Anatomy of the scam
Business email compromise (BEC) is the FBI's #1 cybercrime by dollar losses — over $2.9 billion in reported US losses annually. An attacker either compromises a real corporate email account or convincingly spoofs one, then impersonates an executive, vendor, payroll contact, or attorney to direct a wire transfer, change vendor payment details, or extract sensitive HR data.
The classic variant: a "CEO" emails the controller during the CEO's business trip asking for an urgent wire to a new vendor for a confidential acquisition. The controller, eager to be helpful and trusting an executive's email, processes the wire. The wire goes to a money-mule account; the funds are gone within hours.
Common variants
- CEO fraud. Executive impersonation requesting urgent wire.
- Vendor / supplier fraud. A real vendor's email is hijacked; an invoice arrives with "updated banking instructions." The next monthly payment goes to the attacker.
- Attorney impersonation. "I'm representing the CEO on a confidential deal — wire to escrow."
- Payroll redirect. Employee impersonation requesting HR change their direct-deposit account.
- W-2 / data theft. "CEO" asks HR for all employee W-2s — used for tax-refund fraud.
- Real-estate wire fraud. An email account involved in a real-estate closing is compromised and "updated wire instructions" are sent to buyers right before closing. Often six-figure losses.
- Investor / capital-call fraud. Targets VCs and family offices with "capital call" wires.
Red flags
- Email comes from a slightly-off domain — "company.co" instead of "company.com," or "ceo.firstname@gmail.com."
- Urgency framing — "I need this done today, I'm in a meeting and can't talk."
- Confidentiality framing — "don't mention this to anyone, it's a sensitive acquisition."
- Request to skip normal verification or approval steps.
- Vendor bank-detail change communicated only by email.
- "Updated wire instructions" sent late in a real-estate or M&A transaction.
- The Reply-To header points to a different address than the From address, so replies go somewhere other than the apparent sender.
- The first attachment is a PDF "invoice" matching the supplier's branding but with new bank details.
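Several of these red flags can be checked mechanically before a message reaches a finance inbox. The following Python is an added example, not part of the original guide; the known-domain list, free-mail list, keyword patterns and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical organisation data, constructed for this example.
KNOWN_DOMAINS = {"company.com", "acme-supplies.com"}
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com"}
# Keyword patterns mirroring the urgency / confidentiality / payment red flags.
URGENCY = re.compile(r"\b(today|urgent|asap|can'?t talk|in a meeting)\b", re.I)
SECRECY = re.compile(r"\b(confidential|don'?t (?:mention|tell)|keep this between)\b", re.I)
BANKING = re.compile(r"\b(wire|bank(?:ing)? (?:details|instructions)|account number|routing)\b", re.I)

def edit_distance(a, b):
    """Levenshtein distance; used to catch company.co / cornpany.com lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(domain):
    """True if the sender domain is close to, but not exactly, a known domain."""
    if domain in KNOWN_DOMAINS:
        return False
    return any(edit_distance(domain, k) <= 2 for k in KNOWN_DOMAINS)

def bec_flags(raw):
    """Return the list of red flags found in a raw RFC 822 message (single-part)."""
    msg = message_from_string(raw)
    _, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_dom = sender.rpartition("@")[2].lower()
    flags = []
    if lookalike(from_dom):
        flags.append("lookalike-domain")
    if from_dom in FREEMAIL:
        flags.append("freemail-sender")   # e.g. ceo.firstname@gmail.com
    if reply_to and reply_to.lower() != sender.lower():
        flags.append("reply-to-mismatch")
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    for name, rx in (("urgency", URGENCY), ("secrecy", SECRECY), ("banking", BANKING)):
        if rx.search(text):
            flags.append(name)
    return flags

# Constructed sample message exercising the CEO-fraud pattern.
SAMPLE = """From: CEO <ceo@cornpany.com>
Reply-To: ceo.firstname@gmail.com
To: controller@company.com
Subject: Urgent wire - confidential

I'm in a meeting and can't talk. Please wire $48,000 today to the new
vendor for the acquisition. Don't mention this to anyone.
"""
```

A message that trips the lookalike or Reply-To checks is a candidate for quarantine or a banner; the keyword hits alone are weaker and are better used to prioritise review.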
How to verify safely
- Pick up the phone. Call the executive or vendor on a known number — not one in the email. Confirm the request voice-to-voice.
- Use a known-good verification channel. A Slack DM to the executive, a calendar pop-in, a face-to-face check. Any channel other than the email thread that initiated the request.
- Implement dual-control on wires. Any wire above a threshold requires two approvers and a callback to the recipient's known phone number.
- Lock down vendor-master changes. Bank-detail changes require a phone callback to a previously known vendor contact, never the email thread itself.
- For real-estate closings: call the title company on their published number. Confirm wire instructions in person before sending.
- Train staff to recognize the BEC patterns. The FBI offers free training materials.
If the wire went out
- Call your bank immediately and request a SWIFT recall / hold-harmless letter. Time is critical — wires can sometimes be recalled within hours if you act fast.
- File an IC3 report immediately at ic3.gov. IC3 operates the Recovery Asset Team (RAT), which can place a financial freeze on the receiving account if reported within 72 hours. RAT has recovered billions.
- Notify the FBI (local field office) and your local police.
- Notify your bank's fraud department and ask about your treasury controls.
- Engage incident response. Treat the originating mailbox as compromised; lock it down, review forwarding rules, look for mailbox rules that hide responses.
- Engage your cyber-insurance carrier early. Policies typically require prompt notification.
What not to do
- Do not trust the email thread as verification — that's the channel the attacker controls.
- Do not "reply to confirm" with the email — the attacker reads replies and pivots.
- Do not wait to report. The recovery window is hours, not days.
- Do not assume a mobile-phone reply from the executive (if you get one) is real if the number first appeared in the email signature.
Where to report
- FTC: reportfraud.ftc.gov — the broadest US fraud intake; reports flow to thousands of law-enforcement agencies.
- FBI IC3: ic3.gov — the right destination when the scam is internet-enabled (phishing, BEC, romance, crypto).
- CFPB: consumerfinance.gov/complaint — for complaints about banks, money transmitters, payment apps, credit cards, debt collection.
- IdentityTheft.gov — if any identity information (SSN, driver's license, account credentials) was shared.
- Your bank or payment platform. Call the number on the back of your card or use the app's in-product help. Time matters — wires can sometimes be recalled within hours; ACH and Zelle are harder but worth trying.
FAQ
The email is genuinely from our CEO's mailbox. How is that possible? Mailbox compromise — usually via phished credentials or token-replay. The attacker may have been quietly reading the executive's mailbox for weeks, learning the company's vendor relationships and writing style, before sending the fraudulent message.
Can we recover the funds? Often yes, if you report fast. IC3's Recovery Asset Team has a documented track record of freezing receiving accounts within hours. Beyond 24–48 hours the funds typically move through layered accounts and become hard to trace.
What about insurance? Most cyber-insurance policies cover BEC, often called "social engineering coverage" or "funds transfer fraud." The coverage limits vary widely. Check your policy and ensure the limit is adequate.
Are deepfake voice / video calls a real risk? Yes — see the deepfake CEO entry. Voice-cloning calls have been used in BEC since 2019; video-call deepfakes in 2024+. Procedure-based verification (callback to a known number, in-person confirmation) defeats them.