Guide · Business Email Compromise

Business Email Compromise Examples: 8 Common BEC Scam Patterns (2026)

June 2026 AP Clerks Office Managers Small Business 10 min read

Business email compromise (BEC) is the costliest category of cybercrime reported to the FBI — bigger than ransomware, bigger than card fraud. It doesn't rely on malware or hacking skills. It relies on a convincing email and a moment of trust. This guide walks through 8 common BEC patterns, what each looks like in an actual inbox, and the specific red flag that gives it away. The examples below are illustrative scenarios based on documented attack patterns — not case files.

$2.7B
in BEC losses reported to the FBI's IC3 in 2024
$19K
average loss per BEC incident at a small business
96%
of BEC emails contain no malware or malicious link at all

The Five Categories of BEC Attacks

The FBI groups BEC into a handful of recurring patterns. Knowing which category you're looking at changes what you check first.

👔
CEO / executive fraud

An email impersonating a company executive instructs an employee — usually in finance or AP — to make an urgent wire transfer. Often timed for when the real executive is known to be traveling or unreachable.

🧾
Vendor / invoice impersonation

An attacker impersonates a known vendor and requests that future payments go to a "new" bank account. Often follows research into real vendor relationships, sometimes via a genuinely compromised vendor account.

📨
Compromised account attack

An attacker gains real access to an employee's email account and sends requests from inside legitimate email threads — making the message nearly indistinguishable from genuine correspondence.

⚖️
Attorney impersonation

An email impersonating a lawyer or law firm pressures an employee to handle a "confidential, time-sensitive" matter — often invoking legal urgency and secrecy to discourage verification.

🪪
Data theft request

Rather than asking for money directly, the email requests sensitive data — W-2s, employee records, or banking details — which is then used to commit further fraud, often against employees personally.

🏦
Payroll diversion

An email impersonating an employee asks HR or payroll to change their direct deposit details. The next paycheck is redirected to the attacker's account instead of the real employee's.

Anatomy of a BEC Email

Here's a fabricated CEO-fraud email annotated with the details that carry the highest risk. Each numbered marker corresponds to a specific check you should perform.

From: Janet Coyle 1
janet.coyle@northgate-co.com 2
To: amanda@northgateco.com
Subject: Quick favor — time sensitive 3

Amanda,

I'm heading into back-to-back meetings and can't take calls right now 4, but I need you to process an urgent wire for a vendor we're closing a deal with today. 5

Please keep this between us for now until the deal is announced 6 — I'll explain everything once I'm out of these meetings. Amount is $18,400. 7 I'll send the account details in a separate email.

Let me know once it's done.

Janet
Sent from my iPhone 8
Have a suspicious email in front of you right now? Paste the sender, domain, and message into PaySentinel and get a risk score in under a minute.
Check it now →
🔍 Fraud Analyst Perspective

The email above isn't suspicious because it asks for a payment. Plenty of legitimate urgent requests exist. It's suspicious because of what it does to the verification process.

In fraud investigations, the hardest cases are rarely the obvious ones. What makes BEC effective is that each individual element — an executive name, an urgent deadline, a new account — looks plausible on its own. The pattern only becomes clear when you look at sender identity, timing, payment details, and communication history together. That's what a structured check does that a quick read doesn't.

8 Common BEC Scam Patterns

Each example below is a real-world BEC pattern. Multiple signals showing up in the same email is a serious warning — don't act on the request until each one is resolved.

1
The "CEO is in a meeting" wire request
Critical

An email impersonating an executive asks AP or finance to process an urgent wire, while explaining they can't take a call right now. The unreachability claim is intentional — it removes the easiest way to catch the fraud.

What it looks like
"In meetings all day, can't talk — need this wired before 3pm."
A real urgent request still allows a callback to a known number.
Do this → Call the executive directly using a number from your company directory — never a number from the email. If you can't reach them, do not process the payment until you can.
2
The vendor "bank change" email
Critical

A known vendor's email account is compromised, or a lookalike domain is used, to send a routine-looking notice that their bank details have changed. The next invoice payment goes straight to the fraudster's account.

What it looks like
"Please note our bank has changed. Use the new routing number on all future payments."
Routing number matches what's on file from prior payments.
Do this → Never update banking details from an email alone. Call the vendor at a number from your existing records and require a signed bank authorization letter before changing anything.
3
Compromised internal account, mid-thread
Critical

An attacker gains real access to a coworker's inbox and replies inside a genuine existing email thread, asking for a payment or a change in process. Because it comes from a real account inside a real conversation, it's the hardest BEC variant to catch.

