Cybersecurity

Business Email Compromise: How Attackers Target Small Businesses and How to Stop Them

May 14, 2025  ·  7 min read

Business email compromise cost US businesses over $2.9 billion last year. Small businesses are not exempt — in many ways they're the easiest targets. Here's how these attacks work and what you can do to prevent them.

What business email compromise actually is

Business email compromise (BEC) is a category of attack where criminals impersonate someone in — or connected to — your business to trick employees, clients, or vendors into sending money or sensitive information.

Unlike ransomware, BEC often leaves no malware footprint. It doesn't trigger antivirus alerts. It doesn't encrypt your files. It's a social engineering attack delivered through email — and by the time you realize what happened, the money is usually gone.

The FBI's Internet Crime Complaint Center consistently ranks BEC as the highest-loss cybercrime category. It's not just large enterprises: a dental practice receiving a spoofed invoice from their supply company, a real estate office receiving fake wire instructions from someone impersonating the title company, a small law firm receiving a fake payment request from what looks like a client — these happen every day.

The common attack patterns

CEO fraud / executive impersonation. The attacker impersonates your CEO, owner, or a senior executive — either by spoofing the email address or by compromising the actual account — and emails an employee with an urgent request to transfer funds or purchase gift cards. The urgency and authority combination is designed to bypass normal approval processes.

Vendor impersonation. The attacker impersonates a vendor your business regularly pays, sending an email notifying you that their banking details have changed. The new account details belong to the attacker. Your next payment goes to them.

Invoice fraud. A fraudulent invoice arrives that looks nearly identical to invoices from a real vendor. Minor variations — a different bank account, a slightly modified email address — are easy to miss when you're processing routine payments.

Account takeover. The attacker compromises an actual email account — usually through phishing or stolen credentials — and then uses the legitimate account to conduct fraud. These attacks are harder to detect because the email is genuinely from the right address.

Real estate wire fraud. Real estate transactions involve large wire transfers and multiple parties exchanging documents by email. Attackers intercept or monitor transactions and send fraudulent wire instructions at the critical moment — often with very convincing context.

Why small businesses are vulnerable

Large enterprises have accounts payable departments, dual-control approval requirements, and dedicated security teams reviewing anomalous transactions. Small businesses often have one person handling finances, informal approval processes, and a culture where the owner's requests are acted on immediately.

Small businesses also tend to have weaker email authentication. Without DMARC enforcement, anyone can send email that appears to come from your domain. Without MFA, a single phishing attack can compromise your email account entirely. Without employee security awareness, urgent requests from authority figures get acted on without verification.

The combination of high-value targets (businesses handle real money) and limited defenses makes small businesses appealing targets — not in spite of their size, but because of it.

Technical controls that prevent BEC

MFA on all Microsoft 365 accounts. Account takeover — where an attacker uses your legitimate email to conduct fraud — becomes much harder with MFA enabled. This is the single most impactful control for preventing BEC.

DMARC with a reject policy. A properly configured DMARC record with p=reject tells receiving mail servers to reject any message that fails DMARC authentication for your domain (no SPF or DKIM pass aligned with the From: domain). This doesn't prevent account takeover, but it does stop the simple spoofing attacks where someone sends email pretending to be you without accessing your account.
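As an added illustration (not code from the original article): a small Python checker that evaluates the text of a domain's _dmarc TXT record against the conditions above, including the pct= and sp= tags that quietly weaken a p=reject record. The sample records are constructed; fetch your own with any DNS tool and pass the text to assess_dmarc().

```python
"""Check whether a published DMARC record actually enforces p=reject."""
from typing import Dict, Optional

def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a tag->value map."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record: Optional[str]) -> Dict[str, object]:
    """Return {'enforcing': bool, 'issues': [...]}; enforcing needs p=reject and pct=100."""
    issues = []
    if not record:
        return {"enforcing": False, "issues": ["no DMARC record published"]}
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        issues.append("record does not declare v=DMARC1")
    policy = tags.get("p", "").lower()
    if policy != "reject":
        issues.append(f"p={policy or '<missing>'}: spoofed mail is not rejected")
    try:
        pct = int(tags.get("pct", "100"))   # pct defaults to 100 when absent
    except ValueError:
        pct = 0
        issues.append("pct= is not a number")
    if pct < 100:
        issues.append(f"pct={pct}: only {pct}% of failing mail gets the policy")
    sub_policy = tags.get("sp", policy).lower()   # sp defaults to p
    if sub_policy != "reject":
        issues.append(f"sp={sub_policy}: subdomains can still be spoofed")
    if not tags.get("rua"):
        issues.append("no rua= address: you receive no aggregate reports")
    return {"enforcing": policy == "reject" and pct == 100, "issues": issues}

# Constructed sample records (not any real domain's record).
SAMPLES = {
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "half-enforced": "v=DMARC1; p=reject; pct=50; rua=mailto:dmarc@example.com",
    "enforced": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com",
}

if __name__ == "__main__":
    for label, record in SAMPLES.items():
        result = assess_dmarc(record)
        print(f"{label}: enforcing={result['enforcing']} issues={result['issues']}")
```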

Mailbox rules audit. One of the first things attackers do after compromising an email account is set up forwarding rules or inbox rules that hide replies and forward copies of email to an external account. Auditing mailbox rules regularly — and alerting on new forwarding rules — helps detect compromise early.
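An added example, not from the article: Python audit logic that flags the rule patterns described above (forwarding or redirecting outside the organisation, deleting mail, hiding it in an unwatched folder) in a CSV export of inbox rules. It assumes columns named after Get-InboxRule's properties (MailboxOwnerId, Name, ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage, MoveToFolder) and that example.com is your own domain; the sample rows are constructed.

```python
"""Audit an exported list of Exchange Online inbox rules for account-takeover patterns."""
import csv
import io
import re
from typing import Dict, List

INTERNAL_DOMAINS = {"example.com"}          # assumption: your own mail domains
HIDING_FOLDERS = {"deleted items", "junk email", "rss subscriptions", "archive"}
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def external_recipients(field: str) -> List[str]:
    """Addresses in a forward/redirect field whose domain is not one of ours."""
    return [a for a in ADDR_RE.findall(field or "")
            if a.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS]

def audit_rule(rule: Dict[str, str]) -> List[str]:
    """Return findings for one rule; an empty list means nothing looked odd."""
    findings = []
    for col in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        ext = external_recipients(rule.get(col) or "")
        if ext:
            findings.append(f"{col} sends mail outside the org: {', '.join(ext)}")
    if (rule.get("DeleteMessage") or "").lower() == "true":
        findings.append("deletes matching mail (hides replies from the owner)")
    if (rule.get("MoveToFolder") or "").strip().lower() in HIDING_FOLDERS:
        findings.append(f"moves mail to rarely watched folder {rule['MoveToFolder']}")
    if len((rule.get("Name") or "").strip()) <= 1:
        findings.append("blank or one-character rule name")
    return findings

def audit_export(csv_text: str) -> Dict[str, List[str]]:
    """Map 'mailbox / rule name' -> findings, only for rules that have any."""
    report = {}
    for rule in csv.DictReader(io.StringIO(csv_text)):
        findings = audit_rule(rule)
        if findings:
            report[f"{rule['MailboxOwnerId']} / {rule['Name'] or '<unnamed>'}"] = findings
    return report

# Constructed sample export: one benign rule, one matching the takeover pattern.
SAMPLE_CSV = """MailboxOwnerId,Name,Enabled,ForwardTo,ForwardAsAttachmentTo,RedirectTo,DeleteMessage,MoveToFolder
ap@example.com,Vendor invoices,True,,,,False,Invoices
ap@example.com,.,True,"[SMTP:collector@mail-example.test]",,,True,RSS Subscriptions
"""

if __name__ == "__main__":
    for rule_id, findings in audit_export(SAMPLE_CSV).items():
        print(rule_id, "->", "; ".join(findings))
```

Run the same audit on a schedule and diff the output against the previous run, so a newly created forwarding rule surfaces as a change rather than waiting for a manual review.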

Anti-impersonation policies in Defender for Office 365. Microsoft 365 Business Premium includes Defender for Office 365, whose anti-impersonation policies flag emails that appear to be from your executives or key contacts but fail authentication.

Process controls that prevent BEC

Technical controls alone aren't enough. BEC is fundamentally a social engineering attack, and the most important defenses are procedural.

Out-of-band verification for wire transfers. Establish a policy that any wire transfer request — even from a known executive or vendor — is verified by phone call to a known, pre-existing number before processing. Not a number provided in the email. This single policy prevents most BEC losses.

Banking change verification. Any request to update banking details for a vendor must be verified directly with the vendor using contact information from your records — not from the email requesting the change.

Employee training on BEC patterns. Your staff should know what CEO fraud looks like, how to recognize spoofed email addresses, and that it's always acceptable to verify an unusual financial request before acting on it. A 30-minute security awareness session covering BEC scenarios is one of the highest-ROI investments you can make.

Intragreat includes a BEC risk assessment as part of our free security review — checking your email authentication configuration, reviewing mailbox settings, and giving you a practical list of controls to implement.