# BEC for Small Business: How It Works, How to Stop It | RankShield Financial

> Business email compromise tricks small teams into paying a fraudster. Here is how BEC works and the one control that stops it before the payment settles.
>
> Source: https://rankshieldfinancial.com/resources/business-email-compromise-small-business/ · RankShield Financial (verifiable pre-settlement payment security)

RankShield Network · Financial · Payment Fraud
# Business Email Compromise for Small Business: How BEC Works and How to Stop It Before Settlement

Business email compromise is the most expensive fraud a small business faces, and email security tools do not catch the payment itself. Here is how BEC works, the variants you actually see, and the process control that stops it before the money settles.
   By  Jamie Kloncz  Founder, RankShield Financial    July 22, 2026 · 12 min read        Key takeaways
- Business email compromise is a scam that uses email to get your team to send a real payment or change where a supplier is paid. The FBI recorded $3.046 billion in reported BEC losses across 24,768 complaints in 2025, with 86 percent moving by wire or ACH.
- BEC defeats bank and email defenses because the payment is authorized. Nothing about it looks anomalous at the moment it clears, because a real, trusted person pushed it.
- Small businesses are the primary target, not collateral damage. The 2026 AFP survey found 74 percent of organizations were hit by BEC, and 48 percent of firms under $1 billion in revenue took a fraud loss.
- DMARC and multi-factor authentication reduce the email vector but do not stop an authorized payment. The control that catches BEC is a process one applied before the payment settles.
- You cannot fully prevent a deceived approver from paying; the achievable goal is to verify the payee and the approval before settlement and keep evidence of the decision, which is what RankShield Financial is built to do.

Business email compromise, or BEC, is a scam that uses email to trick your team into sending a real payment or redirecting a supplier’s payments to an account the attacker controls. It is not a break-in at your bank; it is a deception aimed at the person who approves payments, which is why the money leaves looking completely authorized. For a small business with no security team, it is the most expensive fraud you are realistically going to face. The FBI’s Internet Crime Complaint Center reported $3.046 billion in reported BEC losses across 24,768 complaints in 2025, with 86 percent of the money moving by wire or ACH 1 , the fast and largely irreversible rails. BEC is not a technical exploit a firewall blocks. It is a con aimed at a busy person who has the authority to pay, and the 2026 AFP Payments Fraud and Control Survey found that 74 percent of organizations were hit by business email compromise 2 in the prior year. This guide explains what BEC actually is, the handful of variants a small business really sees, why smaller companies are the primary target rather than collateral damage, and how to stop it without an IT department. Most advice points you at email tools like DMARC and multi-factor authentication. Those reduce the email vector, but they do not catch the payment itself. The control that does is a process control applied before the money settles, and that is where this guide lands. One honest note first: no tool removes the human judgment the scam attacks, so the goal is not a magic filter. It is to make the unsafe step unskippable and to hold a suspect payment before it is released.

## What business email compromise is, and how the money actually leaves your account

Business email compromise is a scam that gets an authorized employee to move money or change payment details based on an email that appears to come from someone they trust. The attacker does not need your banking credentials. They need your team to believe that a boss, a supplier, or a lawyer sent a genuine request. Sometimes they spoof a familiar address; more often they compromise a real mailbox and send from inside it, so the message passes every technical check because it is technically genuine. The fraud lives in the deception, not in the transaction data.

The sequence is consistent. An attacker gets into or imitates an email account, reads real invoice and payment threads to learn your vendors, amounts, and timing, then sends a request that fits the pattern: a changed bank account, an urgent wire, a rerouted payroll deposit. It arrives right before a payment run, framed as time-sensitive, from a name your team recognizes. Your staff does what the email asks, and the payment clears as a normal, authorized transaction. Because 86 percent of BEC losses move by wire or ACH, the money is often gone or moved onward before anyone questions the request.

## The BEC variants a small business actually sees

Business email compromise is one technique with a few reliable disguises, and a small business tends to see the same handful. Knowing the shape of each one is what lets a non-specialist spot the request before paying it. The FBI now tracks a rising overlap between these scams and generative AI, which lets attackers write cleaner messages and clone a familiar voice for a follow-up call. In 2025 the IC3 recorded more than $893 million in losses across complaints with an AI nexus, and more than $30 million tied specifically to BEC with an AI component 1 . AI makes the message more convincing; it does not change the control that stops it.

