Business Email Compromise Examples: 8 Common BEC Scam Patterns (2026)
Business email compromise (BEC) is the costliest category of cybercrime reported to the FBI — bigger than ransomware, bigger than card fraud. It doesn't rely on malware or hacking skills. It relies on a convincing email and a moment of trust. This guide walks through 8 common BEC patterns, what each looks like in an actual inbox, and the specific red flag that gives it away. The examples below are illustrative scenarios based on documented attack patterns — not case files.
The Five Categories of BEC Attacks
The FBI groups BEC into a handful of recurring patterns. Knowing which category you're looking at changes what you check first.
An email impersonating a company executive instructs an employee — usually in finance or AP — to make an urgent wire transfer. Often timed for when the real executive is known to be traveling or unreachable.
An attacker impersonates a known vendor and requests that future payments go to a "new" bank account. Often follows research into real vendor relationships, sometimes via a genuinely compromised vendor account.
An attacker gains real access to an employee's email account and sends requests from inside legitimate email threads — making the message nearly indistinguishable from genuine correspondence.
An email impersonating a lawyer or law firm pressures an employee to handle a "confidential, time-sensitive" matter — often invoking legal urgency and secrecy to discourage verification.
Rather than asking for money directly, the email requests sensitive data — W-2s, employee records, or banking details — which is then used to commit further fraud, often against employees personally.
An email impersonating an employee asks HR or payroll to change their direct deposit details. The next paycheck is redirected to the attacker's account instead of the real employee's.
Anatomy of a BEC Email
Here's a fabricated CEO-fraud email annotated with the details that carry the highest risk. Each numbered marker corresponds to a specific check you should perform.
To: amanda@northgateco.com
Subject: Quick favor — time sensitive 3
I'm heading into back-to-back meetings and can't take calls right now 4, but I need you to process an urgent wire for a vendor we're closing a deal with today. 5
Please keep this between us for now until the deal is announced 6 — I'll explain everything once I'm out of these meetings. Amount is $18,400. 7 I'll send the account details in a separate email.
Let me know once it's done.
Janet
Sent from my iPhone 8
- 1Sender name — matches a real executive, but the name alone proves nothing. Display names can be set to anything regardless of the actual sending account.
- 2Email domain — northgate-co.com vs the real northgateco.com. One added hyphen. Check every character, every time.
- 3Urgency in the subject line — "time sensitive," "quick favor," "urgent" are classic pressure framing designed to short-circuit normal review.
- 4Unreachability claim — "can't take calls" preemptively blocks the one verification step that would expose the scam: actually calling the person.
- 5Vague justification — "a vendor we're closing a deal with" gives no specific, checkable detail. Real urgent payments usually reference something concrete.
- 6Secrecy request — "keep this between us" is one of the strongest BEC signals. Legitimate business requests are rarely secret from a second approver.
- 7Amount just under common approval thresholds — figures like $18,400 or $9,800 are often chosen to land just under a known single-approver limit.
- 8"Sent from my iPhone" — commonly added to justify typos, brevity, and the absence of a normal email signature with verifiable contact details.
The email above isn't suspicious because it asks for a payment. Plenty of legitimate urgent requests exist. It's suspicious because of what it does to the verification process.
In fraud investigations, the hardest cases are rarely the obvious ones. What makes BEC effective is that each individual element — an executive name, an urgent deadline, a new account — looks plausible on its own. The pattern only becomes clear when you look at sender identity, timing, payment details, and communication history together. That's what a structured check does that a quick read doesn't.
8 Common BEC Scam Patterns
Each example below is a real-world BEC pattern. Multiple signals showing up in the same email is a serious warning — don't act on the request until each one is resolved.
An email impersonating an executive asks AP or finance to process an urgent wire, while explaining they can't take a call right now. The unreachability claim is intentional — it removes the easiest way to catch the fraud.
A known vendor's email account is compromised, or a lookalike domain is used, to send a routine-looking notice that their bank details have changed. The next invoice payment goes straight to the fraudster's account.
An attacker gains real access to a coworker's inbox and replies inside a genuine existing email thread, asking for a payment or a change in process. Because it comes from a real account inside a real conversation, it's the hardest BEC variant to catch.
An email impersonating an attorney or law firm pressures someone to handle a wire transfer connected to a "confidential acquisition" or "time-sensitive legal matter," explicitly discouraging them from discussing it with anyone else at the company.
The attacker never compromises a real account — they register a domain that looks nearly identical to a real one and send from there. The difference is often a single added hyphen, a transposed letter, or a different top-level domain.
Instead of asking for money, the email impersonates an executive and asks HR or payroll for a batch of employee W-2s or personal information — "for an audit" or "for a new benefits provider." This data is then used to commit tax fraud or identity theft against employees.
An email impersonating an employee asks HR to update their direct deposit bank details before the next pay run. The real employee's paycheck is redirected to the attacker's account, and the employee often doesn't know until payday.
A lower-stakes but extremely common variant: an email impersonating a manager asks an employee to urgently purchase gift cards "for a client gift" or "team appreciation," then send the codes by photo or email. Gift cards are functionally untraceable once the codes are sent.
Notable Documented BEC Cases
These are publicly reported cases that illustrate how BEC attacks work in practice. The patterns in every one of them match the scenarios above — which is why they're worth understanding before assuming it can't happen to you.
None of these required sophisticated malware or a technical breach. Every one exploited a routine payment process — an AP team updating vendor details, a finance employee processing an invoice, a staff member following what appeared to be a normal project-related request. The attack surface is the human process, not the technology. That's why a structured check before payment goes out matters more than any spam filter.