What it looks like
A reply appears in an existing thread requesting a sudden change to delivery instructions or payment details.
Do this → If a request inside a thread feels out of character or sudden, verify with the sender through a different channel — a phone call or in-person — before acting, even if the email account looks legitimate.
4
The "confidential legal matter" request
High

An email impersonating an attorney or law firm pressures someone to handle a wire transfer connected to a "confidential acquisition" or "time-sensitive legal matter," explicitly discouraging them from discussing it with anyone else at the company.

What it looks like
"This is highly confidential — please do not discuss with anyone else until the deal is announced."
Do this → Secrecy requests around payments are a hard stop. Legitimate legal and financial transactions don't require hiding the request from your own finance team or manager.
5
Lookalike domain, near-perfect copy
Critical

The attacker never compromises a real account — they register a domain that looks nearly identical to a real one and send from there. The difference is often a single added hyphen, a transposed letter, or a different top-level domain.

Common typosquat patterns
janet.coyle@northgate-co.com (hyphen added)
janet.coyle@northgatec0.com (letter swapped for zero)
janet.coyle@northgateco.com (legitimate)
Do this → Check the domain character by character against a known-good email, or against your contacts list — don't trust the display name alone.
6
The W-2 / employee data request
High

Instead of asking for money, the email impersonates an executive and asks HR or payroll for a batch of employee W-2s or personal information — "for an audit" or "for a new benefits provider." This data is then used to commit tax fraud or identity theft against employees.

What it looks like
"Can you send me PDF copies of all employee W-2s for this year? Need it for an audit by end of day."
Do this → Never send bulk employee data based on an email request alone, regardless of who it appears to be from. Verify by phone and route the request through your normal data-release process.
7
Payroll direct deposit redirect
High

An email impersonating an employee asks HR to update their direct deposit bank details before the next pay run. The real employee's paycheck is redirected to the attacker's account, and the employee often doesn't know until payday.

What it looks like
"Hi, I switched banks — can you update my direct deposit info before this Friday's payroll runs?"
Do this → Require employees to confirm direct deposit changes via phone or in person, especially when the request is time-sensitive or arrives close to a payroll cutoff.
8
Gift card request "for clients"
Medium

A lower-stakes but extremely common variant: an email impersonating a manager asks an employee to urgently purchase gift cards "for a client gift" or "team appreciation," then send the codes by photo or email. Gift cards are functionally untraceable once the codes are sent.

What it looks like
"Can you grab five $200 Amazon gift cards for a client thing? Send me the codes when you have them, I'll explain later."
Do this → No legitimate business reimbursement process involves photographing gift card codes and emailing them. Treat any such request as fraudulent by default.
Spotted one of these patterns? Paste the sender, domain, and message into PaySentinel for an instant risk assessment.
Check the email →

Notable Documented BEC Cases

These are publicly reported cases that illustrate how BEC attacks work in practice. The patterns in every one of them match the scenarios above — which is why they're worth understanding before assuming it can't happen to you.

$37M
Loss
Toyota Boshoku Corporation — Vendor impersonation
A third-party attacker posing as a trusted business partner emailed Toyota's parts subsidiary finance team, requesting a change to payment account details and citing urgency around parts production. The team updated the details and transferred approximately $37 million to a fraudster-controlled account before the fraud was discovered. Classic vendor impersonation via BEC — the request came from outside the organization but impersonated an existing relationship.
$100M+
Loss
Google and Facebook — Fake vendor invoices
Between 2013 and 2015, a fraudster created a fake company with the same name as a real hardware supplier both companies used — Quanta Computer. He sent fraudulent invoices with forged contracts, letters, and corporate seals to the accounts payable departments of both Google and Facebook. Because the requests matched ongoing vendor relationships, employees paid without additional verification. Combined losses exceeded $100 million. The attacker was later convicted. Both companies eventually recovered most of the funds.
$1M
Loss
Save the Children — Compromised internal account
Fraudsters compromised a real employee's email account at the nonprofit and used it to send fraudulent invoices and documents linked to a legitimate project in Asia. Because the email came from a real internal account in an active project context, it bypassed normal scrutiny. Save the Children transferred approximately $1 million before discovering the fraud. They recovered around 90% through their insurance policy — underscoring the value of cyber and crime coverage. This is the compromised internal account variant: the hardest to catch because no domain spoofing is involved.
$60M
Loss
Orion S.A. — Multiple fraudulent wire transfers
In August 2024, the Luxembourg-headquartered chemical company disclosed in an SEC filing that a non-executive employee had been tricked into making multiple outbound wire transfers totaling approximately $60 million to accounts controlled by unknown attackers. The attack targeted a single employee without executive authority — demonstrating that BEC doesn't only target the CFO or CEO. Anyone with payment authority is a target. The company was working with law enforcement to pursue recovery.
🔍 What these cases have in common

None of these required sophisticated malware or a technical breach. Every one exploited a routine payment process — an AP team updating vendor details, a finance employee processing an invoice, a staff member following what appeared to be a normal project-related request. The attack surface is the human process, not the technology. That's why a structured check before payment goes out matters more than any spam filter.

