
Protect Against Business Email Compromise in 2025

Shireen Stephenson, published May 23, 2025

If you run a business, manage a team, or sign off on invoices, there’s a $6.7 billion reason you should read every word of this post: It’s how much businesses lost to business email compromise (BEC) attacks last year.  

Imagine this: You’ve worked hard for every dollar, customer, and glowing Google review. But in a split second – that one email that looks legitimate – could result in drained accounts, disrupted cash flow, and a damaged brand. 

Business email compromise (a type of social engineering attack) rose 60% between January and February 2025.  

The good news? There are easy, practical steps you can take right now to protect everything you’ve built – before your business becomes the next statistic. 

The red flags that should get you to drop everything and double-check 

You’ve told your staff to “watch out for suspicious emails.” But here’s the dirty secret: BEC email scams can look quite innocent.  

First, hackers use AI to mimic the writing styles of known colleagues and employ psychological triggers like urgency or authority to disrupt your critical thinking process. 

They then execute attacks when your guard is down – like on a Friday afternoon, after a project milestone, or during end-of-quarter rushes.  

They know you’re more likely to be distracted and fall back on Type 1 (fast, automatic, and emotion-based) thinking – and thus, grant their request for sensitive info and money transfers. 

So, spotting an attack is all about knowing what the red flags are. The following subject lines are the bait scammers use to hook your attention. 

Trigger type: Authority

  • From the CFO’s desk: Complete this transfer without delay
  • Directive from the CEO: Immediate action required
  • Executive request: Vendor payment instructions

Trigger type: Urgency

  • TIME SENSITIVE: Immediate wire transfer required
  • Invoice OVERDUE: Response needed ASAP
  • ACTION NEEDED: Payment deadline TODAY

Trigger type: Scarcity

  • This is confidential – don't loop in anyone else
  • Only a few slots left: Confirm payment today
  • Limited opportunity: Secure your order now

Trigger type: Cordiality

  • Quick favor please: Can you process this payment for me?
  • Hey [your name]: Got a second for this payment?
  • Hope you’re well: Appreciate your support for this urgent transaction

Trigger type: Collaborative

  • Team effort needed: Vendor payment coordination
  • Let’s keep things moving: Can you finalize this payment update?
  • Following up on our recent discussion: Need your input on the new vendor setup

Beyond subject lines, there are other signs of business email compromise to watch for: 

  • Spoofing via lookalike domains: Attackers hope you’ll miss slight misspellings of real brand names like @goggle.com instead of @google.com. 
  • Mismatched sender names and URLs: The display name looks familiar, but the actual email address is off or uses a public domain like Gmail or Yahoo. For example, the email says it’s from IT, but the address is it.support2025@gmail.com. 
  • Weird account behavior: Messages sent at odd hours (like at 2AM) or from unexpected locations should raise your suspicions. 
  • Hijacked email threads: You’re in the middle of a discussion about a new vendor, and someone jumps in with new payment instructions. 
  • Inconsistent communication style: If your CFO usually writes like a Harvard grad, be wary when you get emails with informal phrasing like “ASAP” instead of “as soon as possible” or “plz” instead of “please.”  
  • Hidden executable files: While you’re on the lookout for fake money transfer requests, attackers may instead send a ZIP file containing a malicious executable (.exe), renamed so you’re none the wiser. Opening the ZIP and running that file could install a remote access trojan (RAT) with keylogging capabilities, giving the attackers remote control of your device and a record of every keystroke you make. 
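The subject-line triggers and the sender-side red flags above are mechanical enough to check automatically before a human ever sees the message. The script below is an added example written for this post, not LastPass code: it parses one raw email, compares the sender domain against a constructed list of trusted domains using edit distance (so @goggle.com is caught as a lookalike of @google.com), flags a familiar display name sitting on a free-mail address, a Reply-To that points somewhere other than the From domain, pressure words in the subject, and attachments that are executables hiding behind a double extension. The trusted domains, free-mail list, keyword list and both sample messages are constructed for the example.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed reference data (assumptions for this example, not from the post).
TRUSTED_DOMAINS = {"example.com", "example-vendor.com"}
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
URGENCY_TERMS = ("immediate", "urgent", "asap", "today", "time sensitive",
                 "overdue", "confidential", "wire transfer", "action needed")
EXECUTABLE_EXTS = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".ps1")


def levenshtein(a, b):
    """Edit distance; a small non-zero distance between domains suggests a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None if it is exact or unrelated."""
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if levenshtein(domain, trusted) <= 2:
            return trusted
    return None


def score_message(raw):
    """Return a list of human-readable red flags found in one RFC 822 message."""
    msg = message_from_string(raw)
    flags = []
    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = domain_of(reply_addr)

    # Lookalike domain: one or two characters away from a domain we trust.
    imitated = lookalike_of(from_domain)
    if imitated:
        flags.append(f"lookalike sender domain {from_domain} (resembles {imitated})")

    # Familiar display name, but the mailbox is on a public free-mail provider.
    if display and from_domain in FREEMAIL_DOMAINS:
        flags.append(f"display name '{display}' with free-mail address {from_addr}")

    # Replies silently routed somewhere other than the apparent sender.
    if reply_domain and reply_domain != from_domain:
        flags.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # Psychological triggers (authority/urgency/scarcity wording) in the subject.
    subject = msg.get("Subject", "").lower()
    hits = [t for t in URGENCY_TERMS if t in subject]
    if hits:
        flags.append("pressure terms in subject: " + ", ".join(hits))

    # Attachments that are executables, including renamed double-extension ones.
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if name.endswith(EXECUTABLE_EXTS):
            kind = "double-extension " if name.count(".") >= 2 else ""
            flags.append(f"{kind}executable attachment {name}")
    return flags


# Constructed sample messages; no real sender or organization is referenced.
SUSPICIOUS = """\
From: "Dana Lee, CFO" <dana.lee@examp1e.com>
Reply-To: <dana.lee.cfo@gmail.com>
To: accounts@example.com
Subject: TIME SENSITIVE: Immediate wire transfer required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please process this before 5pm. Keep it between us.
--b1
Content-Type: application/octet-stream; name="Invoice_2025.pdf.exe"
Content-Disposition: attachment; filename="Invoice_2025.pdf.exe"

AAAA
--b1--
"""

BENIGN = """\
From: "Dana Lee" <dana.lee@example.com>
To: accounts@example.com
Subject: Q2 budget notes

Notes from this morning's meeting are in the shared folder.
"""

if __name__ == "__main__":
    for flag in score_message(SUSPICIOUS):
        print(" -", flag)
```

Run against the constructed message, the checker reports four flags: the lookalike domain, the mismatched Reply-To, the pressure terms in the subject, and the double-extension executable; the benign message reports none. Heuristics like these belong in front of the payment process as a prompt to verify out of band, not as the sole decision maker, because a compromised legitimate account (the vendor email compromise case) trips none of them.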

Business email compromise detection: What you should know 

When an attack happens, who pays for the loss?  

Below, we reveal why you could end up paying (even if you’re the victim), the red flags you can’t afford to miss, and how scammers are getting past your defenses. 

Business email compromise (BEC): Who is liable? 

First, let’s look at some business email compromise statistics: 

  • BEC-related fund transfers have been traced to financial institutions in over 140 countries. 
  • Meanwhile, 14% of BEC scam victims recovered none of their financial losses. 

So, if one of your employees accidentally pays a fraudulent invoice, will your business be on the hook for the real invoice (thus paying twice)? 

The answer is an unsettling “maybe.” 

You see, courts and insurers will determine whether your business exercised “reasonable care” in verifying payment instructions (such as confirming changes through a trusted, out-of-band method). If that wasn’t done, you’re likely on the hook for every penny. 

Some courts may apply “comparative fault,” apportioning liability based on each party’s negligence. For example, if both the sender and recipient of funds failed to exercise due care, both could be liable for the loss. 

Courts may also consider whether there were “red flags” that should have prompted further verification, and whether either party ignored them. 

Meanwhile, cyber insurers are quietly rewriting policies to exclude BEC payouts unless you meet all duty of care obligations.  

This includes mandatory MFA, DMARC email authentication, daily limits on fund transfer requests, employee security training, and strict payment verification protocols. 

Without them, you could face higher premiums, outright denial of BEC coverage, or extra costs in the form of a separate “Social Engineering Fraud” policy. 


The business email compromise playbook: How hackers really pull off BEC  

Hackers no longer need to “break in.” They can now log in by buying your credentials on the Dark Web, often for less than the price of lunch (between US$10-$20). 

And that’s not all: Each BEC scam uses different tactics to bypass your defenses.  

To protect your business, know the most common BEC email scams to look for in 2025. 

Scam type: Invoice billing fraud

Description: Fraudsters send what appear to be legitimate invoices to trick your business into paying up. The average loss from invoice fraud is US $137,000.

Key tactics used:

  • Invoice manipulation
  • Use of spear phishing to target specific individuals
  • Timed to coincide with real transactions
  • Follows internal billing cycles and payment processes

Scam type: Vendor email compromise (VEC)

Description: Hackers compromise a vendor or supplier’s email account, sending fake invoices or requested changes to payment. There was a 66% increase of VEC in early 2024.

Key tactics used:

  • A subset of invoice billing fraud
  • Supply chain exploitation
  • Email thread hijacking
  • Use of lookalike domains

Scam type: CEO impersonation fraud

Description: Attackers pose as top executives, sending requests for urgent payments or confidential data.

Key tactics used:

  • Over 89% of BEC attacks involve CEO fraud.
  • Use of lookalike domains
  • AI-crafted messages to exploit authority bias
  • New employees the favorite targets

Scam type: Account compromise

Description: Scammers gain control of an employee’s account and use it to request transfers of cash or corporate data.

Key tactics used:

  • Credential theft to take over employee accounts
  • Email hijacking
  • Spear phishing to target specific employees

Scam type: Gift card fraud

Description: Attackers target one of your employees to purchase gift cards for a vendor giveaway or employee reward program. The employee is asked to use corporate funds for the purchase. Once purchased, the scammer asks for PIN codes and card numbers, which they quickly redeem or resell. This makes recovery nearly impossible.

Key tactics used:

  • Use of CEO impersonation and spear phishing to target specific employees
  • Relies on a combination of authority and urgent secrecy

Scam type: Attorney impersonation

Description: Scammers pose as lawyers, citing confidentiality to pressure staff into transferring funds or proprietary data.

Key tactics used:

  • Use of spear phishing to target specific employees
  • Use of lookalike domains and legal jargon
  • Exploitation of authority and secrecy

Scam type: Payroll diversion

Description: Attackers request changes to payroll or HR records, rerouting employee salaries to their own accounts.

Key tactics used:

  • On average, payroll schemes go undetected for 24 months with an average loss of $2,600/month.
  • Impersonations target HR/finance staff
  • Use of credential theft to take over legitimate employee email accounts
  • Use of email to make direct deposit change requests

7 BEC myths that could destroy your business: How many do you believe? 

The true risk doesn’t stem solely from the BEC scams themselves, but rather from widespread misconceptions about them. 

Below are seven (7) of the top myths to look out for in 2025: 

Myth #1 We’re too small to be a target. 

Fact: Small businesses experience 350% more social engineering attacks than larger enterprises. 

Fact: 43% of cyber attacks worldwide involve small businesses with fewer than 1,000 employees. 

Myth #2 Our IT team will catch it. 

Fact: 50% of all email phishing attacks, including business email compromise (BEC), evade SEGs (secure email gateways). 

Fact: 98% of affected employees don’t report BEC attacks, indicating that most incidents go undetected by IT unless specifically flagged. 

Myth #3 We have cyber insurance. 

Fact: Read the fine print – most claims for social engineering are denied unless there are specific endorsements for it in a policy. 

Myth #4 We already use MFA (multi-factor authentication). 

Fact: In a BEC attack, scammers impersonate trusted colleagues, vendors, and executives to manipulate your employees into making unauthorized transactions, bypassing technical controls like MFA. 

Myth #5 We train our employees during onboarding. 

Fact: Training that isn’t ongoing is soon forgotten. Continuous training and phishing simulations can boost your staff’s ability to spot and report BEC attempts.  

For example, after 12 months of consistent training, the percentage of employees reporting threats jumps from 13% to 64%, and that figure rises to 71% after two years. 

Myth #6 It’s just another phishing scam. 

Fact: BEC is far more sophisticated, targeted, and difficult to detect. While phishing emails are usually sent in bulk, BEC attacks are meticulously crafted, highly customized, and contextual.  

They target specific employees, manipulating their trust in authority to convince them to act against their employer’s best interests. Because messages are tailored to align with internal culture, BEC attacks are harder to detect.  

Myth #7 We can spot a fake email. 

Fact: 28% of BEC emails are opened by employees. This means nearly 1 in 3 BEC attack emails successfully bypass technical filters and human suspicion. 

And that’s not all: 15% of BEC emails that are read actually receive a reply. This means a significant portion of employees are engaging with attackers. 

The survival kit for BEC email security: What all the top experts are doing – and you should too 

The BEC-proof checklist: 10 questions you must answer to keep your business safe 

Miss even one and your business could be the next BEC statistic. 

#1 Do we have a process for verifying all urgent financial requests? 

Strong protocols such as a two-step verification process for wire transfers and changes to payment details can minimize BEC threats. 

#2 Are we simulating BEC email attacks in employee training? 

Using training tools like Hoxhunt, which offers adaptive difficulty levels, gamification elements, and micro-learning sessions, can reinforce correct behavior and turn mistakes into learning opportunities. 

#3 Have we reviewed our vendor and third-party relationships? 

Sharing your organization’s BEC prevention policies and requiring BEC security controls in contractual agreements can reduce third-party risk. 

#4 Do we have a clear incident response (IR) plan? 

Implementing a structured IR plan to detect, contain, and recover from a BEC attack is critical to business continuity.  

#5 Have we implemented secure identity and access management practices? 

Implementing strong access & provisioning controls helps reduce the number of potential entry points for attackers. 

#6 Are we regularly backing up our data? 

Scheduling frequent, automated backups of email, financial, and critical business data can ensure rapid recovery and minimized downtime after an attack.  

#7 Have we established multi-factor authentication for all critical accounts? 

Enforcing phishing-resistant MFA for all email accounts and critical financial systems can reduce the risk of unauthorized access through stolen credentials. 

#8 Have we reviewed our cyber insurance coverage? 

Standard cyber insurance often excludes coverage for social engineering attacks like BEC. Review your policy to confirm BEC attacks are explicitly covered and take note of any exclusions and sub-limits (which can be as low as $100,000). 

Higher limits (such as $1 million or more) are usually only available under a separate commercial crime policy. 

#9 Have we updated our defenses with AI-driven threat monitoring and detection? 

AI is becoming essential in cyber defense. Use AI-based security tools like Darktrace, Arctic Wolf, Abnormal Security, or IRONSCALES to monitor suspicious wire transfer and payment change requests. 

#10 Do we use advanced email security tools? 

Implementing SPF, DKIM, and DMARC authentication lets receiving mail servers verify that a message claiming to come from your domain was actually authorized by it, and tells them what to do with messages that fail, making it far more difficult for scammers to send fraudulent payment requests that appear to come from your organization. 
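Publishing these records is only half the job; a DMARC record with p=none or an SPF record ending in ?all authenticates nothing in practice, because receivers are told to deliver failing mail anyway. The checker below is an added example for this post, not a LastPass tool: it parses the text of an SPF and a DMARC record (as you would copy them out of your DNS zone) and names the weak settings a practitioner looks for, with a weak and a hardened record of each kind. All record contents, including the _spf.example.net include and the report mailbox, are constructed for the example.

```python
import re


def parse_tags(record):
    """Parse a 'k=v; k=v' tag list as used by DMARC TXT records into a dict."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return a list of weaknesses in a DMARC record; an empty list means it is hardened."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("p=none: spoofed mail is only reported, never blocked")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail lands in spam instead of being rejected")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy is applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so spoofing attempts go unseen")
    # Subdomain policy defaults to p; an explicit sp=none reopens every subdomain.
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        findings.append("sp=none: subdomains are left unprotected")
    return findings


# Mechanisms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_MECHANISM = re.compile(r"^[+\-~?]?(include:|a($|[:/])|mx($|[:/])|ptr|exists:|redirect=)")


def assess_spf(record):
    """Return a list of weaknesses in an SPF record; an empty list means it is hardened."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    findings = []
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append(f"'{last}': every host on the internet passes SPF for this domain")
    elif last == "?all":
        findings.append("'?all': neutral result, which receivers treat like having no SPF")
    elif last == "~all":
        findings.append("'~all': softfail only; acceptable during rollout, -all is stronger")
    elif last != "-all":
        findings.append("record does not end with an 'all' mechanism")
    lookups = sum(1 for t in terms if LOOKUP_MECHANISM.match(t.lower()))
    if lookups > 10:
        findings.append(f"{lookups} lookup mechanisms exceed the limit of 10 (SPF permerror)")
    return findings


# Constructed records: a weak and a hardened example of each type.
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@example.com"
WEAK_SPF = "v=spf1 include:_spf.example.net a mx ?all"
STRONG_SPF = "v=spf1 include:_spf.example.net -all"

if __name__ == "__main__":
    for label, rec, fn in (("DMARC", WEAK_DMARC, assess_dmarc), ("SPF", WEAK_SPF, assess_spf)):
        print(f"{label}: {rec}")
        for finding in fn(rec):
            print("  -", finding)
```

The hardened records produce no findings; the weak DMARC record is flagged for p=none and the missing report address, and the weak SPF record for its neutral ?all terminator. Note that none of this authenticates inbound mail from other organizations; it protects your own domain from being spoofed, which is exactly the case the checklist item describes.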

Business email compromise protection with LastPass 

Let’s face it: BEC attacks are expensive. 

And just ONE weak or reused password can leave your company’s email accounts vulnerable to credential theft and unauthorized access.  

By adding a Secure by Design password manager to your arsenal, you protect your business in the ways that matter. 

Don’t wait for BEC to strike: Try LastPass Business Max FREE today and see the difference it makes. 
