Ask someone to picture a cyberattack and you'll get the movie version: a darkened room, lines of green code, a countdown timer on a ransom screen. It's dramatic, it's cinematic, and it's mostly not where the money goes.
The attack that actually drains the most cash out of businesses looks nothing like that. It looks like a perfectly normal email from a supplier you've worked with for years, letting you know their bank details have changed and asking you to use the new account for this month's invoice. Polite. Routine. Easy to action between two meetings.
And that's exactly why it works.
The $2.77B Reality of Business Email Compromise
In 2024, losses reported to the FBI's Internet Crime Complaint Center hit $16.6 billion, up 33% in a single year. Phishing was the most reported crime of all, with more than 193,000 complaints.
But here's the part that surprises people: the single biggest category of business losses wasn't ransomware. It was business email compromise (BEC for short) at $2.77 billion in a single year. That's more than ransomware and ordinary phishing scams combined. And in a 2025 industry survey, 63% of organizations said they'd faced a BEC attempt in the previous year.
No malware. No exotic exploit. Just a convincing message and someone busy enough to take it at face value.
How Business Email Compromise Actually Works
BEC comes in a few familiar shapes, and none of them require the attacker to be a genius:
- The vendor swap. Someone impersonates a supplier and asks you to update their banking details. The next legitimate invoice gets paid straight into the attacker's account.
- The CEO ask. A message that looks like it's from the boss lands during a busy stretch: "Can you push this payment through today? I'm in meetings, handle it quietly." Urgency plus authority is a powerful combination.
- The hijacked inbox. An employee clicks one phishing link, the attacker quietly logs into the real email account, and then waits. They read the threads, learn the tone, and step into a genuine conversation at the perfect moment. Nothing looks off, because it isn't coming from a fake. It's coming from a real account.
That last one is the dangerous part. Once an inbox is compromised, the attacker often sets up quiet forwarding rules and waits for a real payment conversation to hijack. There's nothing to "catch" because the email is genuinely from your contact.
Stopping BEC: What Works for SMBs
The reassuring news is that the defenses here are cheap, practical, and well within reach of any small team. No enterprise budget required.
Verify money moves out of band
Any request to change bank details or send an unexpected payment gets confirmed through a second channel: a phone call to a number you already had, not the one in the email. This one habit alone stops the majority of BEC losses. Make it a rule, not a judgment call.
Lock down the inbox
Multi-factor authentication on every email account, full stop. Then check periodically for forwarding rules nobody set up. They're a classic sign an account has already been compromised and is quietly leaking copies of everything.
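One way to do the forwarding-rule check described above, as an added example that is not from the original post: a small Python audit over inbox rules exported from the mail platform. The export format, the field names, the internal domain and the sample rules are all assumptions constructed for this example. It flags enabled rules that forward or redirect outside your own domains, delete messages, or shunt mail into folders the owner rarely opens, and notes when such a rule also keys on payment-related subject lines, which is the pattern a hijacked finance inbox tends to show.

```python
"""
Audit exported inbox rules for signs of a compromised mailbox.

Assumptions (this example's own, not the post's): rules have been exported
from the mail platform into a list of dicts with the keys "mailbox", "name",
"enabled", "forward_to", "redirect_to", "delete_message", "move_to_folder"
and "subject_contains". The sample data below is constructed.
"""

from dataclasses import dataclass, field

# Assumed: the organisation's own mail domain(s)
INTERNAL_DOMAINS = {"example-corp.com"}
# Folders that an owner rarely opens, so a rule routing mail there hides it
HIDING_FOLDERS = {"rss subscriptions", "deleted items", "junk email",
                  "archive", "conversation history"}
# Subject words that suggest a rule is aimed at payment traffic
MONEY_WORDS = {"invoice", "payment", "wire", "bank", "remittance", "ach"}


@dataclass
class Finding:
    mailbox: str
    rule: str
    reasons: list[str] = field(default_factory=list)


def _external(addresses):
    """Return the addresses whose domain is not one of ours."""
    return [a for a in addresses
            if a.split("@")[-1].lower() not in INTERNAL_DOMAINS]


def audit_rule(rule):
    """Return a list of reasons this rule looks suspicious (empty if it does not)."""
    reasons = []
    if not rule.get("enabled", True):
        return reasons  # disabled rules do nothing; report them separately if desired
    ext = _external(rule.get("forward_to", []) + rule.get("redirect_to", []))
    if ext:
        reasons.append("forwards/redirects to external address(es): " + ", ".join(ext))
    if rule.get("delete_message"):
        reasons.append("deletes the message (owner never sees it)")
    folder = (rule.get("move_to_folder") or "").lower()
    if folder in HIDING_FOLDERS:
        reasons.append(f"moves mail into '{rule['move_to_folder']}'")
    subject = (rule.get("subject_contains") or "").lower()
    hits = sorted(w for w in MONEY_WORDS if w in subject)
    # A payment keyword alone is normal for an AP inbox; it matters when the
    # rule also hides or exfiltrates the matching mail.
    if hits and reasons:
        reasons.append(f"filters payment-related subjects: {hits}")
    return reasons


def audit_rules(rules):
    """Audit every exported rule and return the findings in export order."""
    findings = []
    for r in rules:
        reasons = audit_rule(r)
        if reasons:
            findings.append(Finding(r["mailbox"], r["name"], reasons))
    return findings


# Constructed sample export: one benign rule, one blatant, one subtle, one disabled
SAMPLE_RULES = [
    {"mailbox": "ap@example-corp.com", "name": "Vendor invoices", "enabled": True,
     "move_to_folder": "Invoices", "subject_contains": "invoice"},
    {"mailbox": "ap@example-corp.com", "name": ".", "enabled": True,
     "forward_to": ["ap.backup@mail-example.net"], "delete_message": True,
     "subject_contains": "payment"},
    {"mailbox": "cfo@example-corp.com", "name": "Reading", "enabled": True,
     "move_to_folder": "RSS Subscriptions", "subject_contains": "wire"},
    {"mailbox": "cfo@example-corp.com", "name": "old", "enabled": False,
     "forward_to": ["x@mail-example.net"]},
]

if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"{f.mailbox} rule '{f.rule}':")
        for reason in f.reasons:
            print("  -", reason)
```

Run it on a schedule against a fresh export and treat any finding on a finance or executive mailbox as an incident until the owner confirms they created the rule themselves; the benign "Vendor invoices" rule shows why a payment keyword on its own is not enough to flag.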
Make slowing down acceptable
These attacks run on urgency. "Do it now, do it quietly" is the whole play. If your team knows that pausing to double-check a payment is encouraged (not seen as being difficult or slow), you've removed the attacker's best weapon.
The Bottom Line on BEC
It's tempting to spend your attention on the scary, headline-grabbing threats. But the attacks quietly winning right now aren't sophisticated; they're just convincing, and aimed at the moment you're too busy to look twice.
The good news is the same: you don't beat them with expensive tools. You beat them with a couple of simple habits, applied consistently, before the email that matters ever lands.
Not sure how exposed your team is to this kind of attack?
Book a 15-minute security check
No sales pitch, no strings. Just a straight look at your risk profile and the one thing worth fixing first.