Business email compromise is not phishing, and the difference matters

April 29, 2026

Most email security focuses on the same set of threats: links that lead to fake login pages, attachments that install malware, messages designed to steal your password. Those threats are real, and the defenses against them are well established.

Business email compromise is different. There is usually no link to click and no attachment to open. The attack is simpler and harder to catch because it looks like a normal internal request.

How it works

Someone sends an email that looks like it came from your CEO, your finance director, or a vendor you work with regularly. The message asks for something specific: a wire transfer to an unfamiliar account, a change to the banking details on file for a vendor, an urgent invoice that needs processing today, a gift card purchase to be reimbursed later.

The urgency is part of the setup. So is the apparent authority. The message comes from someone whose requests you would not normally question, and it asks for something that sounds plausible. If the person receiving it does not look carefully, they do what was asked.

The amounts vary. Some attempts are small, designed to test whether the channel works. Others are large. Businesses have lost significant amounts to a single attempt that looked like a routine payment.

Why it is harder to catch than phishing

Standard phishing tries to steal credentials. Business email compromise tries to steal money or redirect payments. The target is usually whoever handles finances, not the whole company.

The emails are often crafted to match how your company actually communicates. In some cases, the attacker has spent weeks watching email traffic before sending anything. They know the names of the people involved, the relationships, and what kinds of requests make sense. The message does not need a suspicious link because it is not trying to take you to a fake website. It just needs you to respond and act.

Some versions involve actually compromising a real email account. The attacker gets into a legitimate inbox, monitors conversations, then sends a message at a moment that fits the context. When a response comes back, they intercept it. The entire thread looks legitimate because it is coming from the real account.

Who gets targeted

Any business that handles wire transfers, pays vendors, or has someone with financial authority is a potential target. Smaller businesses are attractive because they often lack controls that larger companies use: no requirement for dual authorization on transfers, no procedure for verifying payment changes out of band, no strict policy around wire requests made by email alone.

The most common variations are an executive requesting an urgent wire, a vendor sending updated account details for future payments, and a message claiming to be from a law firm handling a confidential deal that requests a transfer as part of the closing process.

What actually reduces the risk

The most effective defense is a procedure, not a technical control. Establish a rule that any wire transfer, any change to vendor payment details, and any large or unusual financial request requires a phone call to verify – using a number you already have on file, not one provided in the email that triggered the request. That single control stops most attempts.

On the technical side, email authentication settings make it harder for an attacker to send messages to others that appear to come from your domain. Advanced email filtering can flag messages where the sender display name matches an internal person but the actual email address does not. These help, but they do not catch every variation.

The bigger piece is making sure people who handle payments understand what these attacks look like. Not through a generic security training video, but specifically: here is what a business email compromise attempt looks like, here is what made it convincing, here is what to do when something feels off. A one-sentence rule – call to verify any payment change – is more useful than hours of general training.

If any of this feels familiar, we can take a quick look at your setup and tell you what is actually worth fixing.