Every variant below ends the same way: an authorized person releases a payment to an account the attacker controls. The tell is never the grammar of the email. It is the request itself, a change to where money goes, arriving through a channel you cannot independently trust. If your business runs payments, this is the moment worth pausing on, and you can [request access](https://rankshieldfinancial.com/contact/) to a control that makes that pause automatic.

- Executive wire fraud (CEO fraud): a message that looks like it is from your owner or CFO asks for an urgent, confidential wire, often for an acquisition or a vendor deposit. It leans on authority and secrecy so the approver skips the normal check.
- Vendor or supplier invoice swap: an attacker in a supplier’s inbox emails that the banking details for an open invoice have changed. Your team updates the vendor record and pays the next run to the fraudster.
- Payroll diversion: an email posing as an employee asks HR or payroll to update direct-deposit details, quietly rerouting that person’s next paycheck.
- Attorney or closing impersonation: around a real estate closing or a legal settlement, a spoofed message sends new wire instructions for funds that are large and one-time, so the victim has no baseline to compare against.
- Data-then-payment requests: an urgent ask for W-2s, a vendor list, or gift cards that either harvests information for a later payment scam or extracts value directly.

## Why small businesses are the primary target, not collateral damage

Small and mid-sized businesses are targeted deliberately because they combine real money with thin controls. A larger company has a treasury team, enforced separation of duties, and payment software that holds anomalies. A ten-person business often has one person who both updates a vendor’s bank details and approves the payment, which means the single check that would stop the scam does not exist by default. Attackers know this, and they price their effort accordingly.

The loss data shows the exposure is not a big-company problem. The 2026 AFP Payments Fraud and Control Survey found that 76 percent of organizations faced attempted or actual payments fraud, and 48 percent of firms under $1 billion in revenue took a fraud loss 2 . Smaller firms are more exposed per dollar because a single fraudulent wire can equal a meaningful share of a month’s cash, and there is rarely a dedicated person whose job is to catch it. The standard advice assumes someone has time to verify every change and get a second approval. At an understaffed accounts payable desk under a deadline, that assumption is exactly what breaks.

## How to stop BEC without an IT team: process controls over email security

The most useful thing to understand is that email security and payment security are different problems. DMARC, SPF, DKIM, and multi-factor authentication make it harder for an attacker to spoof or enter your mailbox, and every business should turn them on. They do not, and cannot, stop a payment your own employee was tricked into authorizing, because that payment is legitimate at the transaction level. For a business with no IT team, the work that pays off most is not more email tooling. It is a small number of process controls on the payment itself, applied to every request to move money or change where it goes.

These controls share one principle: the email that requested the change can never be the thing that verifies it. Each step below removes a specific way the scam wins under pressure, and none of them require a security specialist to run. The point is to make the safe path the only path, so a rushed approver does not have to remember to be careful.

- Verify out of band. Confirm any payment change or urgent wire using a phone number from your own records or the counterparty’s official site, never a number, link, or reply in the request itself.
- Require a second, named approver. The person who edits a vendor’s bank details or initiates a wire must not be the only person who approves it. One extra set of eyes breaks most BEC attempts.
- Hold the first payment to changed details. Apply a short cooling-off period so a first payment to new banking details is held for verification rather than released on the next run.
- Match the payee before release. Check that who is being paid matches a vendor or employee record you verified through a trusted channel, not one edited from an email.
- Keep an approval record. Retain evidence that a specific, authorized person approved this specific payee and amount, so any request can be traced and defended later.

## The one control that catches BEC after every other layer fails

Email filters and staff training reduce how many BEC messages reach an approver, but neither one is a payment control, and both fail eventually because the whole scam is engineered to look normal to a human. The control that actually changes the outcome sits at the last possible moment: verifying the payment before it is released, rather than scoring it for risk after it has settled. On the wire and instant rails that increasingly carry these payments, that timing matters, because those rails are fast and final. The Clearing House’s RTP network moved 2.27 million payments worth $8.62 billion in a single day on May 1, 2026 4 , and the Federal Reserve’s FedNow service now reaches over half of all U.S. checking and savings accounts 5 . Once a payment settles on those rails there is no clawback to wait for. Nacha’s fraud-monitoring rules, whose second phase took effect in June 2026 for all remaining non-consumer originators 3 , now require businesses to screen for payments initiated under false pretenses, which is Nacha’s exact term for the identity and authority deception BEC relies on.

