Business Email Compromise: Stop Wire Fraud in 2026
BEC scams cost businesses billions a year through fake invoices and wire requests. Learn how the fraud works, the controls that stop it, and the 72-hour recovery rule.

No malware. No ransomware note. Just a routine-looking email asking finance to update a vendor's bank details or push through an urgent wire, and millions of dollars gone. Business Email Compromise (BEC) is one of the costliest cybercrimes by dollar value, and the FBI's Internet Crime Complaint Center (IC3) puts recent annual losses in the billions. The attack barely looks like an attack, which is exactly why it works. Here is how BEC operates and the controls that actually stop it.
Quick answer
Business Email Compromise tricks an employee into wiring money or changing a vendor's bank details by impersonating an executive, supplier, or partner over email, sometimes from a genuinely hijacked mailbox. The one control that stops nearly all of it is out-of-band verification: confirm every payment or bank-detail change by calling a known number, never one in the email. Add dual authorization for wires and phishing-resistant MFA on email. If you are hit, call your bank and report to the FBI's IC3 within 72 hours for the best shot at clawback.
Key takeaways
- BEC tricks an employee into sending money or sensitive data by impersonating an executive, vendor, or trusted partner over email.
- The FBI's IC3 logged tens of thousands of BEC complaints and billions in reported losses in its latest annual report, with losses still rising year over year.
- The vast majority of BEC losses move by wire transfer or ACH: fast, hard-to-reverse rails.
- The single most effective control is out-of-band verification: confirm any payment or bank-detail change by calling a known number, never one in the email.
- If you are defrauded, report to IC3 within 72 hours; the FBI's recovery team has frozen large sums when alerted fast.
How BEC works
BEC is social engineering aimed at the people who move money. The common patterns:
- CEO/executive fraud. A spoofed or compromised executive mailbox emails finance demanding an urgent, confidential wire, often timed when the executive is traveling and hard to reach.
- Vendor/invoice fraud. The attacker impersonates a real supplier (sometimes from a genuinely hijacked vendor mailbox) and sends a legitimate-looking invoice with new bank details. Future payments route to the criminal.
- Payroll diversion. An email "from" an employee asks HR to change their direct-deposit account.
- Account compromise. Attackers take over a real internal mailbox, watch conversations to learn tone and timing, then strike from inside, making the request nearly indistinguishable from normal business.
The genius of BEC is its restraint. There is no obvious payload to detect; it is a believable request, arriving at a believable moment, asking for a believable action.
Each variant has a tell, and each maps to a specific control. Knowing which one you are looking at tells you exactly what to verify:
| BEC variant | Who it impersonates | The tell | What stops it |
|---|---|---|---|
| CEO/executive fraud | A senior leader, often "traveling" | Urgency plus secrecy, no normal channel | Out-of-band call to the executive |
| Vendor/invoice fraud | A real supplier | New bank details on a known invoice | Verify changes via a number on file |
| Payroll diversion | An employee to HR | Sudden direct-deposit change by email | Confirm with the employee in person |
| Account compromise | An internal colleague (real mailbox) | Perfect tone, hidden inbox rules | Phishing-resistant MFA, rule alerts |

Warning
Treat any request to change bank details, or to send an urgent or confidential wire, as high-risk by default, even when it comes from a familiar name and a familiar email address. Both can be spoofed or genuinely compromised.
The controls that stop BEC
- Verify out-of-band, always. Before sending money or changing payment details, call the requester or vendor on a number you already have on file, never a phone number or contact from the email itself.
- Require dual authorization for wire transfers above a threshold, so no single employee can move funds alone.
- Lock down email with phishing-resistant MFA. Most internal mailbox takeovers start with a phished or stuffed password. Passkeys and security keys make a stolen password useless.
- Deploy email authentication (SPF, DKIM, and DMARC) to make outright domain spoofing far harder.
- Flag external and lookalike senders. Banner external email, and watch for cousin domains (vend0r-co.com instead of vendor-co.com).
- Alert on inbox rule changes. Attackers who get in often create hidden forwarding or auto-delete rules to hide their tracks. Monitor for new mailbox rules.
- Train finance, HR, and executives specifically. They are the targets. Teach the verification habit and make it stigma-free to pause a request.
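Three of the controls above (cousin-domain spotting, DMARC, and inbox-rule alerting) can be reduced to small checks a finance team's mail or security tooling can run. The following is an added example written for this article, not code from the article's author or any mail platform; the vendor list, DMARC records, audit-event field names, and sample events are all constructed for illustration.

```python
"""Defender-side checks for three controls in the list above: cousin-domain
detection, DMARC policy strength, and hidden inbox rules. Added example: sample
data and audit field names are constructed and belong to no specific platform."""
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Digit-for-letter swaps commonly used in lookalike ("cousin") domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def normalize_domain(domain: str) -> str:
    """Lowercase, drop a trailing dot and fold look-alike characters."""
    d = domain.strip().lower().rstrip(".").translate(HOMOGLYPHS)
    return d.replace("rn", "m").replace("vv", "w")  # "rn" reads as "m", "vv" as "w"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, single-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(sender_domain: str, known_domains: Iterable[str], max_distance: int = 2) -> str:
    """Return "known", "lookalike" or "external" for the sender's domain.
    "lookalike" = not on file but within max_distance edits of a known domain after
    folding, or embedding a known domain's label (vendor-co.com.evil.example)."""
    known = {k.strip().lower().rstrip(".") for k in known_domains}
    if sender_domain.strip().lower().rstrip(".") in known:
        return "known"
    norm = normalize_domain(sender_domain)
    for k in map(normalize_domain, known):
        label = k.split(".")[0]
        if edit_distance(norm, k) <= max_distance or (len(label) >= 4 and label in norm):
            return "lookalike"
    return "external"


def dmarc_policy(txt_record: str) -> Tuple[str, List[str]]:
    """Parse a DMARC TXT record into (policy, warnings). Only p=reject or
    p=quarantine at pct=100 actually keeps spoofed mail out of inboxes."""
    tags = {}
    for part in txt_record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    warnings = []
    if tags.get("v", "").upper() != "DMARC1":
        warnings.append("not a DMARC1 record")
    policy = tags.get("p", "none").lower()
    if policy == "none":
        warnings.append("p=none only monitors; spoofed mail is still delivered")
    if tags.get("pct", "100") != "100":
        warnings.append("pct=%s: policy applied to only part of the mail" % tags["pct"])
    if "rua" not in tags:
        warnings.append("no rua= address, so no aggregate reports will arrive")
    return policy, warnings


@dataclass
class InboxRuleEvent:
    """One mailbox-rule audit event (constructed schema, not a vendor's)."""
    user: str
    rule_name: str
    forward_to: Optional[str]          # address the rule forwards to, if any
    delete: bool                       # rule deletes matching mail
    mark_read: bool                    # rule marks matching mail as read
    subject_keywords: Tuple[str, ...]  # subject words the rule matches on


FINANCE_WORDS = {"invoice", "wire", "payment", "bank", "ach", "remittance"}


def suspicious_inbox_rules(events: Iterable[InboxRuleEvent], internal_domain: str):
    """Return (user, rule_name, reasons) for rules that hide or exfiltrate mail."""
    findings = []
    for ev in events:
        reasons = []
        if len(ev.rule_name.strip()) <= 1:
            reasons.append("near-empty rule name, a common attacker habit")
        if ev.forward_to and not ev.forward_to.lower().endswith("@" + internal_domain):
            reasons.append("forwards to external address " + ev.forward_to)
        if ev.delete:
            reasons.append("deletes matching mail")
        hits = FINANCE_WORDS & {w.lower() for w in ev.subject_keywords}
        if hits and (ev.delete or ev.mark_read or ev.forward_to):
            reasons.append("hides or diverts finance mail matching " + ", ".join(sorted(hits)))
        if reasons:
            findings.append((ev.user, ev.rule_name, reasons))
    return findings


# Constructed sample audit events: two benign rules, one classic BEC persistence rule.
SAMPLE_EVENTS = [
    InboxRuleEvent("alice", "Newsletters", None, False, True, ("newsletter",)),
    InboxRuleEvent("bob", ".", "bob.backup@mail.example", True, False, ("invoice", "wire")),
    InboxRuleEvent("carol", "Archive", "carol@corp.example", False, False, ()),
]
```

Feed `classify_sender` the sender domain of every invoice or payment-change email and the accounts-payable vendor list; anything other than "known" should block the email from being actioned until the callback is done. `dmarc_policy` takes the text of a domain's `_dmarc` TXT record (fetched with your DNS client of choice) and reports why a record is weaker than it looks; `p=none` is the usual gap. `suspicious_inbox_rules` is the detection to wire to mailbox-rule audit events, with field names mapped from whatever your platform emits. The homoglyph and edit-distance folding is deliberately simple and will produce some false positives on short domains; that is acceptable when the outcome is a pause for verification rather than an automatic block.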
BEC overlaps heavily with other 2026 threats: AI now writes flawless, context-aware lures (see defending against AI phishing), and deepfake voice is used to back up a fraudulent email with a convincing "confirmation" call, a reason to agree on verbal code words, as covered in our deepfake voice-scam guide.
If you have been hit: the 72-hour rule
Speed determines whether you get the money back.
- Contact your bank immediately and request a recall/reversal of the wire or ACH. The sooner you act, the better the odds the funds are still recoverable.
- Report to the FBI's IC3 at ic3.gov as fast as possible. The IC3 Recovery Asset Team can work with banks to freeze fraudulent transfers, and reporting within 72 hours of authorizing the transfer gives the best chance of clawback. The team has frozen substantial sums with a meaningful success rate when alerted quickly.
- Preserve evidence. Keep the emails, headers, wire confirmations, and a timeline.
- Contain the breach. If an internal mailbox was compromised, force a password reset and MFA re-enrollment, kill active sessions, and remove malicious inbox rules.
Tip
Pre-build your "wire fraud response" runbook now, with your bank's fraud line and the 72-hour IC3 step written down. In the moment, minutes matter and nobody should be hunting for a phone number.
What to do tonight
You do not need a security team to close most of the BEC gap. Knock these out this week:
- Write the verification rule down and make it policy: no wire and no bank-detail change goes through without a callback to a number already on file. Make pausing a request explicitly safe, never a sign of distrust.
- Set a dual-authorization threshold for wires and ACH, so no single person can move funds above it alone.
- Turn on phishing-resistant MFA for email, starting with finance, HR, and executives. Passkeys and security keys make a stolen password useless.
- Banner external email and set an alert for new inbox forwarding or auto-delete rules, the classic sign of a hijacked mailbox.
- Save the response runbook where finance can find it in seconds: your bank's fraud line, the IC3 URL (ic3.gov), and the 72-hour deadline.
- Run one tabletop drill. Walk finance through a fake "urgent vendor change" so the verification habit is muscle memory, not theory.
Frequently asked questions
What makes BEC so costly compared to other scams?
It targets the money-movement process directly and uses fast, hard-to-reverse rails: wire and ACH. There is no malware to detect, and a single successful request can move six or seven figures, which is why reported losses run into the billions annually per the FBI's IC3.
How is BEC different from regular phishing?
Phishing usually casts a wide net for credentials or malware clicks. BEC is targeted social engineering aimed specifically at someone who can move money or change payment data, often using a spoofed or genuinely compromised legitimate mailbox to make the request credible.
What is the single best defense?
Out-of-band verification. Confirm every payment request or bank-detail change by phone using a number you already trust, not one supplied in the email. That one habit defeats the core of nearly every BEC attempt.
I sent a fraudulent wire. What do I do first?
Call your bank immediately to attempt a recall, then report to IC3 at ic3.gov, ideally within 72 hours. Fast reporting is what enables the FBI's recovery team to freeze the funds before they are dispersed.
Does cyber insurance cover BEC losses?
Often, but not automatically. Many policies cover "social engineering fraud" only as an add-on with its own sub-limit, and some require that you followed your own verification procedures for the claim to pay. Read the social engineering clause specifically, confirm the sub-limit is realistic for the wires you actually send, and document your controls, because an insurer may deny a claim if a basic callback step was skipped.
The bottom line
BEC succeeds because it weaponizes normal business: a familiar name, a plausible request, a tight deadline. There is no signature for a polite email asking to update a bank account. Your defense is process: verify every money move out-of-band, require dual approval, lock email behind phishing-resistant MFA, and rehearse the 72-hour IC3 response. Build those habits before the convincing email arrives, because it will.