What to Do When You Spot a Red Flag

A red flag doesn't mean the email is definitely fraudulent. It means you need to verify before acting. Here's the process:

If you've already acted on a fraudulent request

Act within the first hour.

If money was wired, call your bank immediately and ask them to issue a wire recall — the chances of recovery drop significantly after the first few hours. If data was shared, notify your IT/security team and consider credit monitoring for affected employees. Then file a report with the FBI Internet Crime Complaint Center at ic3.gov — they have dedicated financial crime units that handle BEC and wire fraud.

Building a Process That Prevents BEC

Individual red flag checks are necessary, but the best protection is a consistent process that makes BEC structurally harder to execute.

Frequently Asked Questions

What is business email compromise (BEC)?

Business email compromise is a scam where an attacker impersonates a trusted contact — an executive, vendor, or coworker — usually by email, to trick someone into sending money or sensitive information. It often involves a compromised or spoofed email account rather than malware, which makes it harder for spam filters to catch.

How is BEC different from phishing?

Phishing typically casts a wide net with generic emails trying to steal credentials or install malware. BEC is targeted and personal — the attacker has researched the company, knows real names and relationships, and crafts a specific request that looks routine.

BEC emails rarely contain malicious links or attachments, which is part of why they evade technical spam filters and require human judgment to catch.

Why do BEC attacks target small businesses specifically?

Small businesses often lack dedicated fraud teams, dual-approval requirements, or formal verification processes for payment changes. A single employee frequently has authority to approve a wire transfer alone, which is exactly the gap BEC attacks are designed to exploit.

Can BEC happen without my email being hacked?

Yes. Many BEC attacks use a lookalike domain rather than compromising your actual account — registering a domain that looks nearly identical to a real one. The attacker never needs access to anyone's inbox; they just need the recipient not to notice the domain is slightly wrong.

What should I do if I think I received a BEC email?

Do not reply to the email or call any phone number included in it. Verify the request through a separate, previously known communication channel — a phone number from your records, not the email signature.

If you already sent a payment, call your bank's fraud line immediately to request a wire recall, then file a report with the FBI's IC3 at ic3.gov.

How PaySentinel Catches These Automatically

Most of the patterns above require manual research — checking domains, calling vendors, comparing routing numbers. PaySentinel automates the pattern detection so you catch these faster and more consistently, even on busy days when manual checks get rushed.

Here's which signals the email and vendor checks cover automatically:

Signal PaySentinel detects? How
Lookalike / typosquat domain ✓ Yes Checks the sending domain against known typosquat patterns and flags suspicious lookalikes
Routing number changed ✓ Yes Compares against your vendor history in local memory — flags any change from prior analyses
Urgency / pressure language ✓ Yes Detects urgency, secrecy, and pressure phrasing patterns common to BEC emails
Secrecy requests ✓ Yes Flags language asking the recipient to keep a request confidential from coworkers
Amount near approval threshold ✓ Yes Flags amounts suspiciously close to common single-approver limits
ABA routing number validity ✓ Yes Runs ABA checksum validation on any routing number submitted
Unreachability claims Partial Flagged as part of urgency-language detection, but verifying reachability is still on you
Compromised internal account, mid-thread Manual step Requires phone verification — PaySentinel can't verify whether a real coworker's account was compromised
Gift card / non-wire requests Manual step Run the request through the Email tab to check for BEC language patterns even when no bank transfer is involved
✓ How to use PaySentinel for email and BEC checks

Open the Email tab in the app. Paste in the sender's email address, the subject and body text, and any details about the request. PaySentinel runs the check and returns a risk score with specific red flags and recommended next steps — the whole process takes under a minute.

From the guide to the tool

Every pattern in this guide — lookalike domains, urgency language, secrecy requests, structuring amounts, routing number changes — is something PaySentinel checks automatically when you paste in a suspicious email or payment request. The point isn't to replace your judgment. It's to give you a structured second opinion before money leaves the account, consistently, even on the days when manual review gets rushed.

Check a suspicious email now

Paste in the sender, domain, and message — PaySentinel checks for BEC language patterns, lookalike domains, and structuring signals, and gives you a risk score in under a minute. Free for small businesses.

Check an email free →