
What Is Business Email Compromise (BEC)? How SMBs Get Targeted and How to Stop It

Business Email Compromise costs SMBs an average of $137,000 per incident. Here's how BEC attacks work, why small businesses are targeted, and what stops them.

Business Email Compromise costs small and mid-sized businesses an average of $137,000 per incident. It's the fastest-growing category of cybercrime targeting businesses — not because it uses sophisticated technology, but because it exploits a gap in email infrastructure that most businesses don't know exists.

This guide explains what BEC is, how attacks work, why SMBs are disproportionately targeted, and the specific technical steps that stop the most common attack vectors.


What Business Email Compromise Is

Business Email Compromise is a category of email fraud where attackers impersonate a trusted person — a CEO, a supplier, a finance department colleague — to manipulate an employee into taking a harmful action. That action is usually:

  • Authorising a wire transfer to a fraudulent bank account
  • Changing payment details for a supplier
  • Providing payroll information or W-2 data
  • Granting access to systems or credentials

What makes BEC different from generic phishing is its precision. BEC attacks are targeted, researched, and often highly convincing. They don't rely on malware or malicious links. They rely on the recipient believing the email is from someone they trust.


The Two Main Attack Methods

1. Domain Spoofing

The attacker sends an email that appears to come from your domain — ceo@yourcompany.com, for example — without having any access to your systems.

This is possible when a domain doesn't have DMARC enforcement in place. With no p=quarantine or p=reject DMARC policy, receiving mail servers accept emails from your domain regardless of whether they were actually sent by your servers.

A spoofed domain attack can be executed in minutes. The attacker needs only your domain name and the knowledge that your DMARC policy is p=none (or missing entirely). Both are publicly discoverable.

2. Account Compromise

The attacker gains access to a real email account — often through phishing, credential stuffing, or a breached password — and sends fraudulent emails from the legitimate inbox.

This is harder to prevent with authentication alone. The email is genuinely coming from the real account, so authentication passes. Prevention here relies on strong account security: MFA, unusual login alerts, and strong passwords.


A Realistic Spoofing Scenario

Here's how a domain spoofing BEC attack unfolds in practice:

  1. An attacker checks your domain's DMARC record. It shows p=none — or no record at all. This takes 30 seconds.
  2. The attacker emails your accounts payable contact from a spoofed finance@yourcompany.com address, referencing a real supplier relationship they found on LinkedIn.
  3. The email instructs your AP contact to update bank details for an upcoming payment. It looks exactly like an internal email — your domain, your format.
  4. Your AP contact updates the details. The next payment — $28,000 — goes to the attacker's account.
  5. You discover the fraud when the real supplier calls about a missed payment.

Wire transfers are rarely recoverable. The loss is typically permanent.

This specific attack is preventable with a single DNS record change: moving your DMARC policy from p=none to p=reject. With DMARC enforced, step 3 never happens — the spoofed email is rejected by the receiving server before it reaches your AP contact's inbox.


Why SMBs Are Primary Targets

Large enterprises have dedicated security teams, email security platforms (Proofpoint, Mimecast), and internal controls that make BEC attacks harder to execute. SMBs typically don't.

The factors that make SMBs attractive targets:

Less IT oversight. Email authentication is often configured once (or not at all) and never reviewed. DMARC policies stay at p=none indefinitely.

Faster, less formal decision-making. Payment approvals at SMBs often involve fewer people and less verification. A convincing email from the "CEO" has a higher success rate when there's no multi-person approval process.

Lower security awareness. Employees at smaller companies are less likely to have received training on BEC attack patterns or verification procedures.

Discoverable relationships. LinkedIn and company websites make it easy for attackers to identify who handles payments, who the key suppliers are, and what the company's email format looks like.

The FBI reports that 94% of cyberattacks start with email. BEC is one of the most financially damaging categories within that statistic.


How Authentication Stops Domain Spoofing

SPF, DKIM, and DMARC are the technical controls that prevent domain spoofing attacks.

  • SPF restricts which servers can send email from your domain
  • DKIM proves that outgoing emails were signed by your mail server
  • DMARC at p=reject tells receiving servers to block any email from your domain that doesn't pass both checks

With DMARC at p=reject, the spoofed invoice email in the scenario above is blocked at the receiving server — before it ever reaches anyone's inbox. The attack fails at the first step.

Without DMARC enforcement (or with p=none), receiving servers see a suspicious email and often deliver it anyway, because they have no policy from you telling them what to do with failures.

The DMARC policy guide explains how to move from monitoring (p=none) to full enforcement (p=reject) safely, without disrupting your legitimate email.
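The mechanics described above, as an added example that is not code from this article or from EmailAudit.io: a small model of how a receiving server applies a DMARC policy to one message. DMARC passes when at least one of SPF or DKIM passes and the domain it authenticated aligns with the domain in the From: header the recipient sees; the spoofed finance@ email from the scenario fails that test, and what happens next depends entirely on the p= value you publish. All domains, messages and the simplified organizational-domain rule are assumptions made for illustration.

```python
# Added example (not code from the EmailAudit.io article): a minimal model of how a
# receiving mail server applies a DMARC policy to one message. Domains and
# messages are constructed for illustration.
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class AuthResult:
    """What the receiver has established about a message before applying DMARC."""
    from_domain: str             # domain of the From: header the recipient sees
    spf_result: str              # "pass", "fail" or "none"
    spf_domain: Optional[str]    # domain SPF was evaluated for (envelope MAIL FROM)
    dkim_result: str             # "pass", "fail" or "none"
    dkim_domain: Optional[str]   # d= tag of the verified DKIM signature

def org_domain(domain: str) -> str:
    # Assumption: the last two labels are the organizational domain. Real
    # receivers consult the Public Suffix List (co.uk etc.); good enough here.
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain: Optional[str], from_domain: str, strict: bool = False) -> bool:
    """Identifier alignment: the authenticated domain must equal the From: domain
    (strict) or share its organizational domain (relaxed, the default)."""
    if auth_domain is None:
        return False
    if auth_domain.lower() == from_domain.lower():
        return True
    return not strict and org_domain(auth_domain) == org_domain(from_domain)

def dmarc_pass(r: AuthResult) -> bool:
    """DMARC passes when at least one of SPF or DKIM passes AND is aligned."""
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain)
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain)
    return spf_ok or dkim_ok

def disposition(r: AuthResult, policy: Optional[str]) -> Tuple[str, str]:
    """policy is the p= value of the From: domain's DMARC record (None if the
    domain publishes no record). Returns (action, reason)."""
    if policy is None:
        return "deliver", "no DMARC record: the receiver has no instruction to act on"
    if dmarc_pass(r):
        return "deliver", "DMARC pass"
    if policy == "none":
        return "deliver", "DMARC fail, but p=none only asks for a report"
    if policy == "quarantine":
        return "quarantine", "DMARC fail, p=quarantine: routed to spam"
    if policy == "reject":
        return "reject", "DMARC fail, p=reject: refused at SMTP time"
    raise ValueError(f"unknown policy {policy!r}")

# Constructed messages. The spoof: a third-party server sends with From:
# finance@yourcompany.example but an envelope sender on its own domain, so SPF
# passes for attacker.example yet is not aligned, and there is no DKIM signature.
SPOOFED = AuthResult("yourcompany.example", "pass", "attacker.example", "none", None)
# Legitimate mail from your own server: both SPF and DKIM pass and align.
LEGITIMATE = AuthResult("yourcompany.example", "pass", "yourcompany.example",
                        "pass", "yourcompany.example")

if __name__ == "__main__":
    for name, msg in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        for policy in (None, "none", "quarantine", "reject"):
            action, why = disposition(msg, policy)
            print(f"{name:10} p={policy!s:10} -> {action:10} ({why})")
```

Running it prints the same spoofed message being delivered under no record and under p=none, quarantined under p=quarantine, and refused under p=reject, while the legitimate message is delivered under every policy. The alignment step is the part most often overlooked: an SPF pass on the attacker's own envelope domain is worthless to the attacker precisely because DMARC ties the check to the From: domain the recipient sees.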


Beyond Authentication: Additional Protections

Authentication stops domain spoofing. It doesn't stop account compromise attacks, where the email comes from a real inbox. Additional controls for BEC prevention:

Multi-factor authentication on all email accounts. MFA prevents credential-based account takeover even when passwords are breached. Enable it for every account in your organisation — not just executives.

Verbal verification for payment changes. Any request to change payment details or authorise a wire transfer should require a phone confirmation to a known number before being processed. This stops account compromise BEC even when the email really was sent from the compromised account and passes every authentication check.

Invoice verification policy. A written policy requiring secondary verification for transfers above a threshold (e.g., $5,000) adds a human check that technology can't bypass.

Unusual login alerts. Configure your email platform to alert on logins from new locations or devices. Catch account compromise early.
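The "unusual login alerts" control above, as an added example that is not part of the article: a small detector run over constructed sign-in events that flags a successful login from a country or device the user has never signed in from before, and records how many failed attempts immediately preceded it. The log layout (one event per line: timestamp, user, source country, device id, outcome) is an assumption; Microsoft 365 and Google Workspace export richer audit records, but the baseline-and-deviation logic is the same.

```python
# Added example (constructed, not from the article): flag successful sign-ins from
# a country or device a user has never used before, the signal behind the
# "unusual login alerts" recommendation. The log format is an assumption.
from collections import defaultdict
from typing import Dict, List

# Constructed sign-in events. The AP user normally signs in from GB on one laptop;
# on 3 May a login from a new country and device succeeds after one failure.
SIGNIN_LOG = """\
2024-05-01T08:02:11Z ap@yourcompany.example GB dev-7a2f success
2024-05-01T08:15:40Z ceo@yourcompany.example GB dev-19c0 success
2024-05-02T09:01:03Z ap@yourcompany.example GB dev-7a2f success
2024-05-03T03:44:21Z ap@yourcompany.example NG dev-e41b failure
2024-05-03T03:44:58Z ap@yourcompany.example NG dev-e41b success
2024-05-03T09:10:00Z ceo@yourcompany.example GB dev-19c0 success
"""

def parse_event(line: str) -> Dict[str, str]:
    ts, user, country, device, outcome = line.split()
    return {"ts": ts, "user": user, "country": country, "device": device, "outcome": outcome}

def detect_unusual_logins(lines: List[str]) -> List[Dict[str, object]]:
    """Return one alert per successful login whose country or device is new for
    that user. A user's first successful login seeds the baseline and never alerts."""
    known_countries: Dict[str, set] = defaultdict(set)
    known_devices: Dict[str, set] = defaultdict(set)
    recent_failures: Dict[str, int] = defaultdict(int)   # failures since last success
    alerts: List[Dict[str, object]] = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        user = ev["user"]
        if ev["outcome"] != "success":
            recent_failures[user] += 1
            continue
        new_country = ev["country"] not in known_countries[user]
        new_device = ev["device"] not in known_devices[user]
        has_history = bool(known_countries[user])
        if has_history and (new_country or new_device):
            alerts.append({
                "ts": ev["ts"], "user": user,
                "country": ev["country"], "device": ev["device"],
                "new_country": new_country, "new_device": new_device,
                "preceding_failures": recent_failures[user],
            })
        # Every success, alerted or not, extends what is "normal" for this user.
        known_countries[user].add(ev["country"])
        known_devices[user].add(ev["device"])
        recent_failures[user] = 0
    return alerts

if __name__ == "__main__":
    for a in detect_unusual_logins(SIGNIN_LOG.splitlines()):
        print(f"ALERT {a['ts']} {a['user']}: login from {a['country']} on {a['device']} "
              f"(new country={a['new_country']}, new device={a['new_device']}, "
              f"failures just before={a['preceding_failures']})")
```

On the sample log this raises exactly one alert, for the accounts payable user. Note the design choice that a login which triggers an alert still joins the user's baseline: if you do not want the next login from the same place to be silently accepted, the alert has to be reviewed (and the account secured) rather than left to age out.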


How to Check Your Current Exposure

Checking whether your domain can currently be spoofed takes 30 seconds. A free Security Score check shows your DMARC policy status — including whether you're at p=none (monitoring only, no protection) or enforced.

If your policy is p=none or missing, your domain can be spoofed today.
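The check itself comes down to reading one DNS record. As an added example that is not the EmailAudit.io Security Score tool, the following parser takes the TXT record a domain publishes at _dmarc.<domain> and classifies exposure the way the article does (missing, p=none, enforced), plus two partial states a practitioner should know about: a pct= below 100, which applies the policy to only a fraction of failing mail, and sp=none, which leaves subdomains open while the apex is enforced. The sample records and the yourcompany.example hostname are constructed; a real record is fetched with `dig +short TXT _dmarc.yourcompany.example`.

```python
# Added example (not the EmailAudit.io checker itself): parse the TXT record a
# domain publishes at _dmarc.<domain> and say whether the domain can be spoofed.
# The sample records are constructed.
from typing import Dict, List, Optional, Tuple

def parse_dmarc(txt: Optional[str]) -> Optional[Dict[str, str]]:
    """Split 'v=DMARC1; p=reject; rua=...' into tags. Returns None when the
    string is not a DMARC record (wrong or missing v= tag)."""
    if txt is None:
        return None
    tags: Dict[str, str] = {}
    for part in txt.strip().strip('"').split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags

def assess(txt: Optional[str]) -> Tuple[str, List[str]]:
    """Return ("exposed" | "partial" | "enforced", findings) for one record."""
    tags = parse_dmarc(txt)
    if tags is None:
        return "exposed", ["no valid DMARC record: receivers get no policy for this domain"]
    p = tags.get("p", "").lower()
    if p not in ("none", "quarantine", "reject"):
        return "exposed", [f"missing or invalid p= tag ({p!r}): receivers cannot apply a policy"]
    if p == "none":
        return "exposed", ["p=none: failures are reported to you but still delivered"]
    findings: List[str] = []
    level = "enforced"
    if p == "quarantine":
        findings.append("p=quarantine: spoofed mail goes to spam instead of being rejected")
    pct = int(tags.get("pct", "100"))          # pct defaults to 100 when absent
    if pct < 100:
        level = "partial"
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    sp = tags.get("sp", p).lower()             # sp defaults to the p= value
    if sp == "none":
        level = "partial"
        findings.append("sp=none: subdomains stay spoofable although the apex is enforced")
    if not tags.get("rua"):
        findings.append("no rua= address: you will not see who is failing authentication")
    return level, findings

# Constructed records covering the states the article describes plus the partial ones.
SAMPLES = {
    "missing":          None,
    "monitor_only":     "v=DMARC1; p=none; rua=mailto:dmarc@yourcompany.example",
    "half_enforced":    "v=DMARC1; p=reject; pct=50; rua=mailto:dmarc@yourcompany.example",
    "subdomains_open":  "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@yourcompany.example",
    "enforced":         "v=DMARC1; p=reject; rua=mailto:dmarc@yourcompany.example",
}

if __name__ == "__main__":
    for name, record in SAMPLES.items():
        level, findings = assess(record)
        print(f"{name:16} {level:9} {'; '.join(findings) or 'no findings'}")
```

Only the last sample comes back clean. The pct= and sp= cases matter because a domain owner who has "moved to p=reject" can still be spoofable in practice, and a dashboard that reports only the p= value will not show it.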

For a full picture of the financial consequences of a spoofing incident, see the real cost of email spoofing.

To check whether your domain or IP has already been affected by an incident, check your email blacklist status.


Run your free Security Score check — find out if your domain can be spoofed right now at EmailAudit.io

The Security Score check shows your DMARC policy, SPF status, and overall authentication grade in seconds. No account required.

Is your domain protected?

Run a free Full Audit — check SPF, DKIM, DMARC, blacklists, and MTA-STS in seconds. Get a branded PDF report delivered to your inbox. No account required.