This is where RankShield Financial fits. It sits in the authorization path as a verification and attestation layer, not a wallet or a processor, and it never takes custody of your funds; your existing bank and rails still move the money. It verifies the payee and proves an authorized approval for the [invoice and vendor fraud](https://rankshieldfinancial.com/invoice-fraud-prevention/) case and the [urgent executive wire](https://rankshieldfinancial.com/ceo-fraud-wire-fraud/) case before release, and it seals a signed, tamper-evident record of the decision. Unlike a private fraud score you have to trust, a verdict on the RankShield Network is independently verifiable, so an examiner, an insurer, or a partner can check it rather than take it on faith. That shared signal compounds as members join, rather than claiming a scale we have not yet reached. The signing is quantum-safe by construction, not quantum-proof, and the aim is honest: hold a suspect payee [before it settles](https://rankshieldfinancial.com/pre-settlement-payment-verification/) and produce evidence of exactly who approved what. If you run payments and want that check to be automatic, you can [request access](https://rankshieldfinancial.com/contact/).

## What to do in the first hour if you already paid a BEC invoice

If you think you have already paid a fraudulent request, speed is the only thing on your side, and it is a backstop, not a plan. Call your bank immediately and ask them to attempt a recall or to freeze the receiving account, then report the fraud to the FBI’s IC3 so its Recovery Asset Team can try to halt the funds. On wire and ACH the practical window is short and on instant rails it can be minutes, because fraudsters move the money onward through other accounts as soon as it lands. Recovery works for a minority of victims, mainly those who report while the money is still sitting in the first receiving account.

Then contain the cause. If the request came from a compromised mailbox, reset that account’s credentials, check its forwarding rules and filters for anything the attacker added, and warn any counterparty whose inbox may be involved. Preserve the emails and payment records as evidence. The reason this section is short is that the first hour has a hard ceiling on what it can recover, and that ceiling is exactly why the durable defense is verifying the payment before it leaves rather than chasing it afterward. Once value settles to the account the fraudster controls, there is usually nothing left to reverse.
        Operate it
## Verify a payment before it settles

Compose a payment and the conditions around it, then run the same check the product runs on a live rail. The verdict comes back before the money would move.
      Pay to     Amount (USD)     Conditions around this payment      Bank details changed by email       First-time payee       Amount over approval policy       Approver signature verifies       PRE-SETTLEMENT VERDICT  RANKSHIELD NETWORK
Compose a payment on the left and run the check. The verdict is returned before the money moves, the way the product returns it on a live rail.

Sandbox demo · reproduces the product’s verdict logic and signing metadata · not a live network call
        Downloadable · SVG
Business email compromise wears a few reliable disguises, but every one ends the same way: an authorized person releases money to an account the attacker controls. The defense is not spotting the email; it is verifying the payee and the approval before release.
      FAQ
## Frequently asked questions

Every question buyers ask before they trust a payment-security platform, answered directly.
           JAMIE KLONCZ · RANKSHIELD FINANCIAL           ONLINE
Pick a question on the left, or search above. You will get the direct answer, the way an answer engine would give it.
      REQUEST ACCESS →           Self-check
## How exposed are your payments?

Five controls decide whether an authorized-payment scam gets through on a fast rail. Answer them honestly to see where you stand.

- 01 Do you send payments on instant or same-day rails (RTP, FedNow, same-day ACH)?
- 02 Can one person both change a vendor’s bank details and approve the payment?
- 03 Do you always confirm a bank-detail change on a number from your own files, not the request?
- 04 Is the first payment to a new or changed payee held for verification before it goes out?
- 05 Do you keep a signed record of exactly who approved each payment?

Answer all five to see where you stand · 0/5
        References
- [FBI IC3, 2025 Internet Crime Report (BEC $3.046B, 86% wire/ACH; AI-nexus >$893M, BEC with AI nexus >$30M)](https://www.ic3.gov/AnnualReport/Reports/2025_IC3Report.pdf)
- [AFP, 2026 Payments Fraud and Control Survey (76% attempted/actual fraud; 74% BEC; 48% of sub-$1B firms took a loss)](https://www.financialprofessionals.org/training-resources/resources/survey-research-economic-data/details/payments-fraud)
- [Nacha, Risk Management Topics: Fraud Monitoring Phase 2 (false pretenses, effective June 2026)](https://www.nacha.org/rules/risk-management-topics-fraud-monitoring-phase-2)
- [The Clearing House, RTP Network record $8.62B single day (May 1, 2026)](https://www.theclearinghouse.org/payment-systems/Articles/2026/05/RTP-Network-Marks-May-Day-with-Record-Breaking-Volume-and-Value)
- [Federal Reserve, FedNow Service participants (reaches over half of U.S. accounts)](https://www.frbservices.org/financial-services/fednow/organizations)

