Business Email Compromise (BEC) Works Because It Looks Like Work
Keegan Henckel-Miller
Reading time: 6 minutes
If a request fits your workflow, you don’t stop to question it. You act. That’s the condition the best business email compromise (BEC) attacks are built for. It doesn’t require chaos or recklessness.
A revised invoice arrives late in the day. The sender is a vendor the company has worked with for years. You’ve seen these emails more times than you can count. It looks right. The request references an active project and asks for an updated payment destination before an upcoming deadline.
So you move it forward.
That is the moment the attack succeeds. Everything that came before—the research, the profiling, the carefully crafted message—was designed to do one thing: get a legitimate person to take a legitimate action on the attacker’s behalf.
Sometimes that means a fraudulent wire transfer. Sometimes it means exposing credentials, vendor data, tax documents, or internal financial information that attackers can continue exploiting long after the initial request succeeds.
Afterward, it gets treated like an obvious mistake. Someone should have caught it. Someone should have slowed down. But hindsight, as they say, is 20/20.
The cost of BEC
BEC is one of the most costly forms of cybercrime. In 2024 alone, the FBI’s Internet Crime Complaint Center (IC3) recorded more than $2.7 billion in reported losses tied to Business Email Compromise attacks, and more than $55 billion in global exposed losses between October 2013 and December 2023.
How business email compromise actually works
BEC is often framed as an email problem, but the email itself is usually the least sophisticated part of the attack. Before a message is ever sent, attackers gather organizational context:
- vendor relationships
- approval flows
- financial processes
- reporting structures
- communication patterns
They know who handles payments and who approves them, how requests are usually phrased, and when they tend to show up. Most of that doesn’t come from inside the network at all. It comes from exposed context: LinkedIn posts, vendor relationships, org charts, old breach data, executive bios, data broker profiles. The kind of information organizations leak constantly without thinking twice about it.
Proofpoint’s 2024 State of the Phish report found that attackers increasingly rely on highly personalized pretexting and legitimate business context rather than broad, generic phishing campaigns. Mandiant reporting has similarly documented the growing use of impersonation, account compromise, and business workflow familiarity in financially motivated intrusion activity.
In many cases, the attacker is not inventing the workflow from scratch. They are stepping into an existing one. A compromised vendor account might reply directly inside a legitimate invoice thread. A copycat domain might replace a single character in a supplier’s email address. Payment instructions arrive in the same format employees see every day, using cloned signatures, familiar branding, and real project references pulled from previous communications.
The real target of BEC attacks
In most cases, the person receiving that message is not the weakest link. They are the point in the workflow where hesitation is least likely.
And increasingly, they are not “VIPs” in the traditional sense either.
The target is often the person closest to the workflow, not the person highest on the org chart. The people responsible for moving money or approving requests quickly are frequently:
- executive assistants
- finance teams
- payroll administrators
- procurement staff
- HR personnel
- employees
Where traditional defenses break down
This is where most defensive guidance starts to break down.
Security training still tends to focus on identifying red flags like unexpected requests, strange formatting, and unusual language.
Those signals are becoming less reliable.
A few years ago, obvious grammatical errors and awkward phrasing were still reliable warning signs in many phishing attempts. That is changing quickly. AI-assisted tools now make it easier to generate polished, context-aware impersonation at scale.
The old signals people were trained to look for are disappearing.
Verizon’s 2025 Data Breach Investigations Report found that human involvement was present in roughly 60% of breaches. The same report found that AI-assisted malicious emails roughly doubled over two years, from about 5% to 10%.
So the burden shifts to the individual. Slow down. Verify. Double-check everything.
The reality of how people work
People don’t process email like security analysts. They process it in the middle of their work.
They have deadlines. They have expectations around responsiveness. They manage high volumes of communication. They are rewarded for moving quickly and keeping things moving.
Most employees are making trust decisions in seconds, not minutes, particularly when handling familiar workflows under deadline pressure. BEC attacks are designed to exploit momentum, urgency, and routine rather than technical vulnerabilities alone.
How BEC uses your own processes against you
Business email compromise works because it uses the organization’s own processes against it.
Approval chains, communication patterns, and trust relationships become the mechanism for the attack. In many successful cases, attackers never need malware or direct system compromise at all. The business process itself becomes the attack surface.
The more predictable those systems are, the easier they are to map and replicate.
And once an attacker can replicate them, they don’t need to break anything. They just need to step into the flow.
Why prevention matters upstream
Most defenses are still built around containment. Filters, alerts, training prompts, and verification steps still matter, but they focus on the moment the request appears.
By that stage, the attacker may already understand the organization’s vendors, reporting structure, payment cadence, and internal terminology well enough to blend into routine operations.
A more durable way to think about BEC is to focus on what made the request believable in the first place. The amount of organizational context available publicly often determines how convincing the attack can become.
The solution is not awareness alone
Reducing publicly exposed personal and organizational information changes the economics of the attack. When attackers have less visibility into workflows, reporting structures, vendor relationships, and employee roles, convincing impersonation becomes significantly harder to execute.
Most attackers are optimizing for efficiency, not sophistication. When believable impersonation becomes harder, many simply move on to easier targets.
To learn how DeleteMe helps enterprise security teams continuously manage exposed personal data across executives, employees, and high-risk personnel, schedule a conversation with our team.
- Employees, Executives, and Board Members complete a quick signup
- DeleteMe scans for exposed personal information
Opt-out and removal requests begin - Initial privacy report shared and ongoing reporting initiated
- DeleteMe provides continuous privacy protection and service all year
DeleteMe is built for organizations that want to decrease their risk from vulnerabilities ranging from executive threats to cybersecurity risks.
news?
Is employee personal data creating risk for your business?



