
Business email compromise: Recognize and prevent scams


Key takeaways

  • In recent years, business email compromise (BEC) has been responsible for nearly $3 billion in reported annual losses, according to the FBI.

  • Strong controls exist — but failures leading to BEC losses are almost always procedural, not technical, centered on payment verification, vendor change management and human behavior.

  • Vendor email compromise (VEC) is one of the most costly, yet underestimated, forms of BEC fraud because it exploits trusted, routine business relationships rather than technical vulnerabilities.

Cybercrime against businesses continues to escalate, and one of the biggest threats is business email compromise (BEC).

According to the FBI Internet Crime Complaint Center (IC3), BEC fraud remains the second highest loss category across all cybercrime, with annual losses in recent years approaching $3 billion.

Protecting their companies from BEC scams needs to be a priority for all business financial managers.

 

What is BEC fraud?

Business email compromise is an umbrella term for a set of fraud schemes in which criminals exploit email — often without malware or suspicious links — to impersonate trusted people or organizations and manipulate victims into taking harmful actions.

As illustrated in the image below, business email compromise has evolved into several closely related variants, including traditional BEC, email account compromise (EAC) and vendor email compromise (VEC). While the setup differs slightly across these types, the underlying pattern is the same: Attackers either spoof or take over legitimate email accounts, study normal communication patterns and then send messages that appear routine, urgent and authentic. The goal is typically financial — such as redirecting payments or authorizing fraudulent wire transfers — but may also involve stealing sensitive data or credentials.

Because these emails look legitimate and align with normal business processes, business email compromise attacks are difficult to detect and frequently succeed even in organizations with strong technical security controls.

 

Unlike traditional phishing, BEC phishing messages are typically:

  • Plain‑text emails (no links or attachments)
  • Timed to coincide with legitimate business activity
  • Customized to the target’s role and authority

Because they lack obvious technical indicators, these attacks routinely bypass email security tools and rely instead on human trust and process gaps.

 

The rise of vendor email compromise

VEC is a specialized and increasingly dominant subset of business email compromise fraud. In a VEC attack, criminals impersonate — or directly compromise — the email account of a legitimate vendor or supplier, then use that established relationship to defraud the vendor’s customers.

VEC is also referred to as financial supply chain compromise, reflecting its ability to propagate fraud across multiple organizations through a single trusted vendor.

VEC is extremely successful because vendor emails are expected, frequent and routine; invoice and payment updates are common and rarely questioned; and an attacker inside the vendor's mailbox often has access to real invoices, amounts and timing. Industry studies report that over 44% of VEC emails that reach inboxes are engaged with, and nearly 99% go unreported, dramatically increasing attacker success rates.

 

How VEC attacks work

1. Attackers gain access to a vendor's email account through phishing, passwords reused from other breaches, or legacy authentication protocols (for example IMAP, POP or SMTP AUTH with basic authentication) that accept a username and password alone and cannot enforce MFA.

2. Once inside the mailbox, attackers monitor communications for invoice schedules, payment approval workflows, and authorized signatories and escalation paths. This reconnaissance phase can last weeks or months, allowing attackers to perfectly time their fraud.

3. At a critical moment, the attacker sends an email requesting:

  • Updated wire instructions
  • A “temporary” banking change
  • Reissuance of a pending payment

Because the request aligns with legitimate activity, it often bypasses scrutiny.

4. Funds are rapidly moved through domestic and international accounts, frequently passing through intermediary banks before final withdrawal.

 

A real‑world VEC example

Scenario: A manufacturing company receives a routine email from a longstanding logistics vendor stating that “due to a banking audit,” upcoming invoice payments must be sent to a new account.

The invoice amount, format and timing all match prior payments. The accounts payable clerk updates the vendor profile and releases a $485,000 wire.

Two weeks later, the legitimate vendor inquires about the unpaid invoice.

The root cause for this fraud loss? The company had no out‑of‑band verification for vendor banking changes.

This sample case mirrors thousands of cases reported annually to the FBI.

 

Why BEC scams like vendor email compromise remain so successful

BEC fraud attacks rely on social engineering, not exploits. As a result, they evade traditional security tools that look for malware or malicious links.

Business processes reward fast payment, so payment teams are often trained to avoid processing delays and to maintain vendor relationships. Perpetrators of BEC fraud exploit this operational pressure.

Many organizations have policies requiring payment verification but lack segregation of duties and auditability, so nothing stops a single employee from skipping the check. As a result, policies fail to prevent BEC fraud such as vendor email compromise precisely when urgency is introduced.

 

Protections and best practices

There are four key strategies organizations should consider implementing to protect against vendor email compromise:

1. Vendor-change verification controls

  • Require out‑of‑band independent verification for all banking changes: call the vendor back on the phone number already on file, never on a number or contact supplied in the request itself.
  • Enforce dual approval for vendor updates.
  • Implement mandatory cooling‑off periods before changes take effect.

2. Email authentication and technical safeguards

  • Publish SPF and DKIM for your sending domains and a DMARC policy of p=reject so that mail spoofing your domain is refused; check that vendors do the same, since DMARC only helps you evaluate inbound vendor mail when the vendor publishes a policy. Note that none of these protocols detect a message sent from a vendor's genuinely compromised account.
  • Employ multifactor authentication (MFA) for all email accounts, preferring phishing‑resistant methods such as FIDO2 security keys.
  • Disable legacy email authentication protocols (basic authentication for IMAP, POP and SMTP AUTH), which accept a password without MFA.
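As an added example (not code from the original article or from U.S. Bank), the following offline checker evaluates SPF and DMARC TXT records and reports the weak settings that leave a domain spoofable. The records at the bottom are constructed for illustration and belong to no real domain; in practice the strings would come from a DNS TXT lookup, which this block deliberately avoids so it runs offline.

```python
"""Offline checker for SPF and DMARC TXT records.

Added example, not part of the original article. The sample records below
are constructed and belong to no real domain; a real deployment would fetch
the TXT records via DNS (for example with dnspython) and pass them in.
"""
import re


def parse_tags(record: str) -> dict:
    """Parse a 'k=v; k=v' style record (DMARC syntax) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def _is_lookup_term(term: str) -> bool:
    """True for SPF mechanisms that cost a DNS lookup (RFC 7208 allows 10)."""
    name = re.split(r"[:/=]", term.lower().lstrip("+-~?"), 1)[0]
    return name in ("include", "a", "mx", "ptr", "exists", "redirect")


def check_spf(record: str) -> list:
    """Return a list of findings for an SPF record; empty means no concerns."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    all_term = next((t.lower() for t in terms if re.fullmatch(r"[+\-~?]?all", t, re.I)), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders are treated as neutral")
    elif all_term in ("+all", "all"):
        findings.append("'+all' authorises any host on the internet to send as this domain")
    elif all_term == "?all":
        findings.append("'?all' is neutral and provides no protection")
    elif all_term == "~all":
        findings.append("'~all' softfail: enforcement depends on DMARC p=reject")
    lookups = sum(1 for t in terms if _is_lookup_term(t))
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceeds the limit of 10 (permerror)")
    return findings


def check_dmarc(record: str) -> list:
    """Return a list of findings for a DMARC record; empty means no concerns."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail lands in spam instead of being rejected")
    elif policy != "reject":
        findings.append("missing or invalid 'p' tag")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy is applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua address: no aggregate reports, so spoofing attempts go unnoticed")
    sub_policy = tags.get("sp")
    if sub_policy and sub_policy.lower() != "reject":
        findings.append(f"sp={sub_policy}: subdomains get a weaker policy than the organisational domain")
    return findings


# Constructed sample records (assumptions for illustration, not real domains).
WEAK_SPF = "v=spf1 include:_spf.mailer.example a mx ~all"
STRONG_SPF = "v=spf1 include:_spf.mailer.example -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.test"

if __name__ == "__main__":
    for label, record, check in (("weak SPF", WEAK_SPF, check_spf),
                                 ("strong SPF", STRONG_SPF, check_spf),
                                 ("weak DMARC", WEAK_DMARC, check_dmarc),
                                 ("strong DMARC", STRONG_DMARC, check_dmarc)):
        print(f"{label}: {record}")
        for finding in check(record) or ["no findings"]:
            print("  -", finding)
```

The checker covers the settings that matter for spoofing resistance: an SPF record ending in `+all` or `?all`, a DMARC policy of `p=none`, a partial `pct`, and a missing aggregate-report address. Running it against your own domains and your vendors' domains shows who can still be impersonated by a plain lookalike message; it says nothing about mail sent from a vendor account the attacker actually controls, which is why the process controls above remain the primary defence.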

3. Payment process improvements

  • Separate vendor setup from payment release.
  • Prohibit payment changes via email alone.
  • Maintain audit trails for verification steps.
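As an added example that ties together the vendor-change verification controls (strategy 1) and the payment process improvements (strategy 3), the following module enforces out-of-band verification against the contact on file, dual approval with segregation of duties, a cooling-off period and an audit trail for a vendor banking change. It is illustrative code written for this article, not U.S. Bank code or any accounts-payable system's API; the vendor record, user names, timestamps and the two-day cooling-off period are assumptions.

```python
"""Vendor banking-change control: out-of-band verification, dual approval,
cooling-off period and audit trail.

Added example for illustration only; not U.S. Bank code or any AP system's
API. Vendor data, user names, timestamps and the cooling-off period are
assumptions chosen for the demonstration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

COOLING_OFF = timedelta(days=2)  # assumed policy value


class ControlViolation(Exception):
    """Raised when a step would bypass a required control."""


@dataclass
class Vendor:
    name: str
    bank_account: str
    verified_phone: str  # contact captured at onboarding, independent of any later email


@dataclass
class BankChangeRequest:
    vendor: Vendor
    new_account: str
    requested_by: str
    callback_phone: str  # the number printed in the request email (attacker-controlled in a VEC)
    received_at: datetime
    verified_by: Optional[str] = None
    approvals: List[str] = field(default_factory=list)
    audit: List[tuple] = field(default_factory=list)

    def _log(self, event: str, who: str, at: datetime) -> None:
        self.audit.append((at.isoformat(), event, who))

    def verify_out_of_band(self, by: str, phone_dialed: str, at: datetime) -> None:
        """Callback must go to the number on file, never to the number in the email."""
        if phone_dialed != self.vendor.verified_phone:
            self._log("verification rejected: number not on file", by, at)
            raise ControlViolation("callback must use the vendor's phone number on file")
        self.verified_by = by
        self._log("verified out of band", by, at)

    def approve(self, by: str, at: datetime) -> None:
        """Dual approval: each approver must be independent of requester, verifier and prior approver."""
        if self.verified_by is None:
            raise ControlViolation("approval before out-of-band verification")
        if by in (self.requested_by, self.verified_by) or by in self.approvals:
            raise ControlViolation(f"{by} is not independent of the request")
        self.approvals.append(by)
        self._log("approved", by, at)

    def apply(self, at: datetime) -> Vendor:
        """Change takes effect only after two approvals and the cooling-off period."""
        if len(self.approvals) < 2:
            raise ControlViolation("two independent approvals required")
        effective = self.received_at + COOLING_OFF
        if at < effective:
            raise ControlViolation(f"cooling-off period ends {effective.isoformat()}")
        self.vendor.bank_account = self.new_account
        self._log("applied", "system", at)
        return self.vendor


def demo() -> dict:
    """Run the article's 'banking audit' scenario through the controls; returns the outcomes."""
    t0 = datetime(2025, 3, 3, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    vendor = Vendor("Constructed Logistics Co.", "ACCT-OLD-1111", "+1-555-0100")
    req = BankChangeRequest(vendor=vendor, new_account="ACCT-NEW-9999", requested_by="ap.clerk",
                            callback_phone="+1-555-0199", received_at=t0)
    out = {}
    try:  # dialling the number in the email is exactly what the attacker wants
        req.verify_out_of_band("ap.clerk", req.callback_phone, t0)
        out["email_number_accepted"] = True
    except ControlViolation:
        out["email_number_accepted"] = False
    req.verify_out_of_band("ap.clerk", vendor.verified_phone, t0 + timedelta(hours=1))
    try:  # the clerk who logged the request cannot also approve it
        req.approve("ap.clerk", t0 + timedelta(hours=2))
        out["self_approval_accepted"] = True
    except ControlViolation:
        out["self_approval_accepted"] = False
    req.approve("ap.manager", t0 + timedelta(hours=2))
    req.approve("controller", t0 + timedelta(hours=3))
    try:  # urgency does not shorten the cooling-off period
        req.apply(t0 + timedelta(hours=4))
        out["applied_early"] = True
    except ControlViolation:
        out["applied_early"] = False
    req.apply(t0 + COOLING_OFF + timedelta(hours=1))
    out["final_account"] = vendor.bank_account
    out["audit_events"] = len(req.audit)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the design is that each control is enforced by the system rather than left to the clerk's judgement under pressure: the callback number comes from the vendor master record, the approver set excludes whoever handled the request, the change cannot take effect inside the cooling-off window however urgent the email sounds, and every attempt, including the rejected ones, is written to the audit trail.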

FBI and financial industry analyses consistently show that process enforcement, not awareness training alone, prevents loss.

4. Training focused on real scenarios

Traditional phishing training, which teaches people to spot suspicious links and attachments, does not prepare them for a VEC message that contains neither. Effective training programs should include:

  • VEC‑specific simulations
  • Invoice‑change red flag training
  • Reinforcement that “urgency” is a fraud indicator

VEC succeeds not because organizations lack technology, but because trusted relationships and routine processes remain weakly protected. As attackers continue to refine social engineering techniques, the VEC variant of business email compromise will remain one of the most financially damaging fraud threats facing businesses.

The good news is that VEC is highly preventable. Organizations that enforce verification, harden vendor processes and treat payment changes as high‑risk events dramatically reduce exposure.

For more on how to protect your organization from business email compromise scams, check out our fraud prevention checklist.

Business email scams are on the rise as more employees are working from home. Contact U.S. Bank for help with your fraud prevention plan.

References

Federal Bureau of Investigation (FBI), Internet Crime Complaint Center (IC3).
Business Email Compromise: The $55 Billion Scam. Public Service Announcement,
September 2024.
https://www.ic3.gov/PSA/2024/PSA240911

Federal Bureau of Investigation (FBI).
2024 Internet Crime Report. Washington, DC, April 23, 2025.
https://www.ic3.gov/Media/PDF/AnnualReport/2024_IC3Report.pdf

Nacha – The Electronic Payments Association.
FBI’s IC3 Finds Almost $8.5 Billion Lost to Business Email Compromise in the Last Three Years. January 2026.
https://www.nacha.org/news/fbis-ic3-finds-almost-85-billion-lost-business-email-compromise-last-three-years

Cloudflare.
What Is Vendor Email Compromise (VEC)? Cloudflare Learning Center.
https://www.cloudflare.com/learning/email-security/what-is-vendor-email-compromise/

Cybersecurity and Infrastructure Security Agency (CISA).
Enhance Email and Web Security. U.S. Department of Homeland Security.
https://www.cisa.gov/resources-tools/resources/enhanced-email-and-web-security

National Institute of Standards and Technology (NIST).
SP 800‑177 Rev. 1: Trustworthy Email. NIST Computer Security Resource Center, February 2019.
https://csrc.nist.gov/publications/detail/sp/800-177/rev-1/final

Valimail.
Vendor Email Compromise (VEC): How Attackers Target Trust.
https://www.valimail.com/blog/what-is-vendor-email-compromise/

Hylant Cyber Risk Services.
Vendor Email Compromise (VEC): How to Detect, Prevent, and Protect Your Business. January 2026.
https://hylant.com/insights/blog/vendor-email-compromise-vec-how-to-detect-prevent-and-protect-your-business

CertifID.
2024 FBI IC3 Cybercrime Report: A Breakdown. April 2025.
https://www.certifid.com/article/fbi-ic3-cybercrime-report

INKY Technology.
What the FBI’s Latest Report Reveals About Email Threats in 2025.
https://www.inky.com/en/blog/what-the-fbis-latest-report-reveals-about-email-threats-in-2025

Disclosures

Deposit products offered by U.S. Bank National Association. Products and services may be subject to credit approval. Eligibility requirements, restrictions and fees may apply. Member FDIC.