Anatomy of a business-email fraud
It rarely starts with malware. It starts with an email — and ends with a payment that can't be recalled.
Business-email compromise (BEC) is, dollar for dollar, one of the most damaging scams aimed at small businesses — and it usually involves no hacking tools at all. The attacker doesn't break your systems; they break your process, using nothing more than email and a convincing story. Here's how a typical case unfolds.
How it unfolds
- Reconnaissance. The attacker learns who pays the bills, who approves them, who your vendors are, and when money normally moves — often just from your website, LinkedIn, and out-of-office replies.
- Foothold or fake. They either phish their way into a real mailbox (yours or a vendor's), or they register a look-alike domain — acme-co.com instead of acmeco.com — that reads correctly at a glance.
- The setup. They watch a real conversation, or impersonate an executive or vendor mid-thread, and introduce "updated banking details" or a new, urgent invoice.
- The pressure. The request is time-sensitive and framed to discourage scrutiny: a deal closing, a late supplier, the boss unreachable and counting on you.
- The payment. Your team, doing what looks like their job, sends the funds — to the attacker's account. By the time anyone notices, the money is gone and rarely recoverable.
The genius of BEC is that nothing looks broken. Every step uses your normal tools and your normal trust — which is exactly why a technical defense alone won't stop it.
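The look-alike domain in the "Foothold or fake" step is something a mail gateway or a simple inbound filter can catch before a human has to. The following is an added example, not code from the original article or from Securidigm: it folds hyphens, dots and common character swaps out of a sender's domain and compares the result against a constructed allowlist of vendor domains, flagging near-matches such as acme-co.com against acmeco.com. The vendor list, the sample addresses and the similarity threshold are all assumptions for illustration.

```python
# Added example (not from the original article): flag sender domains that
# closely resemble a known vendor domain, the way "acme-co.com" resembles
# "acmeco.com". The vendor list and sample addresses below are constructed.
import re
from difflib import SequenceMatcher

# Constructed allowlist of domains you actually exchange invoices with.
VENDOR_DOMAINS = {"acmeco.com", "northwindsupply.net", "example-bank.com"}

# Characters commonly swapped in look-alike registrations; folding them lets
# "acmec0.com" and "acmeco.com" compare as equal.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})

# Anything that is "all" with an optional SPF-style qualifier is unrelated here;
# this regex is only used to strip separators from domains.
_SEPARATORS = re.compile(r"[.\-]")


def normalize(domain: str) -> str:
    """Lower-case, fold homoglyphs and two-letter tricks, drop dots and hyphens."""
    d = domain.lower().strip().translate(_HOMOGLYPHS)
    d = d.replace("rn", "m").replace("vv", "w")
    return _SEPARATORS.sub("", d)


def registrable(domain: str) -> str:
    """Keep the last two labels so billing.acmeco.com maps to acmeco.com.

    Naive on purpose: it does not understand ccTLDs such as co.uk. A real
    deployment would consult the public-suffix list instead.
    """
    parts = domain.lower().strip().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else domain.lower()


def classify_sender(address: str, vendors=VENDOR_DOMAINS, threshold: float = 0.85):
    """Return ("known", domain), ("lookalike", closest_vendor) or ("unknown", None)."""
    domain = registrable(address.rsplit("@", 1)[-1])
    if domain in vendors:
        return ("known", domain)
    norm = normalize(domain)
    best, best_score = None, 0.0
    for vendor in vendors:
        vendor_norm = normalize(vendor)
        # Identical after folding means a deliberate near-copy, score it 1.0.
        score = 1.0 if norm == vendor_norm else SequenceMatcher(None, norm, vendor_norm).ratio()
        if score > best_score:
            best, best_score = vendor, score
    if best_score >= threshold:
        return ("lookalike", best)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample senders, including the article's acme-co.com case.
    for sender in ("ap@acme-co.com", "ap@acmec0.com", "ap@acrneco.com",
                   "billing@acmeco.com", "someone@gmail.com"):
        print(sender, "->", classify_sender(sender))
```

A "lookalike" verdict is a reason to route the message for the out-of-band callback described below, not a reason to block it outright: legitimate vendors do occasionally change domains, and the callback to a number already on file is what distinguishes the two cases.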
The controls that actually stop it
Out-of-band callback on every payment change
Any new or changed bank details, and any unusual payment, must be confirmed by calling the requester back on a number you already have on file — never a number or link from the email itself. This one habit defeats most BEC.
Dual authorization for moving money
No single person should be able to send a significant payment alone. A second approver, verifying independently, breaks the scam even when the first person is convinced.
Lock down email
MFA on every mailbox, plus the standard email-authentication records (SPF, DKIM, DMARC) so spoofed senders are harder to land. Flag external email so a look-alike "internal" message stands out.
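SPF and DMARC records are only as good as their settings: an SPF record ending in "~all" and a DMARC policy of "p=none" are both published records that still let a spoofed sender through. As an added example (not code from the original article or from Securidigm), the following checks record strings for those weak settings and shows the weak configuration beside the corrected one. The record values are constructed samples for example.com rather than live DNS lookups, and the findings text is this example's own wording.

```python
# Added example (not from the original article): evaluate your own domain's
# SPF and DMARC TXT records for settings that leave spoofing unpunished.
# All record strings here are constructed samples, not live DNS answers.
import re

_ALL_MECHANISM = re.compile(r"^[+\-~?]?all$")


def check_spf(record: str) -> list[str]:
    """Return a list of weaknesses in an SPF record (empty list means fine)."""
    findings = []
    if not record.startswith("v=spf1"):
        return ["not an SPF record"]
    terms = record.split()
    qualifier = next((t for t in terms if _ALL_MECHANISM.match(t)), None)
    if qualifier is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif qualifier in ("+all", "all"):
        findings.append("'+all' authorises every host on the internet to send as you")
    elif qualifier in ("~all", "?all"):
        findings.append(f"'{qualifier}' is advisory only; use '-all' once DMARC reports look clean")
    return findings


def check_dmarc(record: str) -> list[str]:
    """Return a list of weaknesses in a DMARC record (empty list means fine)."""
    findings = []
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    if tags.get("p", "none") == "none":
        findings.append("p=none only reports; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: you receive no aggregate reports")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: the policy applies to only part of the mail")
    return findings


# Weak configuration (constructed) beside the corrected one.
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
STRONG_SPF = "v=spf1 include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"

if __name__ == "__main__":
    for label, record, check in (("weak SPF", WEAK_SPF, check_spf),
                                 ("strong SPF", STRONG_SPF, check_spf),
                                 ("weak DMARC", WEAK_DMARC, check_dmarc),
                                 ("strong DMARC", STRONG_DMARC, check_dmarc)):
        print(f"{label}: {check(record) or ['ok']}")
```

Move from p=none to p=quarantine and then p=reject only after the aggregate reports show your legitimate senders all pass; tightening SPF to -all before that step is how organisations end up blocking their own invoices.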
Make verifying the norm
Train staff that urgency plus secrecy is a red flag, not a reason to hurry — and that pausing to verify a payment is always welcome, never insubordinate.
BEC beats technology by targeting trust. The fix is a process the attacker can't talk their way around: independent callback verification, dual authorization, and a culture where checking is expected.
Pressure-test your payment process
Securidigm builds verification into your payment controls and can run a business-email-fraud tabletop with your team, so the gaps surface in a drill instead of a real transfer.
Request a confidential conversation →
Securidigm provides advisory cybersecurity services and prepares draft documents. It does not provide an audit, a certification, or legal advice. This article is general information, not advice for your situation, and no outcome is guaranteed.