What does a business email compromise look like?

A business email compromise (BEC) is a digital deception dressed up to impress. It’s clean, calculated, and ready to fool even the sharpest eye. These scammers don’t bother with sloppy hacks. They whisper familiar words, pretending to be your CEO, HR, or trusted salesperson. And, unlike phishing, it’s a precise attack built on intel.
Just last year, BEC attacks cost a staggering $2.7 billion, a 12.5% jump compared to 2021. That’s not a small amount of money; it’s a killing. And guess what? Scammers don’t need malware. All they need is your trust.
Let’s break down 10 examples of email compromises that will make you double-check every email in your inbox.
What is business email compromise?
BEC is when cybercriminals impersonate someone you trust—your boss, your lawyer, your salesperson—to trick you into handing over money or sensitive information. They learn your habits, mimic your contacts, and wait for the right moment to act.
Want to see how these scams play out and how to stay ahead of them? Check out our full analysis of business email compromise tactics and trends.
How is BEC different from phishing?
Here’s a quick summary of how each attack strategy works:
| Phishing | Business email compromise |
| --- | --- |
| Mass emails, same bait | Precision attack, sniper style |
| No real intel | Deep research and impersonation |
| Fast and sloppy | Slow, methodical, deliberate |
| Usually smaller losses | Multi-million dollar fraud |
Types of business email compromise (and their new tricks)
BEC is constantly evolving. Check out the latest business email compromise trends:
- AI mimicry: Attackers use AI to sound like your boss.
- Fake invoicing schemes: Fake invoices that appear to come from legitimate vendors, but direct payments to a fraudulent account.
- QR code attacks: QR codes are embedded in emails to send victims to phishing sites or trigger malicious downloads.
- Conversation hijacking: Attackers take over legitimate email threads to steal sensitive information or trick employees into taking certain actions.
This isn’t your grandma’s Nigerian prince scam. It’s Ocean’s Eleven, but with Gmail. To give you a taste of how these high-stakes scams play out, here are 10 real-life examples of business email compromise.
1. Toyota Supplier: $37 million BEC attack
In 2019, a Toyota supplier was the victim of a $37 million BEC attack. A third-party hacker, posing as a business partner of one of Toyota’s subsidiaries, sent emails to the finance and accounting teams requesting that funds be transferred to an account under the hacker’s control. This type of attack is often called vendor email compromise (VEC).
2. Ubiquiti: $46.7m vendor fraud
Ubiquiti, a telecommunications company, was hit in 2015 with a massive loss of $46.7 million involving vendor impersonation. The attack used spoofed emails and fraudulent requests from an outside source, which tricked the finance department into approving transfers to offshore accounts controlled by third parties.
3. Facebook and Google: $121m BEC scam
It’s hard to believe, but tech giants like Facebook and Google were duped by phishing attacks that cost more than $121 million between 2013 and 2015. Evaldas Rimasauskas posed as a vendor, sending emails with convincing invoices to company employees asking for payment. Once the companies deposited the money, he quickly moved it to various bank accounts around the world.
4. Fraudsters swipe $2.8 million from Grand Rapids Public Schools in Michigan
Grand Rapids Public Schools in Michigan lost $2.8 million. Fraudsters accessed the email of a district benefits coordinator, using it to intercept communications and redirect district insurance payments to a different account.
5. Imposter CFO defrauds Children’s Healthcare of Atlanta out of $3.6 million
In 2018, Children’s Healthcare of Atlanta was hit when a fraudster impersonated the CFO. The scam tricked the hospital’s accounts payable department into updating bank account information on file, resulting in $3.6 million being transferred to a fraudulent account.
6. A real estate developer lost €38 million to a scam
In 2021, a real estate company was defrauded of 38 million euros by an international group of fraudsters using social engineering techniques. The fraudsters posed as lawyers, gaining the company’s trust and pressing for confidential, urgent wire transfers.
7. Construction fraud: $793,000 stolen from church building fund
A scammer took advantage of a new construction project for a North Carolina church, stealing $793,000 in 2022. Posing as a contractor, the fraudster subtly changed a single letter in the email address to redirect the funds into his hands.
8. Cybercriminals stole $11.1 million from Medicare and Medicaid
In a targeted BEC attack, cybercriminals impersonated trusted entities to target the federal health care programs Medicare and Medicaid. By spoofing emails, they successfully diverted $11.1 million to fake bank accounts.
9. Save the Children: $1 million
Save the Children lost $1 million in 2017 when fraudsters accessed an employee’s email account and posed as that employee. Using fake invoices and email requests, they convinced the charity to transfer the funds.
10. Guillermo Perez: $2.2 million
Between 2018 and 2019, Guillermo Perez orchestrated a BEC scam that defrauded several victims of $2.2 million. It is alleged that he impersonated people and businesses in the course of ordinary financial transactions, convincing victims to deposit money into accounts controlled by him and those he worked with.
How to fight back: A smart defense strategy
Stopping BEC is about smart processes and systems. Here’s what you can do:
- Confirm requests: Always call or use known contacts to double-check any movement of money.
- Two sets of eyes: Set approval levels for transfers, especially over a certain dollar amount.
- Train your people: Teach your team to sniff out a scam before it hits. Huntress Managed Security Awareness Training can help with that.
- Invest in email security: Get tools that flag spoofing and phishing.
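The single-letter address change in example 7 is the kind of thing email-security tooling can flag automatically. The sketch below is an added example (not from the original article or from Huntress) that compares a message's From domain against an assumed list of known vendor domains and also flags a Reply-To pointing elsewhere, a further common check. The domains and messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains of vendors the finance team actually pays (constructed).
KNOWN_VENDOR_DOMAINS = {"acme-builders.example", "northside-supply.example"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value) -> str:
    """Lower-cased domain of an address header, or '' if the header is absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()

def bec_flags(raw_message: str, known=KNOWN_VENDOR_DOMAINS, max_distance=1):
    """Return reasons this message needs a call-back before any payment."""
    msg = message_from_string(raw_message)
    sender = domain_of(msg.get("From"))
    reply_to = domain_of(msg.get("Reply-To"))
    flags = []
    # A domain that is *almost* a known vendor is more suspicious than a stranger.
    if sender and sender not in known:
        for good in sorted(known):
            if edit_distance(sender, good) <= max_distance:
                flags.append(f"lookalike-domain:{sender}~{good}")
    # Replies silently routed to another domain are a classic diversion.
    if reply_to and reply_to != sender:
        flags.append(f"reply-to-mismatch:{reply_to}")
    return flags

# Constructed sample messages: 'bui1ders' swaps the letter l for the digit 1.
LOOKALIKE = (
    "From: Accounts <billing@acme-bui1ders.example>\n"
    "Subject: Updated bank details for invoice 1042\n\n"
    "Please use the new account for this payment.\n"
)
GENUINE = LOOKALIKE.replace("bui1ders", "builders")
DIVERTED = GENUINE.replace("Subject:", "Reply-To: ap@mailbox.example\nSubject:", 1)

if __name__ == "__main__":
    for name, raw in [("lookalike", LOOKALIKE), ("genuine", GENUINE), ("diverted", DIVERTED)]:
        print(name, bec_flags(raw))
```

A flag here is a prompt to confirm the request through a known contact, not proof of fraud.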
Don’t trust. Confirm. Always.
BEC scammers knock, smile, and politely ask you to hand it over. This attack works because it exploits trust, timing, and familiarity. Your best defense against them is not fear, but strategy. Create habits that slow things down, require validation, and remove easy targets. Because when BEC hits, you lose trust, reputation, and time. And that’s a price no one wants to pay.
We understand what threats like identity theft and unauthorized access mean to your business, and we’re here to help. Huntress has you covered with managed identity threat detection and response (ITDR), protecting identities across your organization 24/7.



