Business Email Compromise, Explained
BEC is the #1 cyber loss category for professional services firms — bigger than ransomware in dollar terms. What it actually looks like in practice, the three controls that stop it, and the wire-transfer policy every firm should have in writing.
What BEC is
Business Email Compromise is the broad term for attacks where the criminal gains access to a business email account — or convincingly impersonates one — and uses that access to redirect money or steal sensitive data. Unlike ransomware, BEC doesn't lock up your systems. It's quieter, often goes undetected for weeks, and the dollar loss per incident is typically much higher.
The FBI's Internet Crime Complaint Center (IC3) consistently reports BEC as the single largest source of cyber-crime losses across all industries. For law firms and CPA practices specifically, BEC is the most common cyber claim filed against professional liability and cyber insurance policies.
How a typical BEC attack unfolds
Most BEC attacks against small professional services firms follow a pattern:
- Step 1: Initial access. A staff member at the firm clicks a phishing email and enters their M365 credentials on a fake login page. Or the credentials are bought on the dark web from an unrelated breach. Either way, the attacker now has access to a real firm email account.
- Step 2: Quiet observation. The attacker sets up inbox rules — forwarding incoming wire-related emails to themselves, auto-deleting replies — and watches. They learn the firm's clients, the partner's writing style, the firm's billing cadence, who handles trust accounts. This can last days or weeks.
- Step 3: The strike. At the right moment — typically when the partner is in court, traveling, or otherwise unavailable — the attacker sends an email impersonating the partner to the firm's bookkeeper or paralegal: "Please wire $43,000 to this new trust account vendor by end of day, I'll explain when I'm back." Or, in CPA cases: "Forward me the client's tax returns for the year, I need them for the meeting."
- Step 4: The money moves. The bookkeeper, trusting an email from "the partner" they recognize, executes. The wire is gone within hours and is rarely recoverable. The tax returns, once forwarded, are used for identity theft or tax fraud at industrial scale.
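The inbox rules from Step 2 are the most reliable early sign that an account has been taken over, and they are also the easiest thing to audit: they live in the mailbox, not in the attacker's hands. The script below is an added example, not Verta IT's tooling, showing what an inbox-rule audit looks for. It takes rule records as plain Python dicts so it runs offline; the field names (Mailbox, Name, Enabled, ForwardTo, RedirectTo, ForwardAsAttachmentTo, DeleteMessage, MoveToFolder, SubjectContainsWords, BodyContainsWords) are assumed to follow the style of an Exchange Online inbox-rule export, the firm domain yourfirm.com is a placeholder, and the sample rules at the bottom are constructed for the example. A rule gets flagged for forwarding outside the firm, deleting mail, or filing it into a folder nobody reads; a money-keyword filter is only reported alongside one of those, because on its own it is an ordinary user rule.

```python
"""Audit mailbox inbox rules for the patterns an attacker sets up in Step 2.

Added example, not Verta IT's tooling. Field names are assumed to follow
the style of an Exchange Online inbox-rule export; the sample rules are
constructed for this example.
"""
from dataclasses import dataclass

FIRM_DOMAIN = "yourfirm.com"  # assumed: the firm's own mail domain

# Keywords an attacker uses to single out money-movement email.
MONEY_WORDS = {"wire", "invoice", "payment", "bank", "ach", "routing", "trust"}

# Folders commonly used to hide mail from the mailbox owner.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "deleted items", "junk email", "archive"}


@dataclass
class Finding:
    mailbox: str
    rule: str
    reasons: list


def external_addresses(addresses, firm_domain=FIRM_DOMAIN):
    """Return the addresses whose domain is not the firm's own."""
    return [a for a in addresses if not a.lower().endswith("@" + firm_domain)]


def audit_rules(rules, firm_domain=FIRM_DOMAIN):
    """Return one Finding per enabled rule that shows a BEC-style pattern."""
    findings = []
    for r in rules:
        if not r.get("Enabled", True):
            continue
        reasons = []
        # Attacker-created rules are often named "." or "" to avoid attention.
        if len(r.get("Name", "").strip()) <= 1:
            reasons.append("suspiciously short rule name")
        targets = (r.get("ForwardTo", []) + r.get("RedirectTo", [])
                   + r.get("ForwardAsAttachmentTo", []))
        ext = external_addresses(targets, firm_domain)
        if ext:
            reasons.append("forwards to external address(es): " + ", ".join(ext))
        if r.get("DeleteMessage"):
            reasons.append("deletes matching messages")
        folder = (r.get("MoveToFolder") or "").lower()
        if folder in HIDING_FOLDERS:
            reasons.append("moves mail to a hiding folder: " + r["MoveToFolder"])
        words = {w.lower() for w in r.get("SubjectContainsWords", [])
                 + r.get("BodyContainsWords", [])}
        hits = sorted(words & MONEY_WORDS)
        # A keyword filter on its own is a normal user rule; combined with
        # forwarding, deleting or hiding it is the Step 2 pattern.
        if hits and reasons:
            reasons.append("targets money-related keywords: " + ", ".join(hits))
        if reasons:
            findings.append(Finding(r["Mailbox"], r.get("Name", ""), reasons))
    return findings


# Constructed sample: one benign user rule, two attacker-style rules, one disabled.
SAMPLE_RULES = [
    {"Mailbox": "bookkeeper@yourfirm.com", "Name": "Client invoices", "Enabled": True,
     "SubjectContainsWords": ["invoice"], "MoveToFolder": "Invoices"},
    {"Mailbox": "bookkeeper@yourfirm.com", "Name": ".", "Enabled": True,
     "SubjectContainsWords": ["wire", "payment"],
     "ForwardTo": ["acct.review@example-mail.test"], "DeleteMessage": True},
    {"Mailbox": "partner@yourfirm.com", "Name": "Cleanup", "Enabled": True,
     "BodyContainsWords": ["bank", "routing"], "MoveToFolder": "RSS Feeds"},
    {"Mailbox": "partner@yourfirm.com", "Name": "Old forward", "Enabled": False,
     "ForwardTo": ["someone@example-mail.test"]},
]

if __name__ == "__main__":
    for f in audit_rules(SAMPLE_RULES):
        print(f"{f.mailbox}: rule {f.rule!r}")
        for reason in f.reasons:
            print("   -", reason)
```

Run against the sample, the benign "Client invoices" rule and the disabled rule pass, while the "." rule (external forward, delete, money keywords) and the "Cleanup" rule (bank/routing mail hidden in RSS Feeds) are reported with the reason for each. In a real tenant the same logic runs over an export of every mailbox's rules on a schedule, and any new external forward is worth a phone call to the mailbox owner.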
Why professional services firms are the prime target
Three reasons:
- The money is real. Law firms hold trust account funds. CPAs handle client refunds and payment routing. Wires are routine. A wire to a "new vendor" doesn't raise the alarm it would at a manufacturing company.
- The data is valuable. Tax returns, financial statements, personal identifying information — these are sellable on the dark web for hundreds of dollars per record, or used directly for tax-return fraud.
- The team is small and trust-based. A 10-person firm doesn't have a fraud department. The bookkeeper trusts the partner. The paralegal trusts the senior attorney. BEC exploits exactly this trust.
The three controls that stop BEC
These are not 100% protections, but each one knocks out a class of attack:
- 1. MFA on every account. Stops the initial access. If the phished credentials don't work because MFA is required, the attack ends at Step 1. (See our MFA article for what this looks like in practice.)
- 2. Email authentication (SPF, DKIM, DMARC). Stops the impersonation. With DMARC enforcement on your domain, an external attacker can't send email that appears to come from an address at "@yourfirm.com": any recipient mail server that checks DMARC rejects or quarantines it. Many small firms have SPF configured but no DKIM and no DMARC enforcement policy (a record set to p=none, or no DMARC record at all), which leaves the door open.
- 3. Anti-phishing controls in Microsoft 365 Defender (or equivalent). Stops the inbox infiltration. Defender for Office 365 (included in M365 Business Premium) can detect impersonation patterns, scan attachments and links, and flag emails that mimic internal senders. Properly tuned, it catches 90%+ of BEC attempts before they reach the inbox.
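The gap described under control 2 (SPF present, DMARC absent or set to monitor only) is visible in two DNS TXT records, and it is worth knowing how to read them rather than trusting a vendor dashboard. The script below is an added example, not Verta IT's code or a Microsoft tool: it grades an SPF record and a DMARC record for the weaknesses named above. It does no DNS lookups; the records are passed in as strings so it runs offline, and the sample records are constructed (yourfirm.com is a placeholder; spf.protection.outlook.com is the usual Microsoft 365 SPF include). It covers only the exact domain: DKIM is a separate per-selector record not checked here, and no amount of DMARC stops mail sent from a compromised internal account or from a lookalike domain the attacker registered.

```python
"""Grade a domain's SPF and DMARC TXT records for the weaknesses named above.

Added example, not Verta IT's code. No DNS lookups are made; records are
passed in as strings and the samples below are constructed.
Levels: 0 missing, 1 weak, 2 partial, 3 enforced.
"""


def parse_tags(record):
    """Split 'v=DMARC1; p=none; rua=...' into {tag: value} with lowercase tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(spf):
    """Return (level, note) for an SPF record."""
    if not spf or not spf.lower().startswith("v=spf1"):
        return 0, "no SPF record"
    last = spf.split()[-1].lower()
    if last == "-all":
        return 3, "SPF hard-fails senders not listed (-all)"
    if last == "~all":
        return 2, "SPF only soft-fails unlisted senders (~all); receivers treat it as a hint"
    if last in ("+all", "?all"):
        return 1, f"SPF lets any host send as this domain ({last})"
    return 1, "SPF has no 'all' term; unlisted senders are treated as neutral"


def assess_dmarc(dmarc):
    """Return (level, note) for a DMARC record."""
    if not dmarc:
        return 0, "no DMARC record: receivers have no policy to apply to spoofed mail"
    tags = parse_tags(dmarc)
    if tags.get("v", "").upper() != "DMARC1":
        return 0, "DMARC record malformed (missing v=DMARC1)"
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    if policy == "reject" and pct == 100:
        return 3, "DMARC p=reject at 100%: receivers that check DMARC reject spoofed mail"
    if policy == "reject":
        return 2, f"DMARC p=reject but pct={pct}: only part of failing mail is rejected"
    if policy == "quarantine":
        return 2, f"DMARC p=quarantine (pct={pct}): spoofed mail goes to junk, not rejected"
    return 1, "DMARC p=none: monitoring only, spoofed mail is still delivered"


def grade_domain(domain, spf, dmarc):
    """Combine both checks; 'enforced' is true only with full DMARC reject."""
    spf_level, spf_note = assess_spf(spf)
    dmarc_level, dmarc_note = assess_dmarc(dmarc)
    notes = [spf_note, dmarc_note]
    if dmarc and "rua" not in parse_tags(dmarc):
        notes.append("no rua= address: you will not receive DMARC aggregate reports")
    return {"domain": domain, "spf": spf_level, "dmarc": dmarc_level,
            "enforced": dmarc_level == 3, "notes": notes}


# Constructed records: the common weak state and the corrected one.
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@yourfirm.com"
STRONG_SPF = "v=spf1 include:spf.protection.outlook.com -all"
STRONG_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@yourfirm.com; adkim=s; aspf=s"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                              ("corrected", STRONG_SPF, STRONG_DMARC)):
        result = grade_domain("yourfirm.com", spf, dmarc)
        print(f"{label}: enforced={result['enforced']}")
        for note in result["notes"]:
            print("   -", note)
```

The "weak" pair is what a typical small firm has: SPF with a soft fail and DMARC in monitor mode, so a spoofed message still lands in the inbox. The "corrected" pair is the target state. Moving from p=none to p=reject should go through p=quarantine with aggregate reports (the rua= address) reviewed first, so legitimate senders such as a billing platform or scanner are added to SPF/DKIM before their mail starts being rejected.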
The wire-transfer policy every firm should have in writing
Technical controls reduce risk but don't eliminate it. The last line of defense is a written firm policy that:
- Requires verbal confirmation for all wire transfers above a threshold (e.g., $5,000) — phone call to a known number, not a number from the email itself.
- Requires the same verbal confirmation if a recipient's wire instructions change — even if the email asking for the change appears to come from a long-standing client.
- Designates a single approver for trust account wires with a clear backup if they're unavailable.
- Includes a "no-rush" rule: if an email asking for a wire transfer urges secrecy or speed ("don't tell anyone, I need this by 4 PM"), the policy is to escalate, not execute.
- Is reviewed annually and included in new-hire onboarding, so it's not just a document — it's actually known by everyone who could be targeted.
Most BEC attacks succeed not because the firm had no technology, but because the firm had no written policy and the targeted staff member trusted the email. A two-page wire policy, reviewed and signed by everyone on staff, is the single most effective non-technical defense.
What to do if you suspect BEC right now
If you have any reason to believe an account has been compromised — unexpected forwarding rules, password reset emails you didn't request, missing emails, a vendor calling about a "new" wire instruction — stop and call IT immediately. Don't continue using the account. Don't reply to suspicious emails from it. The first 24 hours determine whether the attacker keeps access or loses it.
The FBI also asks BEC victims to file a report at ic3.gov as quickly as possible — there's a "Financial Fraud Kill Chain" the FBI can sometimes activate to recover funds, but only if the wire is reported within hours.
Where Verta IT comes in
BEC defense isn't one tool — it's a stack of controls plus a written policy plus periodic awareness training. Verta IT configures MFA, SPF/DKIM/DMARC, Defender for Office 365, and inbox rule auditing as part of every Essential, Professional, and Premium engagement. We also help firms draft the wire-transfer policy and roll out phishing-simulation training so the staff know what BEC looks like before they see it for real.
This article is informational and does not constitute legal, insurance, or financial advice. For incident response after a suspected BEC, engage qualified counsel and your insurance carrier immediately.