The most common question I get after a small business has been hit by wire fraud is: "How did this get through our email filter?" The answer is that BEC attacks are not designed to get through your email filter. They are designed to look like email that belongs in your inbox: from someone you trust, about something that sounds urgent, asking for something your business does all the time. Often the message is sent from a real mailbox the attacker has taken over, so it passes SPF and DKIM and carries no malicious attachment or link for a filter to inspect.
The FBI’s Internet Crime Report consistently places business email compromise among the top cybercrime categories by reported dollar losses, not because it is the most common attack type, but because each successful incident often moves more money in a single transaction than a ransomware payment, and the funds are almost always gone before anyone realizes what happened. Unlike ransomware, BEC leaves no ransom note. It leaves a wire transfer confirmation and a vendor who says they never changed their banking information.
The three BEC attacks hitting small businesses right now
Business email compromise is not one attack — it is a category. The three variants most commonly targeting small businesses on the Central Coast are CEO fraud, vendor email compromise, and payroll diversion. Each exploits a different gap in your payment process.
CEO fraud is the simplest variant: an attacker spoofs or compromises an executive’s email address and sends a message to an employee in accounting or operations asking for an urgent wire transfer. The email usually invokes authority ("I need this done today before I get on my flight") and asks the employee to keep it quiet ("don’t go through the normal process, just handle this for me"). Gift card requests follow the same pattern — they are easier to pull off because they require no banking information and the purchase can happen in minutes.
Vendor email compromise is more sophisticated and more expensive. Attackers either compromise the real email account of a vendor you pay regularly or create a nearly identical spoofed domain. When your next invoice arrives, the banking details have changed. Because you have paid this vendor for years and the email looks identical to every previous one, your team processes the payment without question. By the time the real vendor calls about an overdue invoice, the funds have already moved through several accounts.
Payroll diversion targets HR and payroll rather than accounts payable: an attacker impersonates an employee and emails HR or your payroll processor asking to update their direct deposit account before the next pay run. The attacker’s bank account collects one or two payroll cycles before the real employee notices their deposit never arrived. This variant is especially effective because direct deposit changes are routine and HR often processes them without a second approval or a callback to the employee.
Why small businesses are the primary target
Large enterprises have dedicated finance teams with separation-of-duties controls, dual-approval workflows, and security operations centers watching for anomalous payment activity. Small businesses have one bookkeeper, one owner approving wire transfers, and a payment process built on trust rather than verification — because until something goes wrong, trust is faster.
Attackers know this. They also know that small business owners are more reachable. Your email address, your vendors’ names, and your payment patterns are often visible in public records, LinkedIn, local business directories, and domain registration data. It takes a few hours of open-source research to build a convincing BEC email targeting a 12-person company. The return on that investment, when successful, is often $50,000 or more in a single transaction.
The Central Coast economy adds a specific vulnerability: many small businesses here have long-standing vendor relationships with agriculture suppliers, logistics companies, and construction contractors where large invoices are normal and payment timelines are established. An attacker who spoofs a known vendor in one of those industries is working with an already-trusted name and an already-familiar dollar range.
The controls that actually stop BEC
BEC is stopped by a combination of technical controls and process controls. Either one alone is insufficient — technical controls can be bypassed through account compromise, and process controls fail when urgency and authority override them. You need both layers.
Technical controls:
Multi-factor authentication on every email account is the single highest-impact control for BEC. Most vendor email compromise attacks begin with a legitimate account being taken over through credential theft or password spraying, and MFA stops the vast majority of those password-only takeover attempts. Two caveats a practitioner should plan for: adversary-in-the-middle phishing kits can relay one-time codes and push prompts, so prefer phishing-resistant methods (FIDO2 security keys or passkeys) for finance and executive accounts, and legacy protocols such as IMAP, POP and SMTP AUTH bypass MFA entirely unless you block them. If your team is on Microsoft 365, Conditional Access policies (included with Microsoft 365 Business Premium through its Microsoft Entra ID P1 license) can enforce MFA on every sign-in, on every device, and block legacy authentication, with no exceptions for the CEO or the owner; tenants without that license should at minimum turn on Security Defaults.
DMARC enforcement on your own domain stops attackers from spoofing your exact email address to target your customers or vendors. It also tells receiving mail servers how to handle mail claiming to be from your domain: a policy of p=reject means a message that fails both SPF alignment and DKIM alignment is refused rather than delivered. This matters both for protecting your reputation and for stopping inside-out BEC, where someone impersonates your company to a vendor you both share. Two caveats. First, move to p=reject only after SPF and DKIM are set up for every system that legitimately sends as your domain (payroll provider, invoicing tool, CRM, ticketing) and you have read the aggregate (rua) reports for a few weeks; the usual path is p=none with reporting, then p=quarantine, then p=reject, and remember that sp= controls subdomains and a pct= below 100 means only a sample of failing mail is enforced. Second, DMARC covers only your exact domain: it does nothing against a look-alike domain or a message sent from a genuinely compromised account, which is why the process controls below exist.
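To make the record semantics concrete, here is an added example (written for this article, not the firm's tooling) that parses a DMARC TXT record, applies the RFC 7489 defaults, and decides what a receiver would do with a message given its From: domain and which mechanisms passed. The two records and the domains are constructed samples; a real check would fetch the TXT record at `_dmarc.<domain>` with a DNS library and pass the string to the same functions. The organizational-domain rule (last two labels) is a simplification of the Public Suffix List lookup real receivers perform.

```python
"""Evaluate what a domain's DMARC record would do to an inbound message.

Added illustration for this article, not the firm's tooling. The records below
are constructed samples; a real check would fetch the TXT record at
_dmarc.<domain> with a DNS library and feed the string to the same functions.
"""
from typing import Optional

# Constructed sample records: the monitor-only record many small businesses
# stop at, and the fully enforced one the article recommends.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@ghosxt.com"
ENFORCED_RECORD = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; "
                   "rua=mailto:dmarc@ghosxt.com")


def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record into tags and fill in the RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: needs v=DMARC1 and p=")
    tags.setdefault("sp", tags["p"])   # subdomain policy inherits p unless set
    tags.setdefault("adkim", "r")      # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain (last two labels). Real receivers use
    the Public Suffix List, so a domain like example.co.uk needs that list."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(header_from: str, auth_domain: Optional[str], mode: str) -> bool:
    """Does an SPF- or DKIM-authenticated domain align with the From: domain?"""
    if not auth_domain:
        return False
    if mode == "s":                     # strict: exact match required
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


def dmarc_disposition(record: str, header_from: str,
                      spf_pass_domain: Optional[str],
                      dkim_pass_domain: Optional[str]) -> str:
    """Return 'pass', 'none', 'quarantine' or 'reject' for one message.

    spf_pass_domain is the domain SPF passed for (the envelope sender), or None
    if SPF failed; dkim_pass_domain is the d= of a valid DKIM signature, or None.
    """
    tags = parse_dmarc(record)
    if aligned(header_from, spf_pass_domain, tags["aspf"]) or \
       aligned(header_from, dkim_pass_domain, tags["adkim"]):
        return "pass"
    # A message fails DMARC only when neither mechanism yields an aligned pass;
    # the subdomain policy applies when From: is below the organizational domain.
    if org_domain(header_from) == header_from.lower():
        return tags["p"]
    return tags["sp"]


def enforcement_level(record: str) -> str:
    """Summarize how much protection a record actually gives against spoofing."""
    tags = parse_dmarc(record)
    if tags["p"] == "none":
        return "monitor-only"          # reports only; spoofed mail is still delivered
    if int(tags["pct"]) < 100 or tags["sp"] == "none":
        return "partial"               # sampled enforcement, or subdomains left open
    return "enforced"


if __name__ == "__main__":
    # A spoof of the company domain sent from the attacker's own infrastructure:
    # SPF passes for the attacker's domain, which does not align with From:.
    for rec in (WEAK_RECORD, ENFORCED_RECORD):
        print(enforcement_level(rec),
              dmarc_disposition(rec, "ghosxt.com", "bulk.attacker-example.net", None))
```

Run it and the monitor-only record lets the spoof through with disposition `none` while the enforced record returns `reject`. The same functions also show the strict-alignment pitfall: with `adkim=s`, a legitimate message DKIM-signed as `mail.ghosxt.com` no longer aligns with a `ghosxt.com` From: header and is rejected, which is exactly the kind of breakage the aggregate reports reveal before you turn enforcement on.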
Your email gateway should have anti-impersonation rules enabled. Microsoft Defender for Office 365 (through its anti-phishing policies) and most third-party secure email gateways include impersonation protection that flags mail claiming to come from your CEO or your most-emailed vendors when the actual sending domain does not match, including look-alike domains and display names that match a protected user. Enable it, add your executives and key vendors to the protected lists, review the detections quarterly, and tune it to your vendor list so that legitimate vendor mail is not quarantined.
Process controls:
The single most effective process control is a mandatory verbal callback policy for any payment change: any request to update banking information, wire funds to a new account, or change payroll details must be confirmed by phone using a number from your existing records — not a number provided in the email. This policy must be non-negotiable, including when the request appears to come from the owner. Attackers rely on the social pressure of authority to skip verification. Removing the option to skip eliminates that leverage.
Dual-approval for wire transfers above a threshold (typically $5,000–$10,000 for small businesses) means one employee requesting and a second employee approving, with neither approval done under deadline pressure from a third party. If your banking platform supports positive pay or wire controls, configure them. Most business banking platforms have controls that your bank can activate in 30 minutes.
Train your team to recognize the pattern: urgency plus authority plus a request to bypass normal process is the signature of a BEC attempt, regardless of who the email appears to be from. Run a BEC-specific scenario in your next phishing simulation — CEO gift card request and vendor banking update are both available in every major phishing simulation platform and are consistently among the highest click-rate attack types.
FAQs about business email compromise
What is business email compromise (BEC)?
Business email compromise is fraud in which attackers impersonate a trusted person (your CEO, a vendor, your attorney, or a payroll system) by email to trick an employee into sending money or changing payment details. It usually involves no malware; it relies on social engineering and on the authority your organization places behind certain email senders. The FBI’s Internet Crime Report consistently ranks BEC among the top cybercrime categories by reported dollar losses. The average loss per incident for small businesses is between $50,000 and $130,000, and most transfers are irreversible once sent.
What are the warning signs of a BEC email?
BEC emails share a reliable signature: urgency that discourages a phone call or second approval; a request to change payment details delivered only by email with no prior conversation; a sender address with a subtle domain variation (ghosxt.co instead of ghosxt.com, or a digit standing in for a letter); a display name that matches your CEO or a vendor over an address at an unrelated or free webmail domain; a Reply-To address that differs from the From address; an executive requesting something outside normal process; and a confidentiality request that discourages you from looping in anyone else. The most reliable response to any of these signals is a verbal confirmation using a phone number from your own records, not a number provided in the suspicious email.
Does cyber insurance cover BEC losses?
Coverage for BEC varies significantly by policy. Many standard cyber insurance policies exclude voluntary payment fraud — meaning if your employee chose to send the wire transfer (even under deception), the insurer may deny the claim because the transfer was authorized. To be covered, you typically need a social engineering fraud or crime rider added explicitly to your policy. Underwriters also increasingly require MFA on email and a documented payment verification policy as conditions for coverage. Review your policy language before assuming BEC losses are included.
My vendor’s email was compromised — am I liable for paying them again?
This is primarily a civil and contractual question, not a cybersecurity one, and the answer varies by your contract with the vendor and your state’s law. In general, if your payment process included reasonable verification steps and you were defrauded through a compromise of your vendor’s own email system, you may have grounds to argue you fulfilled your obligation. However, if your own email was compromised or your verification process was inadequate, the analysis changes. Engage legal counsel before making any payment commitments in a dispute like this. The practical answer for prevention is the callback policy: if you verified the change by phone and the call went to a legitimate number on file, your risk exposure is significantly lower.
Want to know if your payment process would catch a BEC attack?
30 minutes with a DoD-cleared engineer. We will review your email authentication setup, test your domain’s DMARC configuration, assess your payment approval workflow, and tell you exactly which gaps a BEC attacker would exploit first — before one does.
Book your free security assessment
Prefer to talk first? Email sales@ghosxt.com or call (831) 204-0501.