Business Email Compromise (BEC) is a fraud technique where attackers impersonate a trusted party — a CEO, a vendor, or a payroll contact — over email to trick an employee into wiring money or changing bank details. There is no malware and no exploit. The attacker researches a real transaction, spoofs or hijacks a trusted inbox, and times a payment-change request to land exactly when finance is least likely to double-check it. For Indian businesses running fast, lean finance teams, BEC has become one of the highest-value, lowest-effort attacks available to fraudsters.
What Business Email Compromise actually looks like
BEC is not one attack — it is a family of social-engineering scams that all abuse the same weakness: employees trust email more than they verify it. The FBI's Internet Crime Complaint Center (IC3) tracks BEC as the second-costliest category of cybercrime it receives complaints about — behind investment fraud, and far ahead of reported ransomware losses — and Indian organisations increasingly show up as both victims and unwitting mule-account intermediaries in these cases.
The common patterns:
- CEO fraud (executive impersonation): An email appearing to come from the founder or CFO instructs finance to make an "urgent, confidential" wire transfer — often while the real executive is travelling, which the attacker knows from LinkedIn or an out-of-office reply.
- Invoice fraud: Attackers intercept or spoof a genuine vendor thread and send a "corrected" invoice with a different bank account, timed to a real, expected payment.
- Vendor payment redirection: A compromised supplier mailbox is used to send an authentic-looking notice: "Our bank has changed, please update our account for future payments." Because the request rides on a real business relationship, it rarely triggers suspicion.
- Payroll diversion: An email posing as an employee asks HR to redirect their next salary credit to a "new" bank account, exploiting routine, low-friction payroll change processes.
How attackers research and time the attack
BEC success depends on believability, not on technical sophistication. Attackers typically:
- Harvest public signals — company websites, LinkedIn, GST/MCA filings, press releases, and vendor lists — to learn who approves payments and who the real vendors are.
- Compromise or spoof a mailbox — either through a prior phishing credential theft, a look-alike domain (company-name.com vs companyname.com), or a display-name spoof that most inboxes don't visibly flag.
- Monitor a real thread — in the more advanced cases, attackers sit inside a compromised vendor or executive mailbox for weeks, silently reading invoice and travel threads before acting.
- Time the ask — requests land during travel, festival closures, month-end payment runs, or right after a real invoice was due, so the request looks routine rather than anomalous.
- Apply urgency and authority — "This is time-sensitive," "Don't loop in anyone else yet," "Handle before EOD" — language designed to short-circuit the normal verification step.
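The look-alike domain trick in the list above (company-name.com standing in for companyname.com) is something a mail gateway rule or a finance-team pre-payment script can catch mechanically: reduce the sender domain to its registrable part, fold the common substitutions (hyphens, digit-for-letter swaps, "rn" for "m", accented characters), and compare against the company's own domain and the vendors it actually pays. The following is an added example, not code from the original article; the known-domain list, the confusable map and the two-level-suffix shortcut are constructed assumptions for illustration.

```python
"""Flag sender domains that resemble the company's own domain or a known vendor.

Added example, not from the original article. KNOWN_DOMAINS, the homoglyph map
and the two-level-suffix list are constructed assumptions for illustration.
"""
import unicodedata
from typing import Iterable, Optional, Tuple

# Constructed sample list: your own domain plus the vendors finance actually pays.
KNOWN_DOMAINS = ["companyname.com", "acmesupplies.co.in"]

# Digits and symbols commonly substituted for letters in look-alike registrations.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l"})

# Assumed two-level public suffixes; a real deployment would use the Public Suffix List.
TWO_LEVEL_SUFFIX_LABELS = {"co", "com", "net", "org", "gov", "ac"}


def registrable(domain: str) -> str:
    """Reduce mail.sub.example.co.in to example.co.in so subdomains compare by owner."""
    labels = domain.lower().strip().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in TWO_LEVEL_SUFFIX_LABELS and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def normalise(domain: str) -> str:
    """Fold the tricks that make two domains look alike into one canonical string."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))   # strip accents
    d = d.encode("ascii", "ignore").decode()                     # drop non-ASCII leftovers
    d = d.replace("-", "")                                       # company-name vs companyname
    d = d.replace("rn", "m")                                     # 'rn' reads as 'm' in many fonts
    return d.translate(HOMOGLYPHS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender_domain(sender_domain: str, known: Iterable[str] = KNOWN_DOMAINS,
                        max_distance: int = 2) -> Tuple[str, Optional[str]]:
    """('exact', d) for a known domain, ('lookalike', d) for a near miss, ('unknown', None) otherwise."""
    known = [k.lower() for k in known]
    sd = registrable(sender_domain)
    if sd in known:
        return ("exact", sd)
    nsd = normalise(sd)
    for k in known:
        nk = normalise(k)
        if nsd == nk or edit_distance(nsd, nk) <= max_distance:
            return ("lookalike", k)
    return ("unknown", None)


if __name__ == "__main__":
    for sender in ["company-name.com", "c0mpanyname.com", "mail.companyname.com",
                   "acmesuppIies.co.in", "gmail.com"]:
        print(sender, "->", check_sender_domain(sender))
```

A "lookalike" verdict should route the message to a human for the verification callback, not silently drop it; an edit distance of 2 is deliberately aggressive for short domains, so expect some legitimate near-neighbours to be flagged for review.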
Why BEC bypasses traditional security controls
Firewalls, antivirus, and even most email security gateways are built to catch malicious attachments, links, and code. BEC emails typically have none of those. A well-crafted BEC message is plain text, contains no payload, and comes from an address that either is the real vendor's compromised account or looks close enough to pass a quick glance.
This is why BEC is fundamentally a process and identity problem, not a malware problem:
- No attachment, no link, no exploit — nothing for a sandbox or antivirus engine to detonate or flag.
- Domain spoofing exploits missing email authentication — without DMARC, DKIM, and SPF properly enforced, it's trivial to send mail that appears to originate from a legitimate domain.
- Social engineering targets a person, not a system — the "vulnerability" is a finance executive under time pressure, not a piece of software.
- Legitimate-looking context — because the attacker references a real invoice, a real trip, or a real vendor name, the email doesn't read as suspicious in isolation.
BEC attack types by share of incidents
Public BEC-loss reporting (IC3, industry incident-response data) consistently shows invoice and vendor-impersonation fraud as the largest sub-categories, with CEO/executive impersonation and payroll diversion also recurring. Exact proportions vary by report and region, but the pattern below reflects the commonly observed distribution across BEC case types.
Why Indian businesses are exposed
Indian SMBs and mid-market firms are attractive BEC targets for a specific set of reasons:
- Founder-led approvals: Small and mid-size Indian companies often route high-value payment approvals directly through the founder or a single finance lead over WhatsApp and email — a workflow that's fast for legitimate business but easy to impersonate.
- Cross-border vendor relationships: Import/export firms, IT services companies, and manufacturers dealing with overseas vendors are frequent BEC targets because international wire transfers are harder to claw back and less scrutinised than domestic NEFT/RTGS.
- Thin finance teams: A two- or three-person finance function has less capacity for a formal, independent verification step before every payment-detail change.
- Weak email authentication hygiene: Many Indian SMB domains still lack enforced DMARC policies, making both direct spoofing and look-alike domain registration easier for attackers.
Practical BEC prevention checklist
| Control | What it does | Priority |
|---|---|---|
| Verification callback on a known number | Confirms any payment or bank-detail change directly with the person, never by replying to the same email thread | Critical |
| Dual approval for payment/bank changes | Requires a second, independent person to sign off before any vendor or payroll bank detail is updated | Critical |
| DMARC set to p=reject or p=quarantine | Stops spoofed mail claiming to be from your own domain from reaching recipients | High |
| SPF and DKIM correctly configured | Authenticates legitimate outbound mail so receiving servers can validate your domain | High |
| Look-alike domain monitoring | Flags newly registered domains that closely resemble your company or key vendors | Medium |
| Finance team BEC awareness training | Teaches staff to recognise urgency language, off-thread requests, and last-minute detail changes | High |
| Travel-window payment freeze/escalation | Adds extra scrutiny to payment requests during known executive travel or leave periods | Medium |
| Vendor bank-detail change register | Maintains a verified, versioned record of each vendor's confirmed bank details, checked before every payment | High |
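The DMARC, SPF and DKIM rows above, and the earlier point that direct domain spoofing rides on missing email authentication, come down to two DNS TXT records that are easy to audit. The following added example (not the article's code) parses constructed sample records and grades each domain as enforced, partial or unenforced, with findings a finance or IT lead can act on. In a real check you would fetch the TXT record at the domain apex for SPF and at _dmarc.<domain> for DMARC; the sample domains and record strings here are constructed.

```python
"""Grade a domain's published SPF and DMARC records for spoofing resistance.

Added example, not from the original article. The TXT strings in SAMPLE_RECORDS
are constructed; in a real check you would read them from DNS (the TXT record at
<domain> for SPF and at _dmarc.<domain> for DMARC).
"""
from typing import Dict, List

SAMPLE_RECORDS: Dict[str, Dict[str, str]] = {
    # Monitoring only: reports come back, but spoofed mail is still delivered.
    "weak.example": {
        "spf": "v=spf1 include:_spf.example.net ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    # Enforced: receivers reject mail that fails SPF/DKIM alignment.
    "hardened.example": {
        "spf": "v=spf1 include:_spf.example.net -all",
        "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@hardened.example; adkim=s; aspf=s",
    },
    # No DMARC at all and an SPF record that authorises every sender.
    "nodmarc.example": {"spf": "v=spf1 +all", "dmarc": ""},
}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict; empty dict if this is not a DMARC record."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}


def spf_all_qualifier(record: str) -> str:
    """Qualifier on the terminal 'all' mechanism: '-', '~', '?' or '+'; '' if no SPF or no 'all'."""
    if not record.lower().startswith("v=spf1"):
        return ""
    for term in record.lower().split()[1:]:
        if term.lstrip("+-~?") == "all":
            return term[0] if term[0] in "+-~?" else "+"
    return ""


def policy_grade(spf: str, dmarc: str) -> str:
    """'enforced' (p=reject at 100%), 'partial' (quarantine, or reject on a subset), else 'unenforced'."""
    tags = parse_dmarc(dmarc)
    if not tags:
        return "unenforced"
    p = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    if p == "reject" and pct == 100:
        return "enforced"
    if p in ("reject", "quarantine"):
        return "partial"
    return "unenforced"


def assess(spf: str, dmarc: str) -> List[str]:
    """Human-readable findings; an empty list means nothing to fix."""
    findings: List[str] = []
    qualifier = spf_all_qualifier(spf)
    if not spf.lower().startswith("v=spf1"):
        findings.append("SPF: no record published")
    elif qualifier in ("", "+", "?"):
        findings.append("SPF: 'all' mechanism is not restrictive; any server may send as this domain")
    elif qualifier == "~":
        findings.append("SPF: softfail (~all); acceptable only if DMARC is enforced")
    tags = parse_dmarc(dmarc)
    if not tags:
        findings.append("DMARC: no record; receivers have no policy to apply to spoofed mail")
    else:
        p = tags.get("p", "none").lower()
        pct = int(tags.get("pct", "100"))
        if p == "none":
            findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
        elif pct < 100:
            findings.append(f"DMARC: p={p} is applied to only {pct}% of failing mail")
        if "rua" not in tags:
            findings.append("DMARC: no rua= address, so you receive no aggregate reports")
    return findings


if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        print(domain, policy_grade(rec["spf"], rec["dmarc"]), assess(rec["spf"], rec["dmarc"]))
```

The grade is what matters for the checklist: only "enforced" stops direct spoofing of your domain, and DMARC does nothing against a look-alike domain the attacker owns, which is why the domain-monitoring and callback controls sit alongside it.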
What to do if you suspect a BEC incident
- Do not send further payments on the affected thread until the request is independently verified.
- Contact your bank immediately to attempt a wire recall — the window to reverse a fraudulent transfer is measured in hours, not days.
- Preserve the email headers and full thread for investigation; do not delete the message.
- Report the incident to CERT-In (cert-in.org.in) as required for significant cyber incidents, and to your bank's fraud desk.
- Reset credentials and review mailbox rules on any account suspected of compromise — attackers often set silent forwarding rules to keep monitoring a mailbox after the initial fraud.
- Run a technical review of your email authentication (SPF/DKIM/DMARC) and any exposed infrastructure to close the gap that allowed spoofing or compromise in the first place.
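As an added example (not part of the original article) of what preserving the headers buys the responder, and of the checks the technical review above should start with: a small triage script run over two constructed sample messages. It flags a Reply-To domain that differs from the From domain, non-passing spf/dkim/dmarc verdicts in the Authentication-Results header, and the combination of pressure language with a bank-detail request. Both messages, the phrase lists and the needs_callback policy hook are illustrative assumptions, not data from any real incident.

```python
"""Triage a preserved BEC-suspect message: header mismatches, auth verdicts, pressure language.

Added example, not from the original article. Both messages below are constructed
samples (no real incident); the phrase lists are illustrative assumptions.
"""
from email import message_from_string
from email.message import Message
from email.utils import parseaddr
from typing import Dict, List

# Constructed suspect message: look-alike Reply-To, failed authentication, urgency plus a bank-detail change.
SUSPECT_EML = """\
From: "Priya Sharma (CFO)" <priya.sharma@companyname.com>
Reply-To: priya.sharma@company-name.com
To: accounts@companyname.com
Subject: Urgent - updated vendor bank details, handle before EOD
Authentication-Results: mx.companyname.com; spf=fail smtp.mailfrom=company-name.com; dkim=none; dmarc=fail header.from=companyname.com
Date: Mon, 3 Mar 2025 09:12:00 +0530

Please update the Acme Supplies account to the details below and process today.
Don't loop in anyone else yet.
"""

# Constructed routine vendor mail for contrast: consistent domains, passing authentication, no pressure.
ROUTINE_EML = """\
From: "Acme Supplies" <billing@acmesupplies.co.in>
To: accounts@companyname.com
Subject: Invoice 1042 for February
Authentication-Results: mx.companyname.com; spf=pass smtp.mailfrom=acmesupplies.co.in; dkim=pass header.d=acmesupplies.co.in; dmarc=pass header.from=acmesupplies.co.in
Date: Mon, 3 Mar 2025 10:00:00 +0530

Please find invoice 1042 attached. Payment terms as per our contract.
"""

URGENCY_PHRASES = ("urgent", "time-sensitive", "before eod", "don't loop in", "confidential")
PAYMENT_PHRASES = ("bank details", "account number", "wire transfer", "new account", "update our account")


def domain_of(header_value: str) -> str:
    """'Name <user@host>' -> 'host' (lowercase); '' if no address."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def parse_auth_results(value: str) -> Dict[str, str]:
    """'authserv; spf=fail ...; dkim=none; dmarc=fail ...' -> {'spf': 'fail', 'dkim': 'none', 'dmarc': 'fail'}."""
    verdicts: Dict[str, str] = {}
    for clause in value.split(";")[1:]:          # clause 0 is the authserv-id
        words = clause.split()
        if words and "=" in words[0]:
            method, verdict = words[0].split("=", 1)
            verdicts[method.lower()] = verdict.lower()
    return verdicts


def body_text(msg: Message) -> str:
    """Plain-text body of a single-part or multipart message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            return payload.decode(part.get_content_charset() or "utf-8", "replace")
    return ""


def triage(raw: str) -> List[str]:
    """Return the list of red flags found; empty means nothing stood out."""
    msg = message_from_string(raw)
    flags: List[str] = []
    from_domain = domain_of(msg.get("From", ""))
    reply_to = msg.get("Reply-To")
    if reply_to and domain_of(reply_to) != from_domain:
        flags.append(f"Reply-To domain {domain_of(reply_to)} differs from From domain {from_domain}")
    verdicts = parse_auth_results(msg.get("Authentication-Results", ""))
    for method in ("spf", "dkim", "dmarc"):
        verdict = verdicts.get(method, "missing")
        if verdict != "pass":
            flags.append(f"{method}={verdict}")
    text = (msg.get("Subject", "") + "\n" + body_text(msg)).lower()
    urgency = [p for p in URGENCY_PHRASES if p in text]
    payment = [p for p in PAYMENT_PHRASES if p in text]
    if urgency and payment:
        flags.append(f"pressure language {urgency} combined with a payment-detail request {payment}")
    return flags


def needs_callback(raw: str) -> bool:
    """Policy hook: any flag means the request goes to an out-of-band verification callback."""
    return bool(triage(raw))


if __name__ == "__main__":
    for name, raw in (("suspect", SUSPECT_EML), ("routine", ROUTINE_EML)):
        print(name, needs_callback(raw), triage(raw))
```

Note that a genuinely compromised vendor mailbox will pass all three authentication checks and carry a consistent Reply-To; for that case only the content flags fire, which is why the callback on a known number, not this script, is the control that actually stops the payment.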
Organisations handling personal data as part of vendor or payroll records should also review their obligations under India's data protection law — see our DPDP compliance guide for what applies to your business.
Closing thought
BEC will keep working as long as "reply to confirm" is treated as verification. The fix isn't exotic: authenticate your domain's email so that receivers reject mail spoofing it, and make every payment-detail change go through a channel the attacker cannot also control. Dhisattva AI Pvt Ltd built this scanning capability to catch the technical half of that gap — the financial-controls half is a policy decision your team can make today, for free, before the next invoice lands.
For more guides on practical security controls for Indian businesses, visit the Bachao.AI blog.