Request access
RankShield Network · Financial · Payment Fraud

Business Email Compromise for Small Business: How BEC Works and How to Stop It Before Settlement

Business email compromise is the most expensive fraud a small business faces, and email security tools do not catch the payment itself. Here is how BEC works, the variants you actually see, and the process control that stops it before the money settles.

Key takeaways
  • Business email compromise is a scam that uses email to get your team to send a real payment or change where a supplier is paid. The FBI recorded $3.046 billion in reported BEC losses across 24,768 complaints in 2025, with 86 percent moving by wire or ACH.
  • BEC defeats bank and email defenses because the payment is authorized. Nothing about it looks anomalous at the moment it clears, because a real, trusted person pushed it.
  • Small businesses are the primary target, not collateral damage. The 2026 AFP survey found 74 percent of organizations were hit by BEC, and 48 percent of firms under $1 billion in revenue took a fraud loss.
  • DMARC and multi-factor authentication reduce the email vector but do not stop an authorized payment. The control that catches BEC is a process one applied before the payment settles.
  • You cannot fully prevent a deceived approver from paying; the achievable goal is to verify the payee and the approval before settlement and keep evidence of the decision, which is what RankShield Financial is built to do.

Business email compromise, or BEC, is a scam that uses email to trick your team into sending a real payment or redirecting a supplier’s payments to an account the attacker controls. It is not a break-in at your bank; it is a deception aimed at the person who approves payments, which is why the money leaves looking completely authorized. For a small business with no security team, it is the most expensive fraud you are realistically going to face. The FBI’s Internet Crime Complaint Center reported $3.046 billion in reported BEC losses across 24,768 complaints in 2025, with 86 percent of the money moving by wire or ACH1, the fast and largely irreversible rails. BEC is not a technical exploit a firewall blocks. It is a con aimed at a busy person who has the authority to pay, and the 2026 AFP Payments Fraud and Control Survey found that 74 percent of organizations were hit by business email compromise2 in the prior year. This guide explains what BEC actually is, the handful of variants a small business really sees, why smaller companies are the primary target rather than collateral damage, and how to stop it without an IT department. Most advice points you at email tools like DMARC and multi-factor authentication. Those reduce the email vector, but they do not catch the payment itself. The control that does is a process control applied before the money settles, and that is where this guide lands. One honest note first: no tool removes the human judgment the scam attacks, so the goal is not a magic filter. It is to make the unsafe step unskippable and to hold a suspect payment before it is released.

What business email compromise is, and how the money actually leaves your account

Business email compromise is a scam that gets an authorized employee to move money or change payment details based on an email that appears to come from someone they trust. The attacker does not need your banking credentials. They need your team to believe that a boss, a supplier, or a lawyer sent a genuine request. Sometimes they spoof a familiar address; more often they compromise a real mailbox and send from inside it, so the message passes every technical check because it is technically genuine. The fraud lives in the deception, not in the transaction data.

The sequence is consistent. An attacker gets into or imitates an email account, reads real invoice and payment threads to learn your vendors, amounts, and timing, then sends a request that fits the pattern: a changed bank account, an urgent wire, a rerouted payroll deposit. It arrives right before a payment run, framed as time-sensitive, from a name your team recognizes. Your staff does what the email asks, and the payment clears as a normal, authorized transaction. Because 86 percent of BEC losses move by wire or ACH, the money is often gone or moved onward before anyone questions the request.

The BEC variants a small business actually sees

Business email compromise is one technique with a few reliable disguises, and a small business tends to see the same handful. Knowing the shape of each one is what lets a non-specialist spot the request before paying it. The FBI now tracks a rising overlap between these scams and generative AI, which lets attackers write cleaner messages and clone a familiar voice for a follow-up call. In 2025 the IC3 recorded more than $893 million in losses across complaints with an AI nexus, and more than $30 million tied specifically to BEC with an AI component1. AI makes the message more convincing; it does not change the control that stops it.

Every variant below ends the same way: an authorized person releases a payment to an account the attacker controls. The tell is never the grammar of the email. It is the request itself, a change to where money goes, arriving through a channel you cannot independently trust. If your business runs payments, this is the moment worth pausing on, and you can request access to a control that makes that pause automatic.

  • Executive wire fraud (CEO fraud): a message that looks like it is from your owner or CFO asks for an urgent, confidential wire, often for an acquisition or a vendor deposit. It leans on authority and secrecy so the approver skips the normal check.
  • Vendor or supplier invoice swap: an attacker in a supplier’s inbox emails that the banking details for an open invoice have changed. Your team updates the vendor record and pays the next run to the fraudster.
  • Payroll diversion: an email posing as an employee asks HR or payroll to update direct-deposit details, quietly rerouting that person’s next paycheck.
  • Attorney or closing impersonation: around a real estate closing or a legal settlement, a spoofed message sends new wire instructions for funds that are large and one-time, so the victim has no baseline to compare against.
  • Data-then-payment requests: an urgent ask for W-2s, a vendor list, or gift cards that either harvests information for a later payment scam or extracts value directly.

