Skip to main content

Business Email Compromise (BEC) Works Because It Looks Like Work

Business Email Compromise (BEC) Works Because It Looks Like Work

Keegan Henckel-Miller

July 9, 2026

Reading time: 6 minutes

Cybercriminal puppeteering executive through business email compromise

If a request fits your workflow, you don’t stop to question it. You act. That’s the condition the best business email compromise (BEC) attacks are built for. It doesn’t require chaos or recklessness.

A revised invoice arrives late in the day. The sender is a vendor the company has worked with for years. You’ve seen these emails more times than you can count. It looks right. The request references an active project and asks for an updated payment destination before an upcoming deadline.

So you move it forward.

That is the moment the attack succeeds. Everything that came before—the research, the profiling, the carefully crafted message—was designed to do one thing: get a legitimate person to take a legitimate action on the attacker’s behalf.

Sometimes that means a fraudulent wire transfer. Sometimes it means exposing credentials, vendor data, tax documents, or internal financial information that attackers can continue exploiting long after the initial request succeeds.

Afterward, it gets treated like an obvious mistake. Someone should have caught it. Someone should have slowed down. But hindsight, as they say, is 20/20.

The cost of BEC

BEC is one of the most costly forms of cybercrime. In 2024 alone, the FBI’s Internet Crime Complaint Center (IC3) recorded more than $2.7 billion in reported losses tied to Business Email Compromise attacks, and more than $55 billion in global exposed losses between October 2013 and December 2023.

How business email compromise actually works

BEC is often framed as an email problem, but the email itself is usually the least sophisticated part of the attack. Before a message is ever sent, attackers gather organizational context: 

  • vendor relationships
  • approval flows
  • financial processes
  • reporting structures
  • communication patterns

They know who handles payments and who approves them, how requests are usually phrased, and when they tend to show up. Most of that doesn’t come from inside the network at all. It comes from exposed context: LinkedIn posts, vendor relationships, org charts, old breach data, executive bios, data broker profiles. The kind of information organizations leak constantly without thinking twice about it.

Proofpoint’s 2024 State of the Phish report found that attackers increasingly rely on highly personalized pretexting and legitimate business context rather than broad, generic phishing campaigns. Mandiant reporting has similarly documented the growing use of impersonation, account compromise, and business workflow familiarity in financially motivated intrusion activity.

In many cases, the attacker is not inventing the workflow from scratch. They are stepping into an existing one. A compromised vendor account might reply directly inside a legitimate invoice thread. A copycat domain might replace a single character in a supplier’s email address. Payment instructions arrive in the same format employees see every day, using cloned signatures, familiar branding, and real project references pulled from previous communications.

The real target of BEC attacks

In most cases, the person receiving that message is not the weakest link. They are the point in the workflow where hesitation is least likely.

And increasingly, they are not “VIPs” in the traditional sense either.

The target is often the person closest to the workflow, not the person highest on the org chart. The people responsible for moving money or approving requests quickly are frequently:

  • executive assistants
  • finance teams
  • payroll administrators
  • procurement staff
  • HR personnel
  • employees

Where traditional defenses break down

This is where most defensive guidance starts to break down.

Security training still tends to focus on identifying red flags like unexpected requests, strange formatting, and unusual language.

Those signals are becoming less reliable.

A few years ago, obvious grammatical errors and awkward phrasing were still reliable warning signs in many phishing attempts. That is changing quickly. AI-assisted tools now make it easier to generate polished, context-aware impersonation at scale.

The old signals people were trained to look for are disappearing.

Verizon’s 2025 Data Breach Investigations Report found that human involvement was present in roughly 60% of breaches. The same report found that AI-assisted malicious emails roughly doubled over two years, from about 5% to 10%.

So the burden shifts to the individual. Slow down. Verify. Double-check everything.

The reality of how people work

People don’t process email like security analysts. They process it in the middle of their work.

They have deadlines. They have expectations around responsiveness. They manage high volumes of communication. They are rewarded for moving quickly and keeping things moving.

Most employees are making trust decisions in seconds, not minutes, particularly when handling familiar workflows under deadline pressure. BEC attacks are designed to exploit momentum, urgency, and routine rather than technical vulnerabilities alone.

How BEC uses your own processes against you

Business email compromise works because it uses the organization’s own processes against it.

Approval chains, communication patterns, and trust relationships become the mechanism for the attack. In many successful cases, attackers never need malware or direct system compromise at all. The business process itself becomes the attack surface.

The more predictable those systems are, the easier they are to map and replicate.

And once an attacker can replicate them, they don’t need to break anything. They just need to step into the flow.

Why prevention matters upstream

Most defenses are still built around containment. Filters, alerts, training prompts, and verification steps still matter, but they focus on the moment the request appears. 

By that stage, the attacker may already understand the organization’s vendors, reporting structure, payment cadence, and internal terminology well enough to blend into routine operations.

A more durable way to think about BEC is to focus on what made the request believable in the first place. The amount of organizational context available publicly often determines how convincing the attack can become.

The solution is not awareness alone

Reducing publicly exposed personal and organizational information changes the economics of the attack. When attackers have less visibility into workflows, reporting structures, vendor relationships, and employee roles, convincing impersonation becomes significantly harder to execute.

Most attackers are optimizing for efficiency, not sophistication. When believable impersonation becomes harder, many simply move on to easier targets.

To learn how DeleteMe helps enterprise security teams continuously manage exposed personal data across executives, employees, and high-risk personnel, schedule a conversation with our team.

SHARE THIS ARTICLE
How does DeleteMe privacy protection work?
  1. Employees, Executives, and Board Members complete a quick signup
  2. DeleteMe scans for exposed personal information
    Opt-out and removal requests begin
  3. Initial privacy report shared and ongoing reporting initiated
  4. DeleteMe provides continuous privacy protection and service all year
Your employees’ personal data is on the web for the taking.

DeleteMe is built for organizations that want to decrease their risk from vulnerabilities ranging from executive threats to cybersecurity risks.

Want more privacy
news?
Join Incognito, our monthly newsletter from DeleteMe that keeps you posted on all things privacy and security.
Icon - bolt concept

Is employee personal data creating risk for your business?

DeleteMe provides business solutions for the enterprise, public orgs and public interest groups.

Is employee personal data creating risk for your business?

DeleteMe provides business solutions for the enterprise, public orgs and public interest groups.

Related Posts

10 Ways to Reboot Your Privacy at Work

When personal data is out there on the open web it can lead to privacy and security incidents at work that open you—and your company—up to risk. For…
DeleteMe
October 3, 2022

2022 Cybersecurity Excellence Award: Our Journey & Future

We are excited to announce that DeleteMe was recognized (twice!) with 2022 Cybersecurity Excellence Awards, an annual competition honoring indiv…
DeleteMe
February 10, 2022

The Time is Now to Limit Russian Hacker Access to Publicly Available PII

Although the launch of ContiLeaks and the information revealed there didn’t slow the Russian Hacker gang down, it did provide everyone here at…
Will Simonds
March 10, 2022