
Business Email Compromise: The Email Scam Taking Down Small Businesses

Carli Chovick, Chief of Staff
June 5, 2026

You don't need to be a large company to get hit by business email compromise. Small businesses are actually the primary target — and most have no idea until the money is already gone.


The FBI has tracked $51 billion in total exposed losses from business email compromise. It accounts for nearly three-quarters of all reported cyber incidents. And unlike most cybercrime, it doesn't rely on malware, ransomware, or technical exploits.

It relies on trust. And trust is something small businesses have in abundance.

What business email compromise actually is

Business email compromise, or BEC, is a category of attack where criminals impersonate someone you trust — an executive, a vendor, a colleague, a client — and use that impersonation to get you to send money or sensitive information.

There are no malicious attachments. No suspicious links. No obvious red flags. Just an email that looks like it came from someone you work with, asking you to do something that seems routine.

The request might be to approve a wire transfer. Update a vendor's banking details. Process an urgent invoice before the end of the day. Share employee payroll information for a tax filing. Each of these has cost real businesses real money — often tens of thousands of dollars in a single transaction.

The average successful BEC wire transfer request sits at $24,586. Some are much larger. And nearly 41% of all BEC attacks target small and mid-sized businesses specifically.

Why small businesses are the primary target

This is the part most small business owners don't expect. BEC isn't primarily a large enterprise problem — it's a small business problem.

Large companies have finance teams with formal approval processes, dual authorization requirements, and dedicated security staff. Small businesses move faster, trust each other more, and often have one person handling everything from vendor relationships to payment approvals. That informality is an efficiency advantage and a security liability at the same time.

Attackers know this. They know that at a ten-person company, the person who gets an invoice is often the same person who pays it. They know that a request from the CEO carries weight and rarely gets questioned. They know that urgency works.

Business email compromise rose 60% between January and February 2025 alone. The growth isn't slowing down — it's accelerating, driven almost entirely by AI making attacks faster to build and harder to distinguish from legitimate emails. (Source: Darktrace)

The four most common attack types

CEO fraud. An attacker impersonates your CEO or a senior executive and emails someone in finance with an urgent wire transfer request. The email references a real deal, a real project, or a real relationship. It asks for discretion. It creates urgency. And it asks for action before anyone has time to verify.

Vendor impersonation. An attacker impersonates one of your regular vendors and sends updated banking details for an upcoming payment. The email looks like it came from a contact you've worked with for years. The invoice amount is plausible. The only difference is where the money goes.

Account compromise. This is the most sophisticated variant. An attacker gains access to a real email account — yours, a vendor's, a colleague's — and monitors real conversations for weeks. They wait for the right moment, then insert themselves into an existing email thread with fraudulent payment instructions. The email comes from a real address, references real conversations, and arrives at exactly the right time.

Payroll and HR fraud. An attacker impersonates an employee and contacts HR or payroll requesting a change to their direct deposit information. The next payroll run sends that employee's salary to the attacker's account instead.

Why your email filter won't catch it

This is the structural problem with BEC. Traditional email security tools — spam filters, gateway protection, even sophisticated enterprise email security — are built to catch technical threats. Malicious attachments. Known phishing domains. Suspicious links.

BEC doesn't have any of those. It's a well-written email from what looks like a trusted address, asking for something that sounds plausible. There's nothing for a filter to flag. 50% of all BEC attacks evade secure email gateways entirely. (Source: Darktrace)

The defense isn't technical. It's procedural.

What actually stops BEC attacks

The most effective defense against business email compromise combines smart processes with the right tools. Neither alone is enough.

On the process side:

Dual authorization on any payment above a threshold you set. No single person should be able to approve and execute a significant payment without a second set of eyes. Set a number that makes sense for your business — even $500 — and require two people to sign off on anything above it.

Verbal verification for any change to payment details. If a vendor sends updated banking information, call them on a number you already have before processing any payment. Not the number in the email. A number from your existing records or their official website. This single step would prevent the majority of vendor impersonation attacks.

A standing rule about urgency. Any request that creates artificial time pressure should automatically trigger a verification step, not bypass one. Urgency is the primary psychological lever in BEC. Treat it as a red flag, not a reason to act faster.
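The three process controls above can be written down as a single payment-release gate, so that every request is checked the same way regardless of who is tired or distracted that day. The following is an added example and is not code from the original post or from Haven; the $500 threshold, the approver rule, the urgency phrases and the vendor records are all assumptions chosen for illustration.

```python
"""
Added example, not from the original post: a payment-release gate that encodes
the three process controls (dual authorization, verbal verification of banking
changes, urgency as a trigger for verification). Threshold, approver rules,
urgency phrases and vendor records are assumptions chosen for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass, field
import re

DUAL_AUTH_THRESHOLD = 500.00   # assumed figure; the post suggests "even $500"

# Assumed phrases that signal artificial time pressure or a request for secrecy.
URGENCY_PATTERNS = [
    r"\burgent(ly)?\b", r"\basap\b", r"\bimmediately\b", r"\bright away\b",
    r"\bbefore (the )?(end|close) of (the )?day\b",
    r"\bkeep this (confidential|between us)\b", r"\bdo not (tell|mention)\b",
]


@dataclass
class PaymentRequest:
    vendor: str
    amount: float
    bank_account: str                  # account the request asks to be paid
    requester: str                     # person who submitted the request
    approvers: list[str] = field(default_factory=list)   # everyone who signed off
    message: str = ""                  # body of the email that carried the request
    verified_by_phone: bool = False    # callback made to a number already on file


def urgency_flags(text: str) -> list[str]:
    """Return every urgency or secrecy phrase found in the request text."""
    return [m.group(0) for p in URGENCY_PATTERNS
            for m in re.finditer(p, text, re.IGNORECASE)]


def evaluate(req: PaymentRequest, vendors_on_file: dict[str, str]) -> list[str]:
    """Return the reasons the payment must NOT be released yet; empty means release."""
    holds = []

    # Control 1: dual authorization above the threshold (two distinct people).
    if req.amount > DUAL_AUTH_THRESHOLD and len(set(req.approvers)) < 2:
        holds.append(f"amount {req.amount:.2f} exceeds {DUAL_AUTH_THRESHOLD:.2f}: "
                     "needs two distinct approvers")

    # Control 2: a new or changed bank account needs a call to a number on file.
    if vendors_on_file.get(req.vendor) != req.bank_account and not req.verified_by_phone:
        holds.append("bank account differs from records: "
                     "call the vendor on a number from your own files")

    # Control 3: urgency triggers verification instead of bypassing it.
    flags = urgency_flags(req.message)
    if flags and not req.verified_by_phone:
        holds.append(f"urgency language {flags!r}: confirm the request out of band")

    return holds


# Constructed vendor records and sample requests for a stand-alone run.
VENDORS_ON_FILE = {"Acme Supplies": "ACCT-ACME-0001"}

SAMPLES = {
    "routine": PaymentRequest("Acme Supplies", 320.00, "ACCT-ACME-0001", "alice",
                              ["alice"], "Invoice 1042 for May, net 30."),
    "new_bank_details": PaymentRequest("Acme Supplies", 320.00, "ACCT-NEW-9999", "alice",
                                       ["alice"], "We have changed banks, please use the new account."),
    "large_single_approver": PaymentRequest("Acme Supplies", 12000.00, "ACCT-ACME-0001", "alice",
                                            ["alice"], "Invoice 1043 attached."),
    "ceo_urgent": PaymentRequest("Acme Supplies", 12000.00, "ACCT-ACME-0001", "alice",
                                 ["alice", "bob"], "Need this wired immediately and keep this confidential."),
    "verified_large": PaymentRequest("Acme Supplies", 12000.00, "ACCT-NEW-9999", "alice",
                                     ["alice", "bob"], "Please use the new account, urgent.",
                                     verified_by_phone=True),
}


def decide_all() -> dict[str, list[str]]:
    """Run the gate over every sample and return the holds per request."""
    return {label: evaluate(req, VENDORS_ON_FILE) for label, req in SAMPLES.items()}


if __name__ == "__main__":
    for label, holds in decide_all().items():
        print(f"{label}: {'RELEASE' if not holds else 'HOLD'}")
        for h in holds:
            print("   -", h)
```

Note that a verified phone call clears the banking and urgency holds but never the dual-authorization hold: verification confirms who is asking, while the second approver is there to catch a mistake by the first, and the two controls are deliberately independent.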

On the tools side:

Process catches a lot. But it doesn't catch everything — especially when someone is tired, distracted, or the attack is sophisticated enough to feel completely routine. That's where browser and email-level protection fills the gap.

Haven scans incoming emails and flags suspicious senders, lookalike domains, and anomalies that look legitimate to the human eye but don't add up on closer inspection. It works at the browser level — the exact place where BEC attacks land — alerting your team before anyone acts on a fraudulent request. For a small business without a dedicated IT team, it's the layer that covers what no process alone can catch. We covered the specific red flags for fake invoice emails in detail in our recent blog.
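To make concrete what "suspicious senders, lookalike domains, and anomalies that look legitimate to the human eye" means in practice, here is an added example of three such checks run over a few constructed email headers. It is illustrative code written for this post, not Haven's own detection logic; the contact directory, the domains and the homoglyph table are assumptions.

```python
"""
Added example, not Haven's code: sender-anomaly checks of the kind the post
describes, run over constructed From/Reply-To headers. The contact directory,
domains and homoglyph substitutions are assumptions chosen for illustration.
"""
from __future__ import annotations
from email.utils import parseaddr

# Constructed directory of the people and vendors this business actually works with.
KNOWN_CONTACTS = {
    "jane doe": "example-corp.com",            # the company's own CEO
    "acme billing": "acme-supplies.example",   # a regular vendor
}
KNOWN_DOMAINS = set(KNOWN_CONTACTS.values())

# Assumed character substitutions commonly seen in lookalike domains.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(domain: str) -> str:
    """Fold homoglyphs so 'examp1e-corp.com' compares equal to 'example-corp.com'."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, enough to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> str | None:
    """Return the known domain this one imitates, or None if it is exact or unrelated."""
    domain = domain.lower()
    if domain in KNOWN_DOMAINS:
        return None
    for known in KNOWN_DOMAINS:
        if (normalize(domain) == normalize(known)
                or levenshtein(normalize(domain), normalize(known)) <= 2):
            return known
    return None


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def analyze(headers: dict[str, str]) -> list[tuple[str, str]]:
    """Return (code, detail) findings for one message's From and Reply-To headers."""
    findings = []
    name, addr = parseaddr(headers.get("From", ""))
    from_domain = domain_of(addr)

    # 1. Lookalike domain: the sending domain imitates one we know.
    target = lookalike_of(from_domain)
    if target:
        findings.append(("lookalike_domain", f"{from_domain} resembles {target}"))

    # 2. Display-name impersonation: a familiar name on an unfamiliar domain.
    expected = KNOWN_CONTACTS.get(name.strip().lower())
    if expected and from_domain != expected:
        findings.append(("display_name_mismatch",
                         f"'{name}' expected at {expected}, got {from_domain}"))

    # 3. Reply-To redirection: replies would go somewhere other than the sender.
    _, reply = parseaddr(headers.get("Reply-To", ""))
    reply_domain = domain_of(reply)
    if reply_domain and reply_domain != from_domain:
        findings.append(("reply_to_mismatch",
                         f"replies go to {reply_domain}, not {from_domain}"))
    return findings


# Constructed sample headers: one legitimate message and three impersonation patterns.
SAMPLES = {
    "legit":     {"From": "Jane Doe <jane.doe@example-corp.com>"},
    "lookalike": {"From": "Jane Doe <jane.doe@examp1e-corp.com>"},
    "freemail":  {"From": "Jane Doe <jane.doe.ceo@webmail.example>"},
    "reply_to":  {"From": "Acme Billing <billing@acme-supplies.example>",
                  "Reply-To": "billing@acme-supplies-invoices.example"},
}


def scan_all() -> dict[str, list[str]]:
    """Return the finding codes raised for each sample message."""
    return {label: [code for code, _ in analyze(h)] for label, h in SAMPLES.items()}


if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        print(label, analyze(headers) or "no findings")
```

None of these checks needs the message body or an attachment, which is the point: they key on the relationship between who the email claims to be from and where it actually comes from, the only signal a content filter has nothing to work with. The "account compromise" variant described earlier defeats all three, since the mail genuinely comes from the real account, which is why the procedural controls still have to sit underneath any tooling.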

The honest bottom line

Business email compromise works because it exploits normal business behavior — paying vendors, following instructions from leadership, processing routine requests. The attacks are designed to feel routine because routine is what bypasses scrutiny.

The answer isn't to make your team paranoid about every email. It's to build a small number of verification habits that apply to the specific situations where BEC operates — large payments, banking changes, urgent requests, and anything that asks you to act without checking. Those habits cost nothing and stop most attacks before they land.




Haven scans emails and flags suspicious senders before anyone on your team acts on them — working at the browser level to catch what email filters structurally miss. Download Haven free from the Chrome Web Store or explore Haven for business if you want protection across your whole business.