7 Business Email Compromise Scams Every Small Business Should Recognize
Business Email Compromise, often called BEC, is one of the most dangerous cyber threats facing small and mid-sized businesses today.
Unlike traditional phishing emails that may contain obvious spelling mistakes, suspicious attachments, or fake login pages, Business Email Compromise attacks often look like normal business communication. The message may appear to come from your CEO, a trusted vendor, an attorney, a client, a construction project manager, or even a real employee account that has already been compromised.
That is what makes BEC so effective.
The attacker is not always trying to hack your systems with malware. In many cases, the goal is much simpler: convince someone inside your business to send money, change payment instructions, share confidential information, or approve a request that appears legitimate.
For businesses in South Florida and Middle Tennessee, these attacks can affect nearly every industry, including law firms, CPA firms, construction companies, manufacturers, dental offices, nonprofits, hospitality businesses, architecture firms, and small businesses with lean administrative teams.
The good news is that many Business Email Compromise attacks can be prevented when employees know what to look for and businesses put the right cybersecurity controls in place.
This guide explains seven common BEC scams every small business should recognize, the warning signs to watch for, and practical steps that can reduce your risk.
Business Email Compromise Is Harder to Spot Than Traditional Phishing
Most people have been trained to look for obvious phishing signs: misspelled words, strange links, suspicious attachments, or emails from unknown senders.
Business Email Compromise is different.
- A BEC email may not contain a link.
- It may not include an attachment.
- It may not trigger antivirus software.
- It may come from a real email account.
Instead of relying on malware, Business Email Compromise relies on trust, urgency, timing, and human behavior.
Attackers may research your organization before sending the message. They may look at your website, LinkedIn profiles, employee titles, vendor relationships, public projects, or social media activity. Then they craft an email that feels believable because it fits the way your business already operates.
- A finance employee may receive a vendor payment change request.
- A payroll employee may receive a direct deposit update.
- A project coordinator may receive an invoice from what looks like a subcontractor.
- An office manager may receive a message from what appears to be the company owner.
Because the message looks normal, employees may act before verifying.
That is the danger.
Click to learn more about Business Email Compromise Prevention
What Is Business Email Compromise?
Business Email Compromise is a targeted cyberattack where criminals impersonate a trusted person or organization to trick employees into taking an action that benefits the attacker.
That action may include:
- Sending a wire transfer
- Updating vendor banking information
- Changing payroll direct deposit details
- Paying a fake invoice
- Sharing confidential business information
- Sending employee tax records
- Providing login credentials
- Approving a fraudulent purchase
BEC attacks often target people with access to money, payments, sensitive information, or administrative authority.
That may include:
- Business owners
- CFOs and controllers
- Accounting teams
- Payroll staff
- HR managers
- Office managers
- Executive assistants
- Project managers
- Legal staff
- Operations leaders
Small and mid-sized businesses are frequent targets because employees often wear multiple hats. The same person may manage invoices, vendor relationships, payroll, and approvals. That makes a well-timed fraudulent request easier to miss.
7 Business Email Compromise Scams
1. Fake Vendor Banking Change Requests
One of the most common Business Email Compromise scams is the fake vendor banking change request.
In this scam, an attacker impersonates a trusted vendor and sends an email saying their banking information has changed. The message may look routine and professional.
It may say something like:
“Our ACH details have been updated. Please use the attached banking information for all future payments.”
Or:
“Please update our payment instructions before the next invoice is processed.”
If the accounting team updates the vendor record without verifying the change through a trusted channel, future payments may go directly to the attacker.
How This Scam Works
Attackers may use a look-alike domain that is nearly identical to the vendor’s real domain: one letter changed, added, or removed, a digit 1 standing in for a lowercase l, or the letter pair “rn” standing in for “m”. On a phone screen, where the address is usually hidden behind the display name, the difference is easy to miss.
In more advanced cases, the attacker may compromise a real vendor email account and send the banking change request from the actual mailbox. This is much harder to detect because the request appears to come from the right person.
Some attackers also monitor real email conversations and wait until a payment is expected. Then they insert updated payment instructions at exactly the right time.
Why Accounting Teams Are Often Targeted
Accounting teams are a prime target because they regularly process invoices and payment changes.
Attackers know that vendor banking changes happen in real business. They also know that busy accounting teams may rely heavily on email, especially when working with multiple vendors, projects, or locations.
Businesses in construction, manufacturing, hospitality, law, accounting, and professional services should be especially cautious because they often process recurring vendor payments and project-related invoices.
Warning Signs to Watch For
Treat these as stop signs:
- New banking instructions sent only by email
- Urgent requests to update payment details
- Slight changes in vendor email domains
- Requests that discourage phone verification
- New payment instructions right before a large payment
- Vendor contacts who suddenly change tone or writing style
How to Reduce the Risk
Businesses should never update vendor banking information based only on an email.
Use a known phone number already on file, not the phone number included in the email. Confirm the change verbally with an authorized contact.
It is also helpful to require dual approval for vendor banking changes, especially for vendors that receive large or recurring payments.
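The two controls above (verify by calling the number already on file, and require a second approver) are easy to state and easy to skip under pressure. The following Python is an added example, not code from the original article, showing what it looks like to make them a hard check in an accounts-payable workflow rather than a reminder: a banking change is rejected unless the callback went to the phone number captured at onboarding, the person who made the call is not the person who keyed the change, and two other people approved it once the exposed spend crosses a threshold. The record layout, the field names and the 10,000 threshold are assumptions; the records in the usage section are constructed.

```python
"""Policy check for vendor banking changes: out-of-band callback plus dual approval.

Added example, not from the original article. The record fields and the
DUAL_APPROVAL_THRESHOLD are assumptions; the sample records are constructed.
"""
from dataclasses import dataclass

DUAL_APPROVAL_THRESHOLD = 10_000.0   # assumed policy value, in dollars


@dataclass
class VendorRecord:
    name: str
    phone_on_file: str      # captured at onboarding, never taken from a later email


@dataclass
class BankChangeRequest:
    vendor: str
    new_account: str
    phone_in_email: str     # whatever number the request itself offers
    annual_spend: float     # payments exposed if the record is wrong
    requested_by: str       # AP user who keyed the change


@dataclass
class Callback:
    called_by: str
    number_dialled: str
    confirmed: bool


def bank_change_violations(req, vendor, callback, approvers) -> list[str]:
    """Return policy violations; the change may be applied only when the list is empty."""
    problems = []
    if not callback.confirmed:
        problems.append("vendor did not verbally confirm the change")
    if callback.number_dialled != vendor.phone_on_file:
        # The classic failure: the clerk calls the number printed in the email.
        hint = " (it is the number supplied in the email)" if callback.number_dialled == req.phone_in_email else ""
        problems.append("callback did not use the phone number on file" + hint)
    if callback.called_by == req.requested_by:
        problems.append("requester verified their own change")
    others = set(approvers) - {req.requested_by}   # the requester never counts as an approver
    if req.annual_spend >= DUAL_APPROVAL_THRESHOLD and len(others) < 2:
        problems.append("dual approval by two people other than the requester is required")
    return problems


if __name__ == "__main__":   # constructed sample
    vendor = VendorRecord("Acme Supply", "+1-305-555-0100")
    req = BankChangeRequest("Acme Supply", "999888777", "+1-305-555-0199", 25000.0, "clerk1")
    rushed = Callback(called_by="clerk1", number_dialled="+1-305-555-0199", confirmed=True)
    print(bank_change_violations(req, vendor, rushed, ["clerk1"]))
```

The point of returning every violation rather than stopping at the first is that the rejection message doubles as the training moment for the clerk: it names exactly which step of the procedure was skipped.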
2. Executive Wire Transfer Requests
Executive impersonation is another common Business Email Compromise scam.
In this attack, a criminal pretends to be the business owner, CEO, president, managing partner, or another senior leader. The email usually asks an employee to send money quickly.
It may say:
“I need you to process a wire today.”
Or:
“I’m in a meeting and can’t talk. Please handle this immediately.”
Or:
“This is confidential. Do not discuss it with anyone yet.”
The attacker uses authority and urgency to pressure the employee into acting before verifying.
How Attackers Impersonate Executives
Attackers may spoof an executive’s email address, use a look-alike domain, or compromise a real account. The cheapest version needs none of that: a free webmail account with the executive’s name set as the display name. Many mail clients, especially on phones, show only the display name, so the message looks like it came from the owner until someone opens the actual address.
They may also study the executive’s communication style. If the owner commonly sends short, direct emails, the fake message may be written the same way.
The more normal the email feels, the more dangerous it becomes.
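The three header tricks described so far, a look-alike vendor domain (scam 1), an executive’s name on an outside address (this scam), and a Reply-To that points somewhere other than the sender (listed later under fake invoices), can all be checked mechanically before a human ever reads the body. The following Python is an added example, not code from the original article, that does exactly that over a message’s From and Reply-To headers: it folds visually confusable characters and measures edit distance against an allowlist of known domains, compares the display name against a table of executives, and flags a Reply-To domain that differs from the From domain. The allowlists (KNOWN_VENDOR_DOMAINS, INTERNAL_DOMAINS, EXECUTIVES) and the sample headers are constructed for illustration.

```python
"""Header triage: look-alike domains, display-name spoofing, Reply-To mismatch.

Added example, not code from the original article. The allowlists and the
sample headers in the usage section are constructed for illustration.
"""
from email.utils import parseaddr

KNOWN_VENDOR_DOMAINS = {"acme-supply.com", "northstar-title.com"}   # assumed
INTERNAL_DOMAINS = {"example-firm.com"}                              # assumed
EXECUTIVES = {"jane doe": "jane.doe@example-firm.com"}               # assumed

# Character swaps that read the same at a glance in most fonts.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e"}


def fold(domain: str) -> str:
    """Collapse confusable spellings so 'acrne-supply' compares equal to 'acme-supply'."""
    d = domain.lower().strip()
    for bad, good in CONFUSABLES.items():
        d = d.replace(bad, good)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a domain within a couple of edits of a known one is a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_header(value):
    """Return (display name, lowercased address, domain) from a From/Reply-To value."""
    name, addr = parseaddr(value or "")
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name, addr.lower(), domain


def triage(headers: dict) -> list[str]:
    """Return human-readable findings; an empty list means nothing stood out."""
    findings = []
    name, addr, sender = split_header(headers.get("From"))
    _, _, reply_to = split_header(headers.get("Reply-To"))
    trusted = KNOWN_VENDOR_DOMAINS | INTERNAL_DOMAINS

    # 1. Domain is not on the allowlist but is nearly identical to something that is.
    if sender and sender not in trusted:
        for known in trusted:
            if fold(sender) == fold(known) or edit_distance(sender, known) <= 2:
                findings.append(f"look-alike domain: {sender} resembles {known}")
                break

    # 2. Display name belongs to an executive but the address is not theirs.
    expected = EXECUTIVES.get(" ".join(name.lower().split()))
    if expected and addr != expected:
        findings.append(f"display name '{name}' belongs to {expected}, but address is {addr}")

    # 3. Replies are silently routed to a different domain than the one shown.
    if reply_to and reply_to != sender:
        findings.append(f"Reply-To goes to {reply_to}, not the From domain {sender}")
    return findings


if __name__ == "__main__":   # constructed sample headers
    for h in (
        {"From": "Acme AP <billing@acrne-supply.com>"},
        {"From": "Jane Doe <jane.doe.ceo@gmail.example>"},
        {"From": "Acme AP <billing@acme-supply.com>", "Reply-To": "billing@ap-updates.example"},
    ):
        print(h["From"], "->", triage(h) or ["no findings"])
```

A check like this belongs in the mail gateway or in a transport rule that tags the message, not in the user’s head; the user’s job is to notice the tag and pick up the phone.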
Why Urgency Makes These Emails Effective
Urgency is one of the most powerful tools in social engineering.
When employees believe the request is coming from leadership, they may feel pressure to respond quickly. They may also hesitate to question the request because they do not want to appear difficult or slow.
Attackers take advantage of that hesitation.
Warning Signs to Watch For
Be cautious when an email includes:
- “I’m in a meeting and can’t talk”
- “This needs to be handled immediately”
- “Keep this confidential”
- “Do not call me”
- “Use this new account”
- “I need this done before end of day”
- An unusual payment amount or destination
How to Reduce the Risk
Every business should have a written payment approval process that cannot be bypassed by email.
Wire transfers and large payments should require verification through a trusted phone number, internal approval workflow, or a documented process that employees understand.
Employees should also be trained to recognize that questioning a suspicious payment request is not being difficult. It is protecting the business.
Click to learn more about our Security Assessment & Training
3. Payroll Direct Deposit Scams
Payroll diversion scams target employees responsible for payroll or HR.
In this scam, an attacker impersonates an employee and asks payroll to update direct deposit information. The request may appear simple and routine.
It may say:
“Can you update my direct deposit before the next payroll?”
Or:
“I changed banks. Please use the attached information going forward.”
If payroll updates the account without verification, the employee’s paycheck may be sent to the attacker.
How Payroll Diversion Works
Attackers may use personal email accounts, look-alike domains, or compromised business accounts.
They often time the request close to payday so payroll staff feel pressure to make the change quickly.
Some attacks target multiple employees at once. Others focus on one employee whose name, title, and email address are easy to find online.
Why HR and Payroll Teams Are Targeted
HR and payroll teams handle sensitive employee information and payment details. That makes them attractive targets.
Payroll scams can also create employee trust issues. Even if the company recovers quickly, the affected employee may be upset, delayed in receiving pay, or concerned about the security of personal information.
Warning Signs to Watch For
Common red flags include:
- A direct deposit change request sent by email only
- A request coming from a personal email address
- An employee saying they are unavailable by phone
- Multiple payroll changes close to payday
- Unusual urgency
- A message that does not sound like the employee
How to Reduce the Risk
Payroll changes should never be completed based only on email.
Require direct verification with the employee through a known phone number, secure HR portal, or approved internal process. Employees should also know that payroll changes may require additional verification for their protection.
For businesses using cloud-based payroll systems, Multi-Factor Authentication should be required for administrative access.
Click to learn more about our Managed IT Services
4. Fake Invoice and Payment Scams
Fake invoice scams are especially dangerous because they often blend into normal business operations.
The invoice may look professional. It may reference a real project, service, vendor, or department. It may even include accurate details stolen from a previous email thread or compromised mailbox.
The goal is to get the business to pay an invoice that appears legitimate but sends money to the attacker.
How Fake Invoice Scams Slip Through
Attackers may create invoices that closely resemble real vendor invoices. They may copy logos, layouts, signatures, and payment instructions.
In some cases, the attacker compromises a vendor or employee mailbox and uses real invoice history to make the request more convincing.
A fake invoice is much harder to catch when it arrives during a busy season, near a project deadline, or when the amount looks consistent with previous payments.
Why These Attacks Often Use Real Vendor Details
Attackers know that accuracy builds trust.
A fake invoice that includes the correct project name, vendor name, purchase order, or prior conversation may appear legitimate enough to approve.
That is why invoice approval should include more than simply checking whether the invoice looks familiar.
Warning Signs to Watch For
Review invoices carefully when you see:
- Slightly different invoice layout
- New payment instructions
- Unexpected balance due
- Unusual sense of urgency
- Payment request from a new contact
- A vendor asking to bypass normal procedures
- Attachments that were not expected
- A reply-to address that differs from the sender address
How to Reduce the Risk
Use a consistent invoice approval process.
Confirm new vendors, payment changes, and unusual invoices through known contact information. Keep vendor records current and limit who can change payment information.
Accounting teams should be encouraged to pause and verify instead of rushing to clear invoices quickly.
Click to learn more about our Backup & Disaster Recovery
5. Microsoft 365 Account Takeover
Microsoft 365 account takeover is one of the most dangerous forms of Business Email Compromise because the attacker uses a real account.
Instead of pretending to be someone, the attacker becomes that person from the recipient’s point of view.
They may log into the mailbox, read conversations, create forwarding rules, delete alerts, and send emails from the legitimate account.
Why Compromised Accounts Are So Dangerous
When an email comes from a real account, employees and vendors are more likely to trust it.
The attacker may also have access to old email threads, invoices, customer conversations, and internal discussions. This allows them to craft messages that feel natural and timely.
For example, an attacker may find an email thread about an upcoming payment and then send updated wiring instructions from the compromised account.
How Attackers Use Real Email Threads
Attackers may sit quietly inside a mailbox for days or weeks.
They may watch for:
- Payment conversations
- Vendor invoices
- Payroll discussions
- Closing documents
- Legal matters
- Project deadlines
- Customer payments
Then they act when the timing is right.
Warning Signs to Watch For
Possible signs of Microsoft 365 compromise include:
- Suspicious sign-ins
- Unusual mailbox forwarding rules
- Employees reporting missing emails
- Messages sent from a real account that feel “off”
- MFA prompts the user did not initiate
- Login alerts from unfamiliar locations
- Email rules that automatically delete or hide messages
How to Reduce the Risk
Businesses should secure Microsoft 365 with layered controls, including MFA, strong access policies, monitoring, email security, and user training.
Inbox rules, mailbox-level forwarding, and sign-in activity should be reviewed on a schedule, not only when compromise is suspected, because a forwarding or delete rule is usually the first thing an attacker creates and the last thing anyone notices. If the business has no need for users to auto-forward mail outside the tenant, turn off automatic external forwarding at the tenant level so an attacker’s rule is blocked instead of quietly leaking every invoice thread.
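Reviewing rules by hand across dozens of mailboxes does not scale, and the rules worth worrying about share a small number of traits: they forward or redirect outside the tenant, delete or file messages into folders nobody reads (RSS Subscriptions is a favourite), key on payment words in the subject, and carry a one-character name so they sit at the bottom of the list. The following Python is an added example, not code from the original article, that scores an export of inbox rules against those traits. The field names (Name, Enabled, ForwardTo, RedirectTo, ForwardAsAttachmentTo, DeleteMessage, MoveToFolder, MarkAsRead, SubjectContainsWords) are the ones Exchange Online PowerShell’s Get-InboxRule returns; that the export has been saved as JSON with recipient addresses reduced to plain SMTP addresses is an assumption, and the sample rules and the INTERNAL_DOMAINS set are constructed.

```python
"""Flag inbox rules typical of mailbox takeover.

Added example, not from the original article. Field names follow Get-InboxRule;
the JSON export layout is assumed and the sample rules are constructed.
"""
import json
import re

INTERNAL_DOMAINS = {"example-firm.com"}                       # assumed tenant domains
HIDING_FOLDERS = re.compile(r"rss|archive|junk|deleted|conversation history", re.I)
MONEY_WORDS = re.compile(r"invoice|wire|payment|ach|bank|remit|payroll", re.I)


def _external(addrs):
    """Keep only recipients whose domain is outside the tenant."""
    return [a for a in addrs or [] if a.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]


def rule_findings(rule: dict) -> list[str]:
    """Describe why one rule looks like attacker tradecraft; empty list if it does not."""
    f = []
    if not rule.get("Enabled", True):
        return f
    ext = (_external(rule.get("ForwardTo")) + _external(rule.get("RedirectTo"))
           + _external(rule.get("ForwardAsAttachmentTo")))
    if ext:
        f.append("forwards mail outside the tenant to " + ", ".join(ext))
    if rule.get("DeleteMessage"):
        f.append("deletes matching messages")
    folder = rule.get("MoveToFolder") or ""
    if HIDING_FOLDERS.search(folder):
        f.append(f"hides messages in '{folder}'")
    subject_words = " ".join(rule.get("SubjectContainsWords") or [])
    # Payment words alone are normal for AP staff; combined with hiding or
    # forwarding behaviour they describe a thread-hijack setup.
    if MONEY_WORDS.search(subject_words) and (f or rule.get("MarkAsRead")):
        f.append("targets payment-related subjects")
    name = (rule.get("Name") or "").strip()
    if len(name) <= 2:
        f.append(f"suspiciously short rule name {name!r}")
    return f


def triage_rules(export_json: str) -> dict:
    """Return {rule name: findings} for every rule with at least one finding."""
    out = {}
    for rule in json.loads(export_json):
        found = rule_findings(rule)
        if found:
            out[rule.get("Name", "")] = found
    return out


SAMPLE_EXPORT = json.dumps([   # constructed sample export
    {"Name": "Newsletter cleanup", "Enabled": True,
     "SubjectContainsWords": ["Newsletter"], "MoveToFolder": "Newsletters"},
    {"Name": ".", "Enabled": True, "SubjectContainsWords": ["invoice", "wire", "ACH"],
     "ForwardTo": ["ap.review@attacker-mail.example"], "DeleteMessage": True, "MarkAsRead": True},
    {"Name": "Ops", "Enabled": True, "SubjectContainsWords": ["password", "sign-in"],
     "MoveToFolder": "RSS Subscriptions"},
])

if __name__ == "__main__":
    for rule_name, findings in triage_rules(SAMPLE_EXPORT).items():
        print(f"{rule_name!r}: {'; '.join(findings)}")
```

Run it against a fresh export after every suspected incident and on a weekly schedule; the "Ops" rule in the sample is the quieter variant, where the attacker hides password-reset and new-sign-in notices so the real user never sees them.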
Microsoft 365 data should also be backed up separately so email, OneDrive, SharePoint, and Teams data can be recovered if needed.
6. Attorney, Real Estate, or Closing Wire Fraud
High-value transactions are attractive targets for Business Email Compromise.
Law firms, real estate professionals, title companies, construction firms, and professional services organizations often exchange sensitive documents and payment instructions by email. Attackers know this.
In these scams, criminals insert themselves into conversations involving closings, settlements, retainers, deposits, or project payments.
How Attackers Insert Themselves Into High-Value Transactions
An attacker may compromise one party’s email account and monitor conversations. When a wire transfer or payment is expected, they send fraudulent instructions that appear legitimate.
The victim may believe they are wiring funds to a law firm, title company, vendor, client, or business partner. In reality, the funds are sent to an account controlled by the attacker.
Why Professional Services Are Targeted
Professional services firms often handle confidential information and financial transactions. Law firms, accounting firms, and construction-related businesses may be especially exposed because their work often involves deadlines, approvals, retainers, invoices, and payments.
The more parties involved in a transaction, the easier it may be for an attacker to create confusion.
Warning Signs to Watch For
Be cautious with:
- Last-minute wire instruction changes
- Pressure to act before a closing or deadline
- Refusal to verify using known contact details
- Email domains that look nearly identical
- Payment instructions sent only by email
- Requests that change normal process
- Language that discourages calling
How to Reduce the Risk
High-value transactions should always include out-of-band verification.
That means verifying payment instructions using a known phone number or trusted process outside the email thread.
Law firms and professional services firms should also consider written wire verification procedures and staff training specific to BEC and email fraud.
Click to learn more about our IT Services for Law Firms
7. Gift Card and Urgent Purchase Scams
Gift card scams may seem simple, but they still work.
In this attack, a criminal impersonates an executive, manager, or owner and asks an employee to buy gift cards quickly.
The email may say:
“I need you to pick up gift cards for clients.”
Or:
“Can you purchase these today and send me the codes?”
The amounts may be smaller than wire fraud, but the scam can still cost the business money and create embarrassment for the employee who was tricked.
Why These Scams Still Work
Gift card scams rely on authority, urgency, and social pressure.
Employees may not want to question a request from a manager or owner. The attacker may also choose an employee who is helpful, new, or not used to receiving direct requests from leadership.
How Attackers Use Authority and Pressure
Attackers often make the request feel urgent and private.
They may say:
- “I need this handled right away.”
- “Do not call me. I am in a meeting.”
- “Send me the card numbers as soon as you buy them.”
- “This is for a client appreciation gift.”
The goal is to prevent the employee from slowing down and verifying.
Warning Signs to Watch For
Common warning signs include:
- Request comes from an executive or manager
- Employee is asked to buy gift cards quickly
- Request asks for card numbers by email or text
- Message discourages normal approval procedures
- Request comes from an unfamiliar number or email
- The purchase does not match normal business activity
How to Reduce the Risk
Employees should know that gift card purchases, unusual purchases, and urgent payment requests require verification.
Businesses should also create clear rules for approvals so employees never feel pressured to make financial decisions based only on email or text messages.
Business Email Compromise Risks by Industry
Business Email Compromise can affect any business, but the risk often looks different depending on the industry.
Law Firms
Law firms may be targeted because they handle confidential client information, retainers, settlement funds, wire instructions, and sensitive case-related communication.
Attackers may impersonate clients, opposing counsel, vendors, or internal staff.
Click to learn more about our IT Services for Law Firms
CPA and Accounting Firms
CPA and accounting firms may be targeted because they handle payroll, tax documents, client financial data, and sensitive business information.
Attackers may attempt payroll diversion, fake document requests, invoice fraud, or client impersonation.
Click to learn more about our IT Services for CPA and Accounting Firms
Construction and Engineering Firms
Construction and engineering firms often work with subcontractors, vendors, project managers, architects, and clients. That creates many opportunities for fake invoice scams and payment change fraud.
Project-based work also creates urgency, which attackers can exploit.
Click to learn more about our IT Services for Construction & Engineering Firms
Dental Offices
Dental offices may be targeted through vendor invoices, insurance-related communication, patient data requests, or compromised email accounts.
Because dental practices are often busy and patient-focused, administrative staff may be pressured to act quickly.
Click to learn more about our IT Support for Dental Offices
Nonprofit Organizations
Nonprofits may face donation fraud, board member impersonation, payment request scams, and fake vendor invoices.
Attackers may impersonate executives, donors, vendors, or board members to create urgency.
Learn more about our IT Services for Nonprofit Organizations
Hospitality Businesses
Hospitality businesses may process vendor payments, reservation details, guest information, point-of-sale communication, and recurring invoices.
Attackers may exploit fast-moving operations where staff members need to respond quickly.
Click to learn more about our IT Services for Hospitality Businesses
Small Businesses
Small businesses are frequent targets because one person may manage many responsibilities.
An office manager may handle invoices, payroll, vendors, software subscriptions, employee onboarding, and customer communication. That creates opportunities for attackers to use pressure and timing.
Click to learn more about our Managed IT Services for Small Businesses
Warning Signs Your Team Should Treat as Stop Signs
Business Email Compromise attacks vary, but many share common warning signs.
Employees should pause when they see:
- Payment instructions changed by email
- Requests that bypass normal approval procedures
- Urgency, secrecy, or pressure
- Slight changes in email domains
- Requests from executives that feel unusual
- Email threads that suddenly change tone
- Requests to avoid phone calls
- New banking details from a vendor
- Unusual login alerts
- MFA prompts the user did not initiate
A good rule is simple:
When money, credentials, banking information, or sensitive data are involved, verify using a trusted method outside the email.
How to Reduce the Risk of Business Email Compromise
Reducing BEC risk requires a combination of technology, employee awareness, and business process controls. No single tool can stop every Business Email Compromise attack.
Require Multi-Factor Authentication
MFA makes it much harder for attackers to sign in to email with a stolen password. It is not a complete answer: attackers can still obtain a session by bombarding a user with push prompts until one is approved, or by proxying the real login page so the user completes MFA on the attacker’s behalf. Prefer phishing-resistant methods (FIDO2 security keys or passkeys) where available, and treat MFA prompts the user did not initiate as an incident rather than a nuisance.
It should be required for Microsoft 365, remote access, administrator accounts, and other critical systems.
Secure Microsoft 365
Microsoft 365 should be configured and monitored carefully.
Important areas include MFA, administrator access, suspicious sign-in alerts, mailbox forwarding rules, email security policies, and user account reviews.
Verify Payment Changes by Phone
Vendor banking changes, wire instructions, payroll updates, and unusual payments should be verified using known contact information.
Do not rely on phone numbers or contact details included in the suspicious email.
Train Employees Regularly
Employees should receive ongoing security awareness training that covers phishing, Business Email Compromise, wire fraud, payroll scams, and social engineering.
Training should be practical, not overly technical.
Monitor Suspicious Logins and Email Rules
Suspicious logins, impossible travel alerts, unusual forwarding rules, and mailbox changes can be signs of compromise.
These should be reviewed quickly.
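"Impossible travel" is the one of these signals that is worth understanding in detail, because it is cheap to compute from sign-in logs you already have. The following Python is an added example, not code from the original article, that reads sign-in events in the shape of Microsoft Graph sign-in records (userPrincipalName, createdDateTime, ipAddress, location.geoCoordinates), pairs each user’s consecutive sign-ins, and reports any pair whose implied ground speed exceeds what an airliner could manage. The events are constructed (the IP addresses come from documentation ranges), and the 900 km/h threshold and the 100 km minimum hop are assumptions; the minimum hop exists because geo-IP is too imprecise to trust at city scale.

```python
"""Impossible-travel detection over sign-in events.

Added example, not from the original article. Event layout follows the shape of
Microsoft Graph sign-in records; the events are constructed and the thresholds
are assumptions.
"""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0   # assumed: faster than this between two sign-ins is not a person on a plane
MIN_KM = 100.0    # assumed: ignore hops geo-IP cannot resolve reliably


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def _ts(event):
    return datetime.fromisoformat(event["createdDateTime"].replace("Z", "+00:00"))


def impossible_travel(events):
    """Return (user, earlier_ip, later_ip, km, hours) for each hop no human could make."""
    by_user = {}
    for e in events:
        by_user.setdefault(e["userPrincipalName"], []).append(e)
    hits = []
    for user, evs in by_user.items():
        evs.sort(key=_ts)
        for prev, cur in zip(evs, evs[1:]):
            g1 = prev["location"]["geoCoordinates"]
            g2 = cur["location"]["geoCoordinates"]
            km = haversine_km(g1["latitude"], g1["longitude"], g2["latitude"], g2["longitude"])
            hours = (_ts(cur) - _ts(prev)).total_seconds() / 3600
            # Zero elapsed time with real distance is a hit by definition.
            if km >= MIN_KM and (hours == 0 or km / hours > MAX_KMH):
                hits.append((user, prev["ipAddress"], cur["ipAddress"], round(km), round(hours, 2)))
    return hits


SAMPLE_EVENTS = [   # constructed; IPs are from documentation ranges
    {"userPrincipalName": "ap.clerk@example-firm.com", "createdDateTime": "2024-05-01T13:05:00Z",
     "ipAddress": "203.0.113.10",
     "location": {"city": "Fort Lauderdale", "geoCoordinates": {"latitude": 26.12, "longitude": -80.14}}},
    {"userPrincipalName": "ap.clerk@example-firm.com", "createdDateTime": "2024-05-01T16:10:00Z",
     "ipAddress": "198.51.100.7",
     "location": {"city": "Lagos", "geoCoordinates": {"latitude": 6.52, "longitude": 3.38}}},
    {"userPrincipalName": "ap.clerk@example-firm.com", "createdDateTime": "2024-05-01T15:40:00Z",
     "ipAddress": "203.0.113.22",
     "location": {"city": "Nashville", "geoCoordinates": {"latitude": 36.16, "longitude": -86.78}}},
]

if __name__ == "__main__":
    for hit in impossible_travel(SAMPLE_EVENTS):
        print("impossible travel:", hit)
```

In the sample the Fort Lauderdale to Nashville hop is a plausible afternoon flight and is left alone; the Nashville to Lagos hop half an hour later is the one that should page someone. A hit is a reason to revoke sessions and call the user, not proof by itself: VPN exits and mobile carrier gateways produce false positives, which is why the alert should be paired with the mailbox-rule review rather than acted on alone.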
Back Up Microsoft 365 Data
Microsoft 365 data should be protected with a separate backup strategy. This helps with recovery if email, OneDrive, SharePoint, or Teams data is deleted, compromised, or lost.
Review Admin Accounts and User Access
Administrator accounts should be limited, protected with MFA, and reviewed regularly.
Former employee accounts should be disabled promptly.
What to Do If You Suspect a Business Email Compromise Attack
If you suspect a BEC attack, act quickly.
Do Not Reply to the Suspicious Email
Do not continue the conversation in the same email thread. If an attacker is monitoring the mailbox, they may see your response.
Call the Sender Using a Known Phone Number
Verify the request using contact information already on file.
Do not use the number provided in the suspicious email.
Contact Your IT Provider Immediately
If an email account may be compromised, your IT provider should review sign-ins, mailbox rules, forwarding settings, and account security.
Secure Compromised Accounts
This may include password resets, MFA review, session revocation, mailbox rule removal, and account monitoring.
Contact Your Bank if Money Was Sent
If funds were transferred, contact your bank immediately. Time matters.
Preserve Evidence
Keep copies of emails, headers, payment details, timestamps, and related communication. This may help with investigation, bank response, insurance conversations, or legal review.
How Network Computer Pros Helps Businesses Reduce BEC Risk
Network Computer Pros helps businesses reduce Business Email Compromise risk through layered cybersecurity, managed IT services, Microsoft 365 security review, backup and disaster recovery planning, and employee security awareness training.
Our approach is vendor-neutral and focused on practical risk reduction.
We help businesses review areas such as:
- Microsoft 365 security
- Multi-Factor Authentication
- Email protection
- User access
- Administrator accounts
- Backup readiness
- Employee awareness training
- Business Email Compromise controls
- Remote access security
- Suspicious login activity
- Help desk escalation procedures
The goal is not to make cybersecurity overly complicated. The goal is to reduce the chances that one suspicious email turns into a financial loss, data exposure, or operational disruption.
Network Computer Pros supports businesses across both South Florida and Middle Tennessee.
In South Florida, we support businesses throughout:
In Middle Tennessee, we support businesses throughout:
For businesses with multiple offices, remote employees, or growing teams, consistent security controls are especially important.
Not Sure Your Team Would Catch These Email Scams?
Business Email Compromise is effective because it looks familiar.
It often appears as a normal invoice, a normal vendor request, a normal payroll update, or a normal message from leadership.
That is why prevention requires more than one tool.
It requires secure systems, trained employees, clear verification procedures, monitored accounts, and reliable backup and recovery planning.
A Cybersecurity Assessment can help identify practical gaps in your current environment before a suspicious email turns into a financial loss.
For businesses in South Florida and Middle Tennessee, Network Computer Pros can help review email security, Microsoft 365 settings, employee awareness, backup readiness, and Business Email Compromise controls.
If you are not sure your team would recognize these scams before acting on them, it may be worth taking a closer look.
Frequently Asked Questions About Business Email Compromise Scams
What is a Business Email Compromise scam?
A Business Email Compromise scam is a targeted email-based attack where criminals impersonate a trusted person or organization to trick employees into sending money, changing payment information, sharing sensitive data, or granting access to business systems.
How is Business Email Compromise different from phishing?
Traditional phishing often uses fake login pages, malicious links, or suspicious attachments. Business Email Compromise may not include any of those. BEC attacks often look like normal business emails and rely on trust, urgency, and impersonation.
Why are small businesses targeted by BEC attacks?
Small businesses are targeted because attackers assume they may have fewer security controls, smaller administrative teams, and less formal approval processes. Employees at small businesses often manage multiple responsibilities, which can make fraudulent requests harder to catch.
Can Multi-Factor Authentication stop Business Email Compromise?
Multi-Factor Authentication can significantly reduce the risk of account compromise, but it does not stop every type of BEC attack. Businesses also need employee training, email security, payment verification procedures, Microsoft 365 monitoring, and strong internal processes.
What is the most common Business Email Compromise scam?
Fake vendor banking change requests are among the most common and financially damaging BEC scams. These attacks trick businesses into sending legitimate payments to fraudulent accounts.
How can employees recognize fake vendor payment requests?
Employees should look for sudden banking changes, urgency, new contacts, slightly different email domains, refusal to verify by phone, and changes in writing style. Any payment change should be verified using known contact information.
What should we do if a Microsoft 365 account is compromised?
Contact your IT provider immediately. The account should be secured, active sessions reviewed, passwords reset, MFA settings checked, mailbox rules inspected, forwarding disabled if suspicious, and related activity investigated.
Can Business Email Compromise affect law firms, CPA firms, and construction companies?
Yes. Law firms, CPA firms, construction companies, and other professional service businesses are common targets because they often handle payments, invoices, contracts, financial records, and sensitive client information.
Does cyber insurance cover Business Email Compromise?
Coverage depends on the policy. Businesses should review cyber insurance coverage, exclusions, and claim requirements with their insurance broker, legal counsel, or another qualified advisor. Network Computer Pros does not sell insurance or interpret policy language.
How can Network Computer Pros help reduce BEC risk?
Network Computer Pros helps businesses review email security, Microsoft 365 configuration, MFA, employee awareness training, backup readiness, administrator access, and other cybersecurity controls that can reduce Business Email Compromise risk.