Why small businesses are the primary target, not collateral damage

Small and mid-sized businesses are targeted deliberately because they combine real money with thin controls. A larger company has a treasury team, enforced separation of duties, and payment software that holds anomalies. A ten-person business often has one person who both updates a vendor’s bank details and approves the payment, which means the single check that would stop the scam does not exist by default. Attackers know this, and they price their effort accordingly.

The loss data shows the exposure is not a big-company problem. The 2026 AFP Payments Fraud and Control Survey found that 76 percent of organizations faced attempted or actual payments fraud, and 48 percent of firms under $1 billion in revenue took a fraud loss2. Smaller firms are more exposed per dollar because a single fraudulent wire can equal a meaningful share of a month’s cash, and there is rarely a dedicated person whose job is to catch it. The standard advice assumes someone has time to verify every change and get a second approval. At an understaffed accounts payable desk under a deadline, that assumption is exactly what breaks.

How to stop BEC without an IT team: process controls over email security

The most useful thing to understand is that email security and payment security are different problems. DMARC, SPF, DKIM, and multi-factor authentication make it harder for an attacker to spoof or enter your mailbox, and every business should turn them on. They do not, and cannot, stop a payment your own employee was tricked into authorizing, because that payment is legitimate at the transaction level. For a business with no IT team, the work that pays off most is not more email tooling. It is a small number of process controls on the payment itself, applied to every request to move money or change where it goes.

These controls share one principle: the email that requested the change can never be the thing that verifies it. Each step below removes a specific way the scam wins under pressure, and none of them require a security specialist to run. The point is to make the safe path the only path, so a rushed approver does not have to remember to be careful.

  • Verify out of band. Confirm any payment change or urgent wire using a phone number from your own records or the counterparty’s official site, never a number, link, or reply in the request itself.
  • Require a second, named approver. The person who edits a vendor’s bank details or initiates a wire must not be the only person who approves it. One extra set of eyes breaks most BEC attempts.
  • Hold the first payment to changed details. Apply a short cooling-off period so a first payment to new banking details is held for verification rather than released on the next run.
  • Match the payee before release. Check that who is being paid matches a vendor or employee record you verified through a trusted channel, not one edited from an email.
  • Keep an approval record. Retain evidence that a specific, authorized person approved this specific payee and amount, so any request can be traced and defended later.

The one control that catches BEC after every other layer fails

Email filters and staff training reduce how many BEC messages reach an approver, but neither one is a payment control, and both fail eventually because the whole scam is engineered to look normal to a human. The control that actually changes the outcome sits at the last possible moment: verifying the payment before it is released, rather than scoring it for risk after it has settled. On the wire and instant rails that carry most BEC losses, that timing matters. Nacha’s fraud-monitoring rules, whose second phase took effect in June 2026 for all remaining non-consumer originators3, now require businesses to screen for payments initiated under false pretenses, which is Nacha’s exact term for the identity and authority deception BEC relies on.

This is where RankShield Financial fits. It sits in the authorization path as a verification and attestation layer, not a wallet or a processor, and it never takes custody of your funds; your existing bank and rails still move the money. It verifies the payee and proves an authorized approval for the invoice and vendor fraud case and the urgent executive wire case before release, and it seals a signed, tamper-evident record of the decision. Unlike a private fraud score you have to trust, a verdict on the RankShield Network is independently verifiable, so an examiner, an insurer, or a partner can check it rather than take it on faith. That shared signal compounds as members join, rather than claiming a scale we have not yet reached. The signing is quantum-safe by construction, not quantum-proof, and the aim is honest: hold a suspect payee before it settles and produce evidence of exactly who approved what. If you run payments and want that check to be automatic, you can request access.

What to do in the first hour if you already paid a BEC invoice

If you think you have already paid a fraudulent request, speed is the only thing on your side, and it is a backstop, not a plan. Call your bank immediately and ask them to attempt a recall or to freeze the receiving account, then report the fraud to the FBI’s IC3 so its Recovery Asset Team can try to halt the funds. On wire and ACH the practical window is short and on instant rails it can be minutes, because fraudsters move the money onward through other accounts as soon as it lands. Recovery works for a minority of victims, mainly those who report while the money is still sitting in the first receiving account.

Then contain the cause. If the request came from a compromised mailbox, reset that account’s credentials, check its forwarding rules and filters for anything the attacker added, and warn any counterparty whose inbox may be involved. Preserve the emails and payment records as evidence. The reason this section is short is that the first hour has a hard ceiling on what it can recover, and that ceiling is exactly why the durable defense is verifying the payment before it leaves rather than chasing it afterward. Once value settles to the account the fraudster controls, there is usually nothing left to reverse.

FAQ

Frequently asked questions

Every question buyers ask before they trust a payment-security platform, answered directly.

JAMIE KLONCZ · RANKSHIELD FINANCIAL ONLINE

Pick a question on the left, or search above. You will get the direct answer, the way an answer engine would give it.

REQUEST ACCESS →
Verify, then settle

See your payments verified before they settle.

RankShield Financial is rolling out with design partners on instant and tokenized rails. Request access and we’ll map it to your settlement flow.

Request accessHow it works