over year, BEC attacks continue to increase globally. According to Microsoft, 35 million business email compromise attempts were detected and investigated by Microsoft Threat Intelligence between April 2022 and April 2023, for an average of 156,000 daily attempts!
The Drop: Example of a BEC Scam Email
Subject: Urgent: Wire Transfer Needed Today
From: Michael Reynolds, CEO <m.reynolds@company-ceo.com>
To: Accounts Payable
Hi Sarah,
I’m heading into a confidential acquisition meeting and need your assistance immediately. We’re closing on a strategic opportunity and require a wire transfer of $248,750 to the account details below within the next 45 minutes.
Please handle this discreetly. I’m unavailable by phone due to the meeting, so just reply once completed.
Bank: Horizon Commercial Bank
Account Name: Silverline Holdings
Account Number: 784392019
Routing Number: 091000022
This is time-sensitive and critical to the deal.
Thank you,
Michael
We have all received an email like the one above, or something similar, where someone is asking for urgent help but something about the tone or language is not quite right. If so, you’re likely one of the hundreds of thousands of people and organizations targeted daily by BEC attacks.
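The cues that make the sample email above look wrong can be checked mechanically. The following Python code is an added example, not part of the original article or of any product; the organization domain company.com, the executive name list and the ap@company.com recipient are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: the organization's real mail domain and the
# executives whose names an impersonator is likely to borrow.
ORG_DOMAIN = "company.com"
EXEC_NAMES = {"michael reynolds"}

# Phrase groups drawn from the wording of the sample message above.
CUES = {
    "urgency": r"\b(urgent|immediately|time-sensitive|within the next \d+ minutes)\b",
    "payment": r"\b(wire transfer|routing number|account number)\b",
    "secrecy": r"\b(discreetly|confidential)\b",
    "no_callback": r"\bunavailable by phone\b",
}

# Constructed sample, abridged from the example email on this page.
SAMPLE = """\
From: "Michael Reynolds, CEO" <m.reynolds@company-ceo.com>
To: Accounts Payable <ap@company.com>
Subject: Urgent: Wire Transfer Needed Today

I'm heading into a confidential acquisition meeting and need your assistance
immediately. We require a wire transfer of $248,750 within the next 45 minutes.
Please handle this discreetly. I'm unavailable by phone due to the meeting.
"""

def bec_indicators(raw, org_domain=ORG_DOMAIN):
    """Return the sorted BEC indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    found = set()
    if domain != org_domain:
        # An executive's display name on an outside domain is a common
        # sign of impersonation.
        if any(n in name.lower() for n in EXEC_NAMES):
            found.add("exec_name_external_domain")
        # Lookalike: the real domain's label embedded in a different domain.
        if org_domain.split(".")[0] in domain:
            found.add("lookalike_domain")
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}".lower()
    for label, pattern in CUES.items():
        if re.search(pattern, text):
            found.add(label)
    return sorted(found)

if __name__ == "__main__":
    print(bec_indicators(SAMPLE))
```

Indicators like these are triage signals that feed the payment verification procedures the article recommends, not a verdict on their own.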
Understanding Business Email Compromise (BEC)
In a BEC attack, the attackers obtain access to a business email account and use that account while pretending to be its owner. This is usually done over a period of time, to build trust with employees, customers, and/or partners. Sooner or later, the attacker sends an email that is designed to trick the recipient into sending them money or other resources, or into divulging confidential information.
How Business Email Compromise Attacks Work
Most BEC attacks follow a similar pattern:
1. Email compromise or impersonation
Attackers gain access to a legitimate email account or create a spoofed address that closely resembles a trusted sender.
2. Monitoring communications
The attacker quietly monitors email conversations to understand payment processes, vendors, and internal workflows.
3. Trust building
Attackers often wait until the right opportunity appears — such as an invoice payment or contract negotiation.
4. Fraudulent request
An urgent message is sent requesting a wire transfer, invoice payment, or sensitive data.
5. Financial theft or data exposure
Funds are transferred or confidential information is compromised.
The 6 most common types of Business Email Compromise (BEC) are:
- CEO Fraud
- CFO Fraud
- Personal email compromise (PEC)
- Spoofed lawyer or real estate email accounts
- Tax information requests (W-2 / T4)
- Gift card fraud
As new technologies emerge, threat actors work quickly to adapt their techniques and evolve their use of these technologies to carry out more sophisticated and costly BEC attacks.
Defending against Business Email Compromise (BEC) Attacks
With BEC lures continually evolving to rely on payload-less attacks, organizations must turn to advanced solutions with help from Artificial Intelligence (AI). Five components that help protect against BEC are:
- Multi-Factor Authentication (MFA)
- Advanced Email Security Tools
- Authentication Protocols
- Process Controls
- User Training
What to Look for in an Advanced Email Security Solution
One of the best safeguards against BEC attacks is to use an Email Security solution that has BEC protection built in. Organizations should look for a solution that:
- Defends against BEC threats by identifying anomalous activity and building a social graph of user interactions, analyzing risky phrases and semantic intent to determine an email’s purpose.
- Provides comprehensive BEC protection by not relying solely on AI to identify patterns and abnormalities, and instead combining AI with proven indicators from signatures and threat feeds, so that attacks are stopped at the point of detection.
- Delivers insight on what is blocked and why by making each BEC detection easy to triage, with information on not only which policy triggered the detection but also the risky characteristic that led to the decision to block.
- Makes policy modeling simple through historical analysis of messages, identifying the impact of a policy change and determining the potential messages that could be caught at each level of sensitivity.
Help Stop BEC Attacks!
If you think you’ve been the victim of a business email compromise scam, Report it! And talk about it!
Report it: BEC scams are a criminal offense. Even if funds weren’t transferred, it is wise to report the incident to local police, your financial institution and the Canadian Anti-Fraud Centre. These reports are valuable tools for investigators.
Talk about it: If you’ve fallen victim to a scam or even received a spoofed email, tell your story. Knowledge is power. Spreading the word helps prevent others from falling victim to these scams.
Learn more about how Ridegell Consulting can help your organization stop business email compromise or get a free threat scan, no commitment or payment details needed.
FAQs About Business Email Compromise
What is Business Email Compromise?
Business Email Compromise (BEC) is a cybercrime where attackers impersonate trusted individuals through email to trick employees into transferring money or sharing sensitive information.
How common are BEC attacks?
BEC attacks are one of the most financially damaging cybercrimes globally, responsible for billions of dollars in losses every year.
How can organizations prevent Business Email Compromise?
Organizations can reduce risk by implementing multi-factor authentication, advanced email filtering tools, payment verification procedures, and employee cybersecurity training.
What should you do if you fall victim to a BEC attack?
Immediately contact your financial institution, report the incident to law enforcement, and file a report with the Canadian Anti-Fraud Centre.