What to Do When You Spot a Red Flag
A red flag doesn't mean the email is definitely fraudulent. It means you need to verify before acting. Here's the process:
- Do not reply to the email — if the sender is a fraudster, replying confirms your address is active and tips them off that you're investigating. Contact the supposed sender independently instead.
- Call the person directly using a number you already have — look it up independently, never use a phone number from the email itself. Confirm verbally whether they sent the request.
- Check the sending domain character by character — compare it against a previous, known-good email from the same person. One character difference is enough to be a different domain entirely.
- Treat secrecy and urgency as the signal, not the reason to rush — both are deliberately used to short-circuit your normal verification process. Slow down specifically because of them.
- Run a fraud analysis — submit the sender, domain, and message through PaySentinel to check for additional patterns your manual review might have missed.
- Escalate if you can't verify — if you cannot independently confirm the request is legitimate, escalate to your manager or a second approver before taking any action.
- Document everything — regardless of outcome, record what you found, who you spoke with, and what was confirmed. This protects you and creates an audit trail.
Act within the first hour.
If money was wired, call your bank immediately and ask them to issue a wire recall — the chances of recovery drop significantly after the first few hours. If data was shared, notify your IT/security team and consider credit monitoring for affected employees. Then file a report with the FBI Internet Crime Complaint Center at ic3.gov — they have dedicated financial crime units that handle BEC and wire fraud.
Building a Process That Prevents BEC
Individual red flag checks are necessary, but the best protection is a consistent process that makes BEC structurally harder to execute.
- Set a dual-authorization threshold — any wire above a set amount (e.g. $5,000) requires a second approver who independently verifies the request, not just countersigns.
- Establish a verbal verification rule for banking changes — no routing or account number change is accepted from email alone, ever, regardless of who appears to send it.
- Enable multi-factor authentication on all email accounts — this single control prevents most of the account-compromise variant of BEC, which is otherwise nearly impossible to detect by content alone.
- Train every employee who can move money or data — not just finance. Payroll, HR, and executive assistants are common BEC targets and are often less trained on fraud patterns than AP staff.
- Normalize "slowing down" as standard practice — make clear that delaying an urgent request to verify is never going to get someone in trouble, even if it turns out to be legitimate.
- Run a fraud check on any unusual request — takes under a minute with PaySentinel and catches patterns that manual review misses under time pressure.
Frequently Asked Questions
Business email compromise is a scam where an attacker impersonates a trusted contact — an executive, vendor, or coworker — usually by email, to trick someone into sending money or sensitive information. It often involves a compromised or spoofed email account rather than malware, which makes it harder for spam filters to catch.
Phishing typically casts a wide net with generic emails trying to steal credentials or install malware. BEC is targeted and personal — the attacker has researched the company, knows real names and relationships, and crafts a specific request that looks routine.
BEC emails rarely contain malicious links or attachments, which is part of why they evade technical spam filters and require human judgment to catch.
Small businesses often lack dedicated fraud teams, dual-approval requirements, or formal verification processes for payment changes. A single employee frequently has authority to approve a wire transfer alone, which is exactly the gap BEC attacks are designed to exploit.
Yes. Many BEC attacks use a lookalike domain rather than compromising your actual account — registering a domain that looks nearly identical to a real one. The attacker never needs access to anyone's inbox; they just need the recipient not to notice the domain is slightly wrong.
Do not reply to the email or call any phone number included in it. Verify the request through a separate, previously known communication channel — a phone number from your records, not the email signature.
If you already sent a payment, call your bank's fraud line immediately to request a wire recall, then file a report with the FBI's IC3 at ic3.gov.
How PaySentinel Catches These Automatically
Most of the patterns above require manual research — checking domains, calling vendors, comparing routing numbers. PaySentinel automates the pattern detection so you catch these faster and more consistently, even on busy days when manual checks get rushed.
Here's which signals the email and vendor checks cover automatically:
| Signal | PaySentinel detects? | How |
|---|---|---|
| Lookalike / typosquat domain | ✓ Yes | Checks the sending domain against known typosquat patterns and flags suspicious lookalikes |
| Routing number changed | ✓ Yes | Compares against your vendor history in local memory — flags any change from prior analyses |
| Urgency / pressure language | ✓ Yes | Detects urgency, secrecy, and pressure phrasing patterns common to BEC emails |
| Secrecy requests | ✓ Yes | Flags language asking the recipient to keep a request confidential from coworkers |
| Amount near approval threshold | ✓ Yes | Flags amounts suspiciously close to common single-approver limits |
| ABA routing number validity | ✓ Yes | Runs ABA checksum validation on any routing number submitted |
| Unreachability claims | Partial | Flagged as part of urgency-language detection, but verifying reachability is still on you |
| Compromised internal account, mid-thread | Manual step | Requires phone verification — PaySentinel can't verify whether a real coworker's account was compromised |
| Gift card / non-wire requests | Manual step | Run the request through the Email tab to check for BEC language patterns even when no bank transfer is involved |
Open the Email tab in the app. Paste in the sender's email address, the subject and body text, and any details about the request. PaySentinel runs the check and returns a risk score with specific red flags and recommended next steps — the whole process takes under a minute.
Every pattern in this guide — lookalike domains, urgency language, secrecy requests, structuring amounts, routing number changes — is something PaySentinel checks automatically when you paste in a suspicious email or payment request. The point isn't to replace your judgment. It's to give you a structured second opinion before money leaves the account, consistently, even on the days when manual review gets rushed.
Check a suspicious email now
Paste in the sender, domain, and message — PaySentinel checks for BEC language patterns, lookalike domains, and structuring signals, and gives you a risk score in under a minute. Free for small businesses.
Check an email free →