Common BEC Tactics: How Scammers Conduct Attacks
Business email compromise attacks succeed because they exploit the one vulnerability no firewall can fix: human trust.
Attackers don't need to break through sophisticated security systems when they can simply ask an employee to wire funds or share sensitive data. They can make it look like the request came from someone with authority to ask, all with very little effort. These aren't theoretical scenarios; they're the exact playbooks criminals use against eCommerce merchants every day.
The goal is to recognize the red flags before money leaves your account or credentials fall into the wrong hands, and understanding the specific tactics fraudsters use is the key to doing that.
CEO Fraud
The attacker compromises or spoofs the email account of a high-level executive, typically the CEO, CFO, or company owner. The scammer impersonates that individual and then emails an employee with authority to move money, usually someone in finance or accounting.
The message will be crafted to have a sense of urgency. It might say something like “I'm in a meeting and can't talk, but I need you to wire $30,000 to this vendor immediately for a time-sensitive deal.”
Even if the scammer is using a fake email address, it’ll look nearly identical to the executive’s real address, often using a lookalike domain (“john@yourcompany.com” vs. “john@yourcompany.co”).
This tactic is effective because it weaponizes organizational hierarchy and the fear of questioning authority. The request appears to come from leadership, so the employee feels pressured to comply quickly without following normal verification procedures, or even thinking to themselves, “Does this sound legit?”
Fake Invoice Scams
A fraudster poses as a legitimate vendor or supplier that your company does business with regularly. They email over a seemingly legitimate invoice; the email thread might even reference real previous transactions to establish credibility.
The invoice looks identical to past bills. It has the same logo, same formatting, and same invoice numbers. There’s one crucial difference, though: the bank account or payment destination has changed.
The scammer might say something like “we've updated our banking information, please use these new details for all future payments.” Or, they may say they’re sending over a “corrected invoice” shortly after you receive the legitimate one.
Attackers often time these emails to coincide with expected payment cycles, increasing the likelihood that finance teams will process them without scrutiny. For eCommerce merchants juggling dozens of vendor relationships, one altered routing number can result in six-figure losses.
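The two red flags described above, a lookalike sender domain (CEO fraud) and invoice bank details that no longer match what finance has on file (fake invoice scams), are both mechanical checks that an accounts-payable intake step can run before a human ever reads the urgent message. The following Python is an added example written for this page, not code from the article or its publisher. The trusted domains, the vendor master record, the urgency phrases and the sample requests are all constructed; real deployments would read the vendor master from the ERP system and treat any flag as a trigger for out-of-band verification (a phone call to a number already on file), never as a reason to auto-approve.

```python
"""Screen a payment request for two BEC red flags: a sender domain that merely
resembles a trusted domain, and bank details that differ from the vendor master.
Added example for this page; all data below is constructed for illustration."""
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import Dict, List, Optional, Set

# Constructed: domains this organisation accepts payment instructions from.
TRUSTED_DOMAINS: Set[str] = {"yourcompany.com", "acme-supplies.com"}

# Constructed vendor master: the routing/account numbers finance has on file.
VENDOR_MASTER: Dict[str, Dict[str, str]] = {
    "acme-supplies.com": {"routing": "021000021", "account": "1234567890"},
}

# Phrases the article cites as pressure/secrecy cues (constructed list).
URGENCY_CUES = ("immediately", "urgent", "time-sensitive", "can't talk",
                "updated our banking")

# Digits attackers substitute for visually similar letters.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def _normalize(domain: str) -> str:
    """Fold the tricks that make 'yourc0mpany.com' or 'yourcompany.co' look right."""
    return domain.lower().translate(_HOMOGLYPHS).replace("-", "").replace(".", "")


def lookalike_of(sender_domain: str, trusted: Set[str] = TRUSTED_DOMAINS,
                 threshold: float = 0.85) -> Optional[str]:
    """Return the trusted domain that sender_domain imitates, or None.

    An exact match is not a lookalike; anything else whose normalized form is
    close to a trusted domain (TLD swap, dropped hyphen, digit-for-letter) is.
    """
    sender = sender_domain.lower()
    if sender in trusted:
        return None
    norm_sender = _normalize(sender)
    best, best_score = None, 0.0
    for candidate in trusted:
        score = SequenceMatcher(None, norm_sender, _normalize(candidate)).ratio()
        if score > best_score:
            best, best_score = candidate, score
    return best if best_score >= threshold else None


@dataclass
class PaymentRequest:
    sender_domain: str   # domain of the From: address
    vendor: str          # vendor key as used in VENDOR_MASTER
    routing: str
    account: str
    body: str


def screen(req: PaymentRequest, trusted: Set[str] = TRUSTED_DOMAINS,
           master: Dict[str, Dict[str, str]] = VENDOR_MASTER) -> List[str]:
    """Return the red flags raised by a request; an empty list means none."""
    flags: List[str] = []
    imitated = lookalike_of(req.sender_domain, trusted)
    if imitated:
        flags.append(f"sender domain {req.sender_domain!r} resembles trusted {imitated!r}")
    on_file = master.get(req.vendor)
    if on_file is None:
        flags.append(f"unknown vendor {req.vendor!r}")
    elif (on_file["routing"], on_file["account"]) != (req.routing.strip(), req.account.strip()):
        flags.append("bank details differ from vendor master; verify out of band")
    lowered = req.body.lower()
    cues = [c for c in URGENCY_CUES if c in lowered]
    if cues:
        flags.append("urgency/secrecy language: " + ", ".join(cues))
    return flags


if __name__ == "__main__":
    # Constructed sample: a 'CEO' writing from the .co lookalike domain.
    ceo = PaymentRequest("yourcompany.co", "acme-supplies.com", "021000021", "1234567890",
                         "I'm in a meeting and can't talk, but wire $30,000 immediately.")
    for flag in screen(ceo):
        print("FLAG:", flag)
```

Because the flags are returned rather than acted on, the same function can sit in an intake script, a ticketing webhook or a unit test; the threshold of 0.85 is an assumption tuned for short domains and should be validated against your own vendor list so that legitimately similar vendor names do not drown the queue in false positives.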
Account Compromise
Rather than spoofing an email address, attackers gain access to a legitimate employee’s actual email account through phishing, credential stuffing, or malware.
Once inside, the scammer will monitor email traffic to understand company operations, payment procedures, and who has authority to approve transactions. Then, they strike when the compromised employee is unavailable (sending payment requests during vacations or outside business hours, for example), making it harder for colleagues to verify the request directly.
Because the email genuinely comes from the employee's account, it passes authentication checks and looks completely legitimate in every way. The attacker may also set up email rules to hide responses or alerts, keeping the compromise undetected for weeks or months.
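Since a message sent from a genuinely compromised account passes SPF, DKIM and DMARC, the detectable artifact is often the inbox rule the attacker creates to hide replies and alerts. The audit below is an added example written for this page, not code from the article or any mail platform vendor. It models a rule as a small dataclass whose field names are assumptions (a real export from Exchange Online or Google Workspace would need mapping onto them), and it flags the patterns worth reviewing: finance-related mail that is deleted, marked read or filed into a rarely watched folder, blanket deletion, forwarding to an external domain, and rules with blank or punctuation-only names. The rules themselves are constructed samples.

```python
"""Audit mailbox rules for the hiding patterns a BEC actor relies on after
compromising an account. Added example; field names and sample rules are
constructed, not taken from any vendor's rule export format."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

INTERNAL_DOMAIN = "yourcompany.com"   # assumption: the organisation's own domain
FINANCE_TERMS = ("invoice", "wire", "payment", "bank", "remit", "urgent", "approve")
# Folders users rarely open; mail moved here is effectively hidden.
LOW_VISIBILITY_FOLDERS = {"rss subscriptions", "conversation history",
                          "deleted items", "archive", "junk email"}


@dataclass
class MailboxRule:
    mailbox: str
    name: str
    subject_contains: List[str] = field(default_factory=list)
    from_contains: List[str] = field(default_factory=list)
    delete: bool = False
    move_to_folder: Optional[str] = None
    mark_as_read: bool = False
    forward_to: List[str] = field(default_factory=list)


def audit_rule(rule: MailboxRule, internal_domain: str = INTERNAL_DOMAIN) -> List[str]:
    """Return human-readable findings for one rule; empty list means nothing suspicious."""
    findings: List[str] = []
    terms = [t.lower() for t in rule.subject_contains + rule.from_contains]
    targets_finance = any(any(k in t for k in FINANCE_TERMS) for t in terms)
    folder = (rule.move_to_folder or "").lower()
    hides = rule.delete or rule.mark_as_read or folder in LOW_VISIBILITY_FOLDERS
    if targets_finance and hides:
        findings.append("hides finance-related mail matching: " + ", ".join(terms))
    if not terms and rule.delete:
        findings.append("deletes all incoming mail")
    external = [a for a in rule.forward_to
                if not a.lower().endswith("@" + internal_domain)]
    if external:
        findings.append("forwards to external address(es): " + ", ".join(external))
    if not rule.name.strip(" ._-"):
        findings.append("rule name is blank or punctuation only")
    return findings


def audit_rules(rules: List[MailboxRule]) -> List[Tuple[str, str, List[str]]]:
    """Run audit_rule over a rule export and keep only the rules with findings."""
    report = []
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report.append((rule.mailbox, rule.name, findings))
    return report


# Constructed sample export: one benign rule, two that fit the hiding pattern,
# and one legitimate internal forward.
SAMPLE_RULES = [
    MailboxRule("ap@yourcompany.com", "Newsletters",
                subject_contains=["newsletter"], move_to_folder="Reading"),
    MailboxRule("ap@yourcompany.com", ".",
                subject_contains=["invoice", "wire"],
                move_to_folder="RSS Subscriptions", mark_as_read=True),
    MailboxRule("cfo@yourcompany.com", "Backup",
                forward_to=["backup.mailbox@example.net"]),
    MailboxRule("cfo@yourcompany.com", "Delegate",
                forward_to=["assistant@yourcompany.com"]),
]

if __name__ == "__main__":
    for mailbox, name, findings in audit_rules(SAMPLE_RULES):
        print(f"{mailbox} rule {name!r}:")
        for finding in findings:
            print("   -", finding)
```

Running this on a periodic export of every mailbox's rules, rather than only on a mailbox already under suspicion, is what turns it from forensics into detection: a new rule that files wire-related mail into RSS Subscriptions is worth a ticket on the day it appears, not weeks later when the vendor asks why an invoice went unpaid.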
Attorney Impersonation
The fraudster poses as an attorney handling a time-sensitive legal matter, like a pending acquisition, confidential settlement, or urgent regulatory issue. They’ll reference real executives by name and claim to be working on their behalf on a matter “too sensitive to discuss over regular channels.”
The request typically involves wiring funds to an escrow account or paying legal fees immediately to avoid penalties or missed deadlines. The legal framing discourages employees from asking too many questions, as the matter is supposedly confidential, urgent... and above their pay grade.
For merchants, these scams might reference trademark disputes or patent issues. Or, especially now that tariffs are top-of-mind for a lot of sellers, one popular option is to claim that there’s an issue with customs or imports. The aim is to go with whatever sounds most plausible, and therefore most likely to let them bypass normal scrutiny.
Payroll Diversion
Attackers compromise or impersonate an employee’s email account and submit a request to HR or payroll to change their direct deposit information, redirecting future paychecks to an account controlled by the fraudster.
These requests usually come just before a pay period and include legitimate-looking forms or screenshots that mimic your actual payroll system. The real employee doesn’t realize anything is wrong until payday, when their money doesn't arrive. While individual payroll diversions might seem small compared to other BEC tactics, they’re often the precursor to larger attacks. Once criminals confirm they can successfully manipulate your HR processes, they escalate to higher-value targets.
Gift Card Scams
A simpler but surprisingly effective variation involves executives (or people impersonating them) asking employees to purchase gift cards or prepaid cards for client gifts, employee rewards, or vendor payments.
It’s like the CEO fraud we discussed earlier. The request can come via email or text: “I'm tied up in meetings all day — can you grab $2,000 in iTunes gift cards and send me the codes? I need them for a client situation.” Once the employee sends the card numbers and PINs, the funds are immediately drained and untraceable.
While smaller in dollar amounts than wire fraud, these attacks are very popular because there’s virtually zero friction. No banking verification or approval workflows to worry about; just a quick trip to a retailer and a reply email. The simplicity and speed make them attractive for opportunistic criminals testing your organization’s defenses.