Why Business Email Compromise is the most expensive cybercrime most firms still aren’t taking seriously enough
A finance director at a professional services firm received an email from a long-standing supplier. The branding was correct. The sender name was correct. The email address looked right at a glance. The message explained that the supplier’s banking details had changed, and asked for the update to be applied before the next payment run.
The payment was processed. The money was gone. The supplier had never sent the email.
This is Business Email Compromise — and it is not a sophisticated attack. It requires no malware, no technical intrusion, no inside access. It requires only a convincing email and a process that relies on email to verify financial instructions.
The FBI’s Internet Crime Complaint Center reported over $2.9 billion in BEC losses in a single year in the US alone. Globally, the figure is substantially higher — and that only accounts for reported cases. The actual number is significantly larger.
The uncomfortable truth is that most of this fraud is not a failure of technology. It is a failure of process — specifically, the process of relying on email to manage financial relationships.
Why Email Is the Wrong Tool for Financial Interactions
Email was designed for communication. It was never designed to verify identity, protect document integrity, or serve as a trusted channel for financial instructions. Yet for most businesses, it is all three.
The fundamental problem is that email is easily spoofed, easily intercepted, and impossible to lock down once a message is sent. A fraudster does not need to hack your system. They need to register a domain that looks like your supplier’s, craft a convincing message, and wait. Your finance team does the rest.
Even where email security tools are in place — spam filters, DMARC policies, phishing detection — they are fighting an arms race they cannot win. Over 3 billion phishing emails are sent every day. Attackers iterate faster than defences adapt. And it only takes one.
The deeper issue is structural. Email separates documents from the conversations around them — and that gap is where fraud happens. A PDF arrives as an attachment. The instruction to action it arrives in a message thread. A bank detail is in a file. The context — who asked for it, who approved it, whether it matches what was agreed — is scattered across replies, forwards, and inboxes that no one fully controls. The integrity of the document tells you nothing about the integrity of the conversation. An attacker doesn’t need to tamper with the file. They just need to tamper with the message telling you what to do with it.
How BEC Actually Works — and Why It’s So Effective
Business Email Compromise takes several forms, but the most financially damaging follow a predictable pattern.
The fake supplier update
An attacker monitors email traffic between your business and a supplier — either by compromising an inbox, or simply by researching the relationship. At the right moment, they send a message appearing to be from the supplier, advising that banking details have changed. Payments are redirected. The fraud is often not discovered until the legitimate supplier chases an overdue invoice.
The CEO instruction
A message appears to come from a senior executive — a CEO, CFO, or managing partner — requesting an urgent transfer, often with a reason that discourages verification (a confidential acquisition, a regulatory deadline, a sensitive matter that can’t be discussed internally). The recipient, not wanting to question a senior figure, complies.
The man-in-the-middle
An attacker inserts themselves into an ongoing email thread — often after compromising one party’s inbox — and begins subtly redirecting the conversation. By the time a payment instruction is issued, both parties believe they are communicating with each other. Neither is.
What makes all three variants so effective is their simplicity. They exploit trust, urgency, and the absence of any reliable way to verify identity through email. No technical expertise is required on the victim’s side. The attack surface is the inbox itself.
The Industries Most at Risk
BEC affects businesses of every size and sector, but certain industries face disproportionate exposure.
Law firms handle large client funds, manage complex multi-party transactions, and regularly communicate payment and banking instructions by email. A single compromised thread in a property transaction or corporate deal can result in six or seven-figure losses.
Real estate transactions are a particular target. The combination of large sums, multiple parties, tight deadlines, and email-based coordination creates near-ideal conditions for fraud. Solicitors, estate agents, mortgage lenders, and buyers all share information across open email channels — any one of which can be compromised or spoofed.
CPAs and accountancy firms handle sensitive financial data and communicate regularly with clients about tax payments, payroll, and disbursements. The trusted relationship between accountant and client makes a spoofed instruction from either direction highly credible.
Family offices and wealth management firms manage significant assets and often work across multiple advisors, entities, and geographies — creating a complex web of email-based financial communication that is difficult to monitor and easy to exploit.
In each case, the vulnerability is the same: financial instructions travelling through a channel that cannot verify the identity of the sender, cannot guarantee the integrity of the content, and cannot prevent an outsider from inserting themselves into the conversation.
The Process Problem
Most organisations respond to BEC risk with training. Staff are taught to spot phishing emails, to verify unusual requests by phone, to check sender addresses carefully. These measures help, but they treat the symptom rather than the cause.
The cause is a process that places email at the centre of financial relationships — as the channel through which banking details are shared, payment instructions issued, and approvals confirmed. As long as that process remains in place, the risk remains. You cannot train your way out of a structural vulnerability.
The phone verification workaround — call the supplier to confirm the bank change — is better than nothing, but it is not a solution. Caller ID can be spoofed. A call made to a number taken from the suspicious email itself simply reaches the fraudster, so only a number already on file is worth dialling. And in practice, under time pressure, with a long-standing supplier, the call often doesn’t happen.
What is needed is not a better workaround. It is a different process entirely.
What a Secure Financial Communication Channel Looks Like
The principle is straightforward: remove email from the interactions where identity, integrity, and accountability matter most — and replace it with a channel where all three are guaranteed by design.
But the channel has to do more than protect files. It has to keep documents and the conversations about them together, in the same verified environment, so that neither can be separated, spoofed, or tampered with independently. A secure file share solves half the problem. A secure file share with integrated, authenticated messaging solves it properly — because the instruction and the document it refers to are inseparable, both protected, both traceable back to a verified identity.
Verified identity, not assumed identity
In a properly constructed secure channel, every person who accesses it is authenticated. There are no shared links that can be forwarded to the wrong person, no anonymous access, and no way for an outsider to insert themselves into the conversation. You know exactly who you are communicating with, every time — not because you trust the email address, but because the platform has verified it.
Document integrity, not document trust
Most approaches to secure document sharing focus on the file itself — encrypting it in transit, controlling who can download it, logging who opened it. That matters. But it misses half the problem.
In a real financial interaction, the document is rarely the whole story. Banking details arrive in an attachment, but the instruction to action them comes in the message thread. A payment request is a PDF, but the approval happens in the reply chain. An invoice is a file, but the context — who asked for it, who authorised it, whether the details match what was agreed — lives in the conversation around it.
When documents and messages travel separately, through different systems with different security postures, the integrity of one tells you nothing about the integrity of the other. A fraudster doesn’t need to tamper with the PDF. They just need to tamper with the message telling you what to do with it.
A secure channel that keeps documents and conversations together — in the same verified, encrypted environment — closes that gap. Both parties can see not just what was sent, but what was said about it, who said it, and when. The document and its context are inseparable. Neither can be altered without detection. And because every participant in that channel has been authenticated, there is no question about who you are actually communicating with.
That is a fundamentally different proposition to a secure file share. It is the difference between protecting a document and protecting a relationship.
Enforced approval workflows
High-value financial actions — changes to banking details, payment authorisations, new supplier registrations — should require multiple verified sign-offs before they can proceed. An enforced approval workflow, with an identity-verified audit trail, makes it structurally impossible for a single fraudulent instruction to move money without challenge. The control is built into the process, not bolted on as a reminder.
A permanent, closed connection
Unlike email, which is open by design, a secure B2B channel is closed. The right people on both sides have access. The wrong people never do. When a contact leaves, access is revoked. When a new contact needs to be added, they are authenticated before they can participate. The channel becomes the trusted infrastructure for the relationship — stable, verified, and permanent.
Separating Financial Interactions from General Communication
One practical approach that is gaining traction is the separation of financial interactions from general business communication — even within the same relationship.
A business might maintain one channel for project communication with a supplier, and a separate, dedicated channel for financial interactions: banking details, payment requests, invoice approvals. The finance team on each side has direct, verified access to the financial channel, without it being mixed with contract discussions, deliverable reviews, or general correspondence.
This separation does two things. It reduces the risk of financial instructions getting lost in general email traffic. And it makes it structurally harder for an attacker to insert themselves into a financial conversation by compromising an operational email thread — because the financial conversation is happening somewhere else entirely, in a channel they cannot access.
The Audit Trail That Protects You After the Fact
Even with the best controls in place, the question of what happened — and when, and who authorised it — will eventually arise. In a fraud investigation, an insurance claim, or a regulatory inquiry, the ability to produce a clear, immutable record of every communication, document access, and approval in a financial relationship is not just useful. It is often decisive.
Email cannot provide this. Threads are deleted. Timestamps are unreliable. Attachments detach. Conversations happen across multiple inboxes, none of which tell the complete story. The record is incomplete by design.
A purpose-built secure channel maintains a complete log of every action: who sent which message, who accessed which document, when, what was approved, and by whom. Conversations and documents are part of the same record — not separate systems that have to be manually reconciled after the fact. When you need to demonstrate what happened, it is all there, in sequence, tied to verified identities. That is the difference between being able to prove what occurred and having to reconstruct it from fragments.
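As an added illustration (not the page's own code, nor any vendor's product), here is a minimal Python model of the two controls described above: a banking-detail change that cannot execute until two distinct, platform-verified approvers sign off (the enforced approval workflow), and an append-only, hash-chained audit log that ties every attempt to a verified identity and detects later tampering. The identity directory, supplier name and document bytes are constructed placeholders.

```python
import hashlib
import json
# Constructed directory of platform-authenticated identities; an email address is never consulted.
VERIFIED_IDENTITIES = {"alice": "finance", "bob": "finance", "carol": "finance"}
REQUIRED_APPROVALS = 2  # distinct verified sign-offs before money can move

def _digest(record):
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()

class AuditLog:
    """Append-only, hash-chained record tying every action to a verified identity."""
    def __init__(self):
        self.entries = []
    def append(self, actor, action, detail):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        entry = {"seq": len(self.entries), "actor": actor, "action": action,
                 "detail": detail, "prev": prev}
        entry["hash"] = _digest(entry)
        self.entries.append(entry)
    def verify(self):
        # Recompute every hash; an edited, reordered or deleted entry breaks the chain.
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if body["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

class BankDetailChange:  # executes only after REQUIRED_APPROVALS distinct verified sign-offs
    def __init__(self, requester, supplier, details_document, log):
        self.log, self.requester, self.approvers = log, requester, set()
        # The instruction is bound to the exact document it refers to.
        self.doc_hash = hashlib.sha256(details_document).hexdigest()
        log.append(requester, "request", {"supplier": supplier, "doc": self.doc_hash})
    def approve(self, actor):
        if VERIFIED_IDENTITIES.get(actor) != "finance":
            self.log.append(actor, "rejected", "not an authenticated finance user")
            return False
        if actor == self.requester or actor in self.approvers:
            self.log.append(actor, "rejected", "requester cannot approve; no duplicate approvals")
            return False
        self.approvers.add(actor)
        self.log.append(actor, "approve", self.doc_hash)
        return True
    def execute(self):
        ok = len(self.approvers) >= REQUIRED_APPROVALS
        self.log.append("system", "executed" if ok else "blocked", sorted(self.approvers))
        return ok
```

Every rejected attempt is logged alongside the approvals, so the record shows not only who authorised the change but who tried to and was refused.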
Moving Forward
Business Email Compromise is not going away. The returns are too high, the barrier to entry too low, and the attack surface — the global email infrastructure — too large and too open to defend at the perimeter.
The firms that will reduce their exposure are not the ones with the best spam filters or the most rigorous staff training programmes. They are the ones that change the process — that move the financial interactions that matter most out of the inbox and into a channel where identity is verified, integrity is guaranteed, and accountability is built in.
Every payment instruction that travels through email is a risk. Every banking detail shared in an attachment is an exposure. Every conversation about a financial decision happening across open inboxes is a vulnerability waiting to be exploited. The document and the conversation around it are equally dangerous when they are unprotected — and equally valuable to an attacker who can manipulate either one.
The question is not whether your organisation will be targeted. It is whether, when it is, your process gives the attacker anything to work with.
The best defence against email fraud is a process that doesn’t depend on email.
