
Business Email Compromise: How to prevent email fraud


“Urgent bank transfer, please complete today.” – That is the subject line of the email sent by the managing director to the accountant. The tone seems familiar, the email signature is correct and the reason given sounds plausible. The conscientious employee transfers several thousand euros. But the managing director knows nothing about it, because this is not a genuine email, but a case of Business Email Compromise (BEC), a sophisticated and widespread form of cyber fraud. In our blog, you can find out how Business Email Compromise works, how AI exacerbates this cyber threat, and how you can protect yourself against this new generation of email fraud.


What is Business Email Compromise (BEC)?

Business Email Compromise refers to a form of targeted email fraud in which attackers either take over genuine accounts or use deceptively genuine sender addresses to trick employees into carrying out fraudulent actions. The aim is to steal money, data or both.

Alongside ransomware, phishing and DDoS attacks, Business Email Compromise is one of the most financially damaging cyber threats. In Germany, according to the 2024 research report ‘Costs and Damage Caused by Cybercrime in Germany’ by the Federal Criminal Police Office (Bundeskriminalamt), the damage amounted to just under 110 million euros. The reason for the high success rate lies in psychology. BEC attacks exploit:

  • Authority: A message from the managing director or the CFO is not questioned.
  • Time pressure: “Please do this today” leaves no time to think.
  • Trust: Familiar names, correct signatures, plausible contexts and authentic-sounding phrasing.
  • Isolation: You are often asked to handle the matter ‘discreetly’.

CEO Fraud & Co: The most common BEC attack patterns

Business Email Compromise is an umbrella term for various types of email fraud. Here is an overview of the most important ones:

  • CEO Fraud (also known as ‘Fake President Fraud’):

    CEO Fraud is, so to speak, the classic example of a BEC attack. Attackers pose as senior management and instruct staff in the accounts or finance departments to make urgent bank transfers. They exploit employees’ loyalty and trust and put the victims under time pressure to bypass standard security procedures.

  • Invoice fraud:

    Attackers forge supplier emails and phone calls (‘vendor impersonation’) or compromise genuine supplier accounts in order to persuade employees to transfer funds to alternative bank accounts – either for payments that are actually due or for services that were never provided. Here, too, pressure is applied, for example through conspicuously short payment deadlines or the threat of debt collection proceedings.

  • Identity theft involving lawyers or consultants (‘Lawyer Impersonation’):

    In this scheme, cyber fraudsters assume the identity of an external individual who possesses information about confidential internal processes and projects. Here, too, the aim is to persuade staff to make bank transfers.

  • Data fraud or data theft (‘Data Theft via BEC’):

    In this type of cyber fraud, the specific aim is to steal data rather than money. The aim is to trick employees into sharing confidential data – such as HR and payroll data, login credentials, invoices and tax documents – in order to use this to launch larger-scale cyberattacks.

Email fraud in the age of AI and deepfakes

Until recently, Business Email Compromise could often be identified by certain details: unusual phrasing, a slightly different sender address, or a voice on the phone that sounded strange. Artificial intelligence has largely removed these tell-tale signs, and deepfakes such as voice cloning make fraudulent calls significantly harder to spot than before.

AI is thus taking email fraud to a whole new level of threat. According to the loss statistics report by Allianz Trade, losses from CEO fraud have tripled since 2024. The Federal Criminal Police Office (Bundeskriminalamt) also warns of this development in its ‘Federal Cybercrime Situation Report 2025’.

Attackers now use AI to combine multiple channels: an AI-generated email is followed by a vishing call with a cloned voice; in extreme cases, even a deepfake video call. The very factors that enable small and medium-sized enterprises (SMEs) to operate flexibly in their day-to-day business – such as flat hierarchies and short decision-making processes – become a vulnerability, particularly in the case of deepfake CEO fraud.

Key terms

What is social engineering?

BEC typically does not rely on malware; instead, the attackers make use of social engineering. Social engineering is a method that exploits traits such as trust, a willingness to help, fear or curiosity to persuade people to disclose sensitive data, transfer money or grant unauthorised access to IT systems. The combination of social engineering and targeted deception used in BEC attacks is effective across all sectors and organisations of all sizes.

What is vishing?

The term ‘vishing’ combines ‘voice’ and ‘phishing’, meaning phishing via a phone call rather than by email. New-generation vishing attacks make use of AI voice cloning. Instead of a random, generic voice, employees hear a voice that sounds exactly like a person they know, such as their CEO or CFO.

What is email spoofing?

In email spoofing, the attacker forges the sender address of an email, with the result that the message appears deceptively genuine and appears to come from a known contact or a reputable service. Spoofing is easier to carry out if the targeted domain has not implemented strict authentication standards such as DMARC, DKIM and SPF.

How Business Email Compromise works: The four stages of a BEC attack

A typical Business Email Compromise attack unfolds in several stages:

Stage 1: Reconnaissance

Business Email Compromise does not require malware, but it does require thorough preparation. Attackers research publicly available information, such as LinkedIn profiles, legal notices, press releases or organisational charts. The aim of this first phase is to understand who communicates with whom, who authorises payments and who responds to instructions from senior management.

With the help of AI, vast amounts of public data can now be analysed automatically – including social media posts, conference videos, podcast appearances and press photos. Audio and video material of senior executives – for example, from presentations, interviews or corporate videos – provides the raw material needed for subsequent voice or image cloning. Just a few seconds of publicly available voice recording are enough to replicate a voice with astonishing realism.

Stage 2: Manipulation via email spoofing, vishing or account compromise

Either a genuine email account is compromised through phishing, weak passwords or a lack of multi-factor authentication (MFA), or the sender’s address is forged using email spoofing.

Whilst phishing emails used to be easily recognisable by spelling mistakes or awkward phrasing, AI language models now make even this step easier: phishing emails designed to steal login credentials can be created in flawless, authentic German. The same applies to vishing.

Stage 3: The actual BEC attack

Using the previous steps, the attackers strike. They choose their timing and context carefully: just before holidays, on a Friday afternoon or during periods of high workload, the deceptively genuine-looking email or the phone call with the cloned voice reaches the victim.

In particularly elaborate cases, a video call is even included, in which not only the voice but also the face is synthetically generated in real time. This combination of multiple channels increases the psychological pressure on the victim: an email on its own can still be questioned, but a phone call featuring the supposedly familiar voice of senior management is much harder to doubt.

Stage 4: Money laundering or data exfiltration

Transferred sums are immediately channelled on – often across several countries. Depending on the timing and nature of the transfer, it is difficult or even impossible to reverse a transfer made as a result of email fraud. This final phase, too, is now increasingly automated: AI-powered systems distribute funds in a matter of seconds across numerous accounts and cryptocurrency wallets in various countries to cover their tracks and hinder investigations. The speed at which this happens often leaves banks and authorities with no time to stop a transaction.

Important: The opportunities that artificial intelligence offers attackers today make prevention all the more important.

Recognising email fraud: How to protect your business

By implementing the right technical and organisational measures, you can significantly reduce the risk posed by business email compromise and AI-powered fraud attempts:

Technical safeguards

  • Email authentication with DMARC, DKIM and SPF:

    DMARC (Domain-based Message Authentication, Reporting & Conformance), DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework) are fundamental safeguards against email spoofing. Ensure that these standards are fully and correctly configured – SPF ending in a hard fail (-all), DKIM keys published for every selector you sign with, and a DMARC record with an enforcing policy (p=reject) rather than monitoring only (p=none) – so that attackers cannot exploit your domain for CEO fraud without being detected.
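The following script is an added example (not code from mailbox or from this page) that shows what “fully and correctly configured” means in practice. It evaluates a domain’s SPF, DKIM and DMARC TXT records for the weaknesses that leave a domain spoofable, and then simulates the DMARC alignment check a receiving mail server performs on a spoofed message. The DNS records, the domain names (weak.example, strong.example, attacker.example) and the DKIM selector “s1” are constructed for the example; no real DNS is queried, and the organisational-domain logic is simplified (real receivers use the Public Suffix List).

```python
import re

# Constructed sample DNS TXT records for two hypothetical domains; nothing is looked up.
# "weak.example" carries the misconfigurations seen in most spoofable domains,
# "strong.example" the hardened setup this section asks for.
SAMPLE_DNS = {
    "weak.example": ["v=spf1 include:_spf.example.net ~all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none; rua=mailto:dmarc@weak.example"],
    "strong.example": ["v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"],
    "_dmarc.strong.example": ["v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; rua=mailto:dmarc@strong.example"],
    "s1._domainkey.strong.example": ["v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAfakekey"],
}

def _txt(dns, name, prefix):
    return [r for r in dns.get(name, []) if r.lower().startswith(prefix)]

def parse_tags(record):
    """Split a 'k=v; k2=v2' record (DMARC, DKIM) into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def assess_spf(dns, domain):
    recs = _txt(dns, domain, "v=spf1")
    if not recs:
        return ["SPF: no record, any host may send as this domain"]
    if len(recs) > 1:
        return ["SPF: several records, receivers return permerror and SPF never passes"]
    terms = [t.lower() for t in recs[0].split()[1:]]   # skip the v=spf1 version tag
    findings = []
    final = next((t for t in terms if re.fullmatch(r"[+\-~?]?all", t)), None)
    if final is None or final in ("all", "+all"):
        findings.append("SPF: no failing 'all' mechanism, unknown senders pass")
    elif final in ("~all", "?all"):
        findings.append(f"SPF: '{final}' only soft-fails spoofed mail; use -all")
    lookups = sum(1 for t in terms if re.match(r"^[+\-~?]?(include:|exists:|redirect=|a(?:[:/]|$)|mx(?:[:/]|$))", t))
    if lookups > 10:   # RFC 7208 limit; beyond it SPF evaluation ends in permerror
        findings.append("SPF: more than 10 DNS-lookup terms, evaluation ends in permerror")
    return findings

def assess_dmarc(dns, domain, dkim_selectors=("s1",)):
    recs = _txt(dns, f"_dmarc.{domain}", "v=dmarc1")
    if not recs:
        return ["DMARC: no record, SPF/DKIM results are never enforced on the From: header"]
    tags = parse_tags(recs[0])
    policy = tags.get("p", "none").lower()
    findings = []
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine sends spoofed mail to spam instead of rejecting it")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the traffic")
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        findings.append("DMARC: sp=none leaves every subdomain spoofable")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, you never see who is spoofing you")
    for sel in dkim_selectors:
        if not _txt(dns, f"{sel}._domainkey.{domain}", "v=dkim1"):
            findings.append(f"DKIM: selector '{sel}' publishes no public key")
    return findings

def assess_domain(dns, domain, dkim_selectors=("s1",)):
    """All findings for one domain; an empty list means SPF, DKIM and DMARC are in order."""
    return assess_spf(dns, domain) + assess_dmarc(dns, domain, dkim_selectors)

def org_domain(domain):
    # Simplified organisational domain (last two labels); real receivers use the Public Suffix List.
    return ".".join(domain.lower().split(".")[-2:])

def aligned(header_from, auth_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if not auth_domain:
        return False
    if mode.lower() == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)

def dmarc_disposition(dns, header_from, spf_pass_domain=None, dkim_pass_domain=None):
    """What a DMARC-enforcing receiver does with a message whose From: header domain is header_from.
    spf_pass_domain: MAIL FROM domain if SPF passed; dkim_pass_domain: d= of a valid DKIM signature."""
    recs = _txt(dns, f"_dmarc.{header_from}", "v=dmarc1")
    if not recs:
        return "none"   # no policy to apply (real receivers also try the org domain's record)
    tags = parse_tags(recs[0])
    if aligned(header_from, spf_pass_domain, tags.get("aspf", "r")) or \
       aligned(header_from, dkim_pass_domain, tags.get("adkim", "r")):
        return "pass"
    return tags.get("p", "none").lower()

if __name__ == "__main__":
    for d in ("weak.example", "strong.example"):
        print(d, assess_domain(SAMPLE_DNS, d) or ["ok"])
    # Attacker sends From: ceo@strong.example via their own server, which passes SPF for attacker.example
    print(dmarc_disposition(SAMPLE_DNS, "strong.example", spf_pass_domain="attacker.example"))
```

The point of the last call is the one that matters for CEO fraud: SPF alone does not stop spoofing, because the attacker’s server legitimately passes SPF for the attacker’s own envelope domain. Only DMARC ties the SPF or DKIM result back to the From: header the employee actually sees, and only an enforcing policy turns a failed alignment into a rejected message.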

  • Multi-factor authentication (MFA) for all email accounts:

    MFA helps to prevent a significant proportion of BEC attacks that rely on compromised login credentials. Precisely because AI-powered phishing emails are so convincingly worded these days, the likelihood of employees entering their login credentials is increasing. This makes multi-factor authentication even more important. You should therefore adopt “No account without a second factor” as your email security principle, and prefer phishing-resistant factors such as FIDO2 security keys or passkeys over one-time codes, which a convincing phishing page can relay in real time.

  • Anomaly detection and alerting:

    Modern email security solutions detect unusual patterns, such as logins from unknown locations, suspicious forwarding rules or mass downloads of mailbox contents. They utilise AI to identify linguistic anomalies, atypical communication patterns or irregularities in writing style and metadata. This protective measure gives you a head start: if you are alerted at an early stage, you can intervene before any damage occurs.
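The following detection logic is an added example (not mailbox’s product code and not a vendor log format) that shows how the three signals named above can be caught from a mailbox audit trail: a login from a country the user has never logged in from, a newly created inbox rule that forwards finance-related mail externally or hides it, and a bulk download of messages. The events, the internal domain corp.example, the user names, the per-user baseline countries and the thresholds are all constructed for the example. The suspicious rule is scored higher when it follows an unusual login, because that sequence is how a compromised account is typically prepared for invoice fraud.

```python
from collections import deque
from datetime import datetime, timedelta

# Assumed internal mail domain and the keywords attackers filter on when they hide
# replies from the finance department in a compromised mailbox.
INTERNAL_DOMAIN = "corp.example"
FINANCE_KEYWORDS = ("invoice", "payment", "transfer", "bank", "iban")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

def _ev(ts, user, type_, **extra):
    return {"ts": ts, "user": user, "type": type_, **extra}

# Constructed sample audit events (a generic schema, not any vendor's log format).
SAMPLE_EVENTS = [
    _ev("2025-03-03T08:02:11Z", "cfo@corp.example", "login", ip="203.0.113.7", country="DE"),
    _ev("2025-03-03T22:41:05Z", "cfo@corp.example", "login", ip="198.51.100.23", country="NG"),
    _ev("2025-03-03T22:43:30Z", "cfo@corp.example", "rule_created", rule={
        "name": ".",
        "conditions": {"subject_contains": ["invoice", "payment"]},
        "actions": {"forward_to": "cfo.corp@webmail.example", "mark_read": True, "move_to": "RSS Feeds"}}),
    _ev("2025-03-04T07:55:00Z", "accounts@corp.example", "login", ip="203.0.113.9", country="DE"),
    _ev("2025-03-04T09:00:00Z", "hr@corp.example", "login", ip="203.0.113.10", country="DE"),
    _ev("2025-03-04T09:01:00Z", "hr@corp.example", "rule_created", rule={
        "name": "payslips", "conditions": {"subject_contains": ["payslip"]},
        "actions": {"forward_to": "payroll@corp.example"}}),
]
# 250 message fetches by accounts@ within about four minutes: a mailbox being bulk-downloaded.
_t0 = datetime(2025, 3, 4, 8, 0, 0)
SAMPLE_EVENTS += [
    _ev((_t0 + timedelta(seconds=i)).strftime(TS_FMT), "accounts@corp.example", "message_fetch", ip="203.0.113.9")
    for i in range(250)
]
# Countries each user normally logs in from, learned from earlier history (assumed here).
BASELINE_COUNTRIES = {"cfo@corp.example": {"DE"}, "accounts@corp.example": {"DE"}, "hr@corp.example": {"DE"}}

def _is_external(address, internal_domain):
    return address.rsplit("@", 1)[-1].lower() != internal_domain

def inspect_rule(rule, internal_domain=INTERNAL_DOMAIN):
    """Return the reasons an inbox rule looks like BEC tradecraft (empty list = benign)."""
    reasons = []
    actions = rule.get("actions", {})
    subjects = [s.lower() for s in rule.get("conditions", {}).get("subject_contains", [])]
    fwd = actions.get("forward_to")
    if fwd and _is_external(fwd, internal_domain):
        reasons.append(f"forwards to external address {fwd}")
    hides = actions.get("mark_read") or actions.get("delete") or actions.get("move_to")
    if hides and any(k in s for s in subjects for k in FINANCE_KEYWORDS):
        reasons.append("hides finance-related mail matching " + ", ".join(subjects))
    if not rule.get("name", "").strip(". "):   # a blank or dot-only name is a weak but common signal
        reasons.append("near-empty rule name")
    return reasons

def detect(events, baseline_countries, mass_threshold=200, window=timedelta(minutes=10)):
    alerts = []
    odd_login = {}      # user -> time of the last login from a non-baseline country
    fetches = {}        # user -> deque of fetch timestamps inside the sliding window
    mass_alerted = set()
    for e in sorted(events, key=lambda x: x["ts"]):   # ISO-8601 UTC strings sort chronologically
        ts, user = datetime.strptime(e["ts"], TS_FMT), e["user"]
        if e["type"] == "login":
            if e["country"] not in baseline_countries.get(user, set()):
                odd_login[user] = ts
                alerts.append({"user": user, "rule": "login_unknown_country", "severity": "medium",
                               "detail": f"{e['country']} from {e['ip']}"})
        elif e["type"] == "rule_created":
            reasons = inspect_rule(e["rule"])
            if reasons:
                # A suspicious rule shortly after an unusual login is the classic BEC sequence.
                recent = user in odd_login and ts - odd_login[user] <= timedelta(hours=24)
                alerts.append({"user": user, "rule": "suspicious_inbox_rule",
                               "severity": "high" if recent else "medium", "detail": "; ".join(reasons)})
        elif e["type"] == "message_fetch":
            q = fetches.setdefault(user, deque())
            q.append(ts)
            while ts - q[0] > window:   # drop fetches that fell out of the window
                q.popleft()
            if len(q) > mass_threshold and user not in mass_alerted:
                mass_alerted.add(user)
                alerts.append({"user": user, "rule": "mass_download", "severity": "high",
                               "detail": f"{len(q)} messages fetched within {window}"})
    return alerts

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS, BASELINE_COUNTRIES):
        print(a)
```

Run against the sample events, the script raises three alerts: the CFO login from an unexpected country, the inbox rule created two minutes later (rated high because of that login), and the bulk download from the accounts mailbox; the HR rule that forwards payslips to an internal address raises nothing. In production the baseline would be learned from each user’s history, and the thresholds tuned to the organisation’s normal traffic.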

  • A robust email infrastructure as the foundation of security:

    If your email communication runs on an infrastructure with high security standards, data stored exclusively in Germany or Europe, transparent security configuration options and no dependencies on US hyperscalers, this further enhances your control over your data.


Organisational protective measures

  • Regular training and simulations:

    Employees are the entry point for email fraud, which also makes them the most effective line of defence – provided they are well prepared. Regular BEC, voice and deepfake simulations, along with training on recognising social engineering, measurably increase the detection rate of vishing and similar attacks.

  • Clear communication protocols:

    Set out which requests may be made by email and which may not. Who is authorised to approve payments, and via which channel? Which types of payment instructions are never authorised exclusively by telephone or video call, regardless of how convincing the voice or image may seem? The clearer these rules are, the easier it is to spot deviations – and thus (AI-powered) BEC attacks.

  • Dual-control principle for payments:

    Do not authorise any payment order above a defined threshold without a second approval. This principle must also apply even if an instruction appears to have already been verified (e.g. via a phone call); otherwise, a convincing voice clone in a vishing attack could circumvent precisely this second level of control if staff believe verification has already taken place. The dual-control principle helps you prevent the majority of BEC-related losses in the areas of CEO fraud and invoice fraud.

  • Obligation to call back in the event of unusual enquiries:

    If the accounts department receives an unusual instruction – even if it appears to come from senior management – the following rule should apply: Under no circumstances should you confirm by replying to the same email; always verify by telephone, using a number from your own directory, never one given in the email itself.

Caution regarding call-back rules and vishing: Call-back verification becomes less effective when not only the email is forged but the voice on the other end of the line is also cloned, and AI-assisted fraud attempts of this kind are increasing. You should therefore supplement the measures described with additional verification steps, such as code words and security questions, or tests during video calls that many deepfake tools still fail at today – for example, asking the person to briefly hold their hand in front of their face or turn their head.

Why government bodies, local authorities and public administrations are in the spotlight

Business Email Compromise affects companies, but it is not solely a problem for the private sector. Public administrations, local authorities and government bodies are also attractive targets for cyberattacks via email:

1. Publicly documented processes

Anyone who knows how an authority communicates internally or what payment schedules apply to projects can create deceptively genuine enquiries.

2. Lack of cybersecurity resources

Many public authorities lack the technical and human resources required for effective IT security. This also affects security training for staff.

3. High transaction volumes

Whether it’s subsidy payments, construction costs or grant funding: transaction volumes in the public sector are often very high.

The German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) therefore explicitly recommends that public authorities and administrative bodies make the implementation of email authentication standards such as DMARC, DKIM and SPF mandatory, and regularly train staff to recognise cyberattacks.

Business continuity following a cyber attack

Whether through traditional business email compromise or using deepfakes, even well-prepared organisations can fall victim to a BEC attack. If internal systems or communication channels need to be isolated as a result, the question arises as to how your organisation can still remain operational. As part of your Business Continuity Management (BCM), you must ensure that critical communication processes continue to run even if the primary infrastructure is compromised or temporarily unavailable in the wake of an incident.

This also applies to scenarios in which the communication channels themselves become a weapon: If an email account has been compromised, a voice cloned or a video call spoofed, it is often only after a thorough investigation that it can be determined which internal systems are still trustworthy and which need to be isolated as a precaution. It is precisely during this phase of uncertainty that the extent of the damage caused by an attack is determined. If you are then left without a reliable communication channel, you lose time and the ability to investigate the incident in a coordinated manner.

In this context, business continuity specifically means maintaining communication when the primary communication system cannot or must not be used, for example because it is unclear whether an account remains under the attackers’ control. To do this, you need a secondary communication platform that is completely independent of the compromised primary system and ready for immediate use, enabling you to coordinate crisis management without having to rely on channels that may have been compromised. Only then can you keep staff, customers, authorities and partners informed and facilitate forensic analysis and incident response.

Ensure business continuity: Organisations that neglect this aspect lose valuable time after a BEC or deepfake attack when it comes to minimising damage and restoring trust.

Conclusion: You can protect yourself against Business Email Compromise

In the various forms of BEC, attackers exploit deeply human traits and capitalise on the fact that email is generally regarded as trustworthy. By combining the following measures, you can minimise your organisation’s vulnerability:

  • Technical safeguards that make email spoofing and account takeovers more difficult (SPF, DKIM, DMARC, MFA),
  • organisational processes that intercept suspicious requests before they cause damage,
  • regular staff training that covers AI-assisted attacks, enabling employees to recognise email fraud,
  • a secure, GDPR-compliant email infrastructure, which offers no unnecessary vulnerabilities,
  • and a business continuity strategy that ensures operations continue even in the event of an emergency.