         About the author
## [Jamie Kloncz](https://rankshieldfinancial.com/about/) Founder, RankShield Financial

Jamie founded RankShield Financial to verify a payment’s intent and authority before it settles on instant and tokenized rails. These guides are written from building that product and reading the primary sources directly: every statistic here links to its original filing or report, never a secondhand summary.

- Primary sources only — each figure links to the original filing
- Honest boundaries — what verification can and cannot do is stated plainly
- Last verified July 22, 2026

  How RankShield Financial verifies →  Request access →            Verify, then settle
## See your payments verified before they settle.

RankShield Financial is rolling out with design partners on instant and tokenized rails. Request access and we’ll map it to your settlement flow.
  Request access  How it works

## Frequently asked questions

### What is business email compromise in simple terms?

Business email compromise, or BEC, is a scam where an attacker uses email to trick an employee into sending money or changing where a payment goes. The email looks like it came from a boss, a supplier, or a lawyer the person already trusts, either because the attacker spoofed the address or got into the real mailbox. There is no hacking of your bank. The payment is made by your own authorized employee, which is why it clears normally and why ordinary bank fraud controls do not flag it. BEC is the most expensive category of business payment fraud, and it works on the deception, not on a technical exploit.

### Is my small business really a target for business email compromise?

Yes, and often more than a large one. Attackers target small and mid-sized businesses because they hold real money but rarely have the controls that stop the scam, such as a treasury team or enforced separation of duties. The 2026 AFP Payments Fraud and Control Survey found 74 percent of organizations were hit by BEC and 48 percent of firms under $1 billion in revenue took a fraud loss. In a small business, one person often both updates a vendor’s bank details and approves the payment, so the single check that would catch the fraud does not exist. That gap, not company size, is what attackers are aiming at.

### How do I prevent BEC without an IT department?

Focus on the payment, not just the email. Turn on multi-factor authentication and email authentication if you can, but treat those as reducing the email vector, not stopping the payment. The controls that actually catch BEC are process ones any team can run: verify every payment change or urgent wire out of band using a number from your own records, require a second named approver, hold the first payment to changed bank details for a short cooling-off period, and match the payee to a record you verified through a trusted channel before release. None of these need a security specialist. They just have to be mandatory rather than optional, so a rushed approver cannot skip them.

### Does MFA or DMARC stop business email compromise?

They help, but they do not stop the payment. Multi-factor authentication makes it harder for an attacker to log into a mailbox, and DMARC, SPF, and DKIM make it harder to spoof your domain, so both reduce how many BEC messages get through. Neither one can stop a payment that your own employee was deceived into authorizing, because at the transaction level that payment is legitimate. Many BEC attacks also come from a genuinely compromised account, which passes every email authentication check because the mail really is from that address. Email security is worth having; it is simply the wrong layer to rely on for catching the fraudulent payment itself.

### What should I do if we already paid a fraudulent invoice?

Act within the hour and do not count on recovery. Call your bank immediately and ask them to attempt a recall or freeze the receiving account, and report it to the FBI’s IC3 so the Recovery Asset Team can try to halt the funds. Recovery only works for victims who report while the money is still in the first receiving account, which on instant rails can be minutes, because fraudsters move funds onward quickly. Then contain the cause: reset the compromised mailbox’s credentials, check its forwarding rules for anything the attacker added, warn affected counterparties, and preserve the emails and payment records as evidence. Once the payment settles to the fraudster’s account, there is usually nothing left to reverse.

### Does insurance cover business email compromise losses?

It depends on the policy, and you should confirm the specifics with your insurer rather than assume. Some cyber and crime policies include social engineering or fraudulent instruction coverage that can apply to BEC, but that coverage is often a separate add-on with its own limit, and claims can be denied when required verification controls were not followed. That last point matters for a small business: insurers increasingly expect out-of-band verification and dual approval on payment changes, and keeping evidence that an authorized person approved a specific payment can be the difference between a paid and a denied claim. Read your policy for social engineering fraud terms, and treat prevention controls as a condition of coverage, not a substitute for it.
