The BEC Reality Check: How to Spot and Stop Email Fraud


Article summary: Business email compromise (BEC) is the most financially damaging cybercrime targeting small businesses today. Attackers impersonate trusted contacts and exploit normal business routines to redirect payments and steal data. A short, repeatable checklist of the right questions before acting on any unexpected email is one of the most effective defenses your team can have.

A message lands in your inbox that feels routine. It looks like it’s from your vendor. 

It’s got the right name, the right company, even a reference to the invoice you’ve been working on together. The only ask is to update the payment details before the end of the day.

That’s a business email compromise (BEC). And it’s designed to be exactly that believable.

BEC isn’t mass phishing. It’s targeted, researched, and built to look like something you’d expect. Getting email security for small businesses right means knowing what to look for — and having a few non-negotiable habits before you act on any unusual request.

What Is Business Email Compromise?

BEC is a fraud scheme where attackers impersonate a trusted contact and use that trust to get someone to send money or share sensitive information. 

Sometimes they spoof an email address to look legitimate. Sometimes they actually compromise a real account first, monitor ongoing conversations for weeks, then insert themselves at exactly the right moment.

The scale is staggering. 

According to the FBI’s Internet Crime Complaint Center, BEC has cost businesses and individuals nearly $55.5 billion globally over the past decade, across more than 305,000 incidents.

These attacks succeed precisely because they skip the hallmarks people associate with scams. There are no suspicious links, no obvious typos, and no strange attachments. Just an email that looks routine.

The Silent Warning Sign Most Businesses Miss

Here’s the most overlooked symptom of a BEC attack already in progress: you stop receiving certain emails.

When attackers compromise an email account, one of their first moves is to create hidden inbox rules. 

These rules automatically redirect or delete incoming messages so the real account owner never sees the replies that might tip them off.

According to Palo Alto Networks, attackers routinely use inbox rules to “hide security alerts or vendor replies” while running fraud from inside a compromised account. 

If someone on your team has noticed a drop in expected emails, that’s worth investigating before anything else.

The BEC Checklist

BEC exploits urgency and trust. Taking 60 seconds to run through these checks costs nothing.

Were you expecting this email?

Unsolicited contact deserves extra scrutiny, especially if it involves money, account changes, or sensitive data. Attackers often frame messages as if they’re resuming an existing conversation even when none exists. 

If the context feels slightly off, trust that instinct.

Does the sender’s name match the actual email address?

Look past the display name. A message might show the correct name in the From field while the actual sending address belongs to a completely unrelated domain.

Click or hover on the name to reveal the real address. If the name and the domain don’t line up, don’t act on it.

Does the domain have any subtle tweaks?

Attackers register lookalike domains that pass a casual glance: “csolutionsit.com” becomes “csolutions-it.com” or “csolutioonsit.com.”

CSO Online notes that swapped characters, added hyphens, or slightly misspelled domains are among the most reliable signs of a BEC attempt. 

Always read the full address, not just the first few characters.
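The two header checks above (display name versus real address, and lookalike domains) as a small script, added here as an example and not code from the original post or from C Solutions IT. It assumes a constructed vendor record: the page's own domain as the trusted domain and one hypothetical known contact.

```python
from email.utils import parseaddr

# Constructed reference data: the page's own domain as the trusted vendor,
# plus one hypothetical known contact. In practice this comes from your vendor records.
TRUSTED_DOMAINS = {"csolutionsit.com"}
KNOWN_CONTACTS = {"jane doe": "jane@csolutionsit.com"}

def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character domain tweaks."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize(domain):
    """Drop the TLD, hyphens and doubled letters so that csolutions-it and
    csolutioonsit both collapse to csolutionsit."""
    label = domain.rsplit(".", 1)[0].replace("-", "").replace(".", "")
    return "".join(c for i, c in enumerate(label) if i == 0 or c != label[i - 1])

def is_lookalike(domain, trusted=TRUSTED_DOMAINS):
    """True when the domain is not trusted but passes for one at a casual glance."""
    if domain in trusted:
        return False
    return any(normalize(domain) == normalize(t) or edit_distance(domain, t) <= 2
               for t in trusted)

def check_sender(from_header, trusted=TRUSTED_DOMAINS, contacts=KNOWN_CONTACTS):
    """Run both header checks. Returns a list of findings; an empty list means the
    From header is consistent with what you already know about the sender."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    if "@" not in addr:
        return ["unparseable-address"]
    domain = addr.rsplit("@", 1)[1]
    findings = []
    # Check 1: the display name is a known contact, but the address is not theirs
    expected = contacts.get(name.strip().lower())
    if expected and expected != addr:
        findings.append("contact-address-mismatch")
    # Check 2: the sending domain is a subtly tweaked copy of a trusted one
    if is_lookalike(domain, trusted):
        findings.append("lookalike-domain")
    return findings
```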

Does the link URL go where it claims?

Before clicking any link, hover over it and look at the actual web address that appears. 

Does it match where you’d expect to land? A link labeled “Review Invoice” that resolves to an unrecognized domain is a red flag. When in doubt, go directly to the website yourself rather than clicking through.

Is there urgency, secrecy, or a sudden change to payment details?

“I need this today.” “Don’t loop in anyone else.” “We’ve updated our bank account.” These are textbook BEC pressure tactics. 

Real vendors don’t change payment instructions by email without a prior conversation. Real executives don’t request urgent wire transfers with no context. If any of those phrases appear, slow down.

If something feels off, just delete it

This isn’t overcaution. It’s the right move. If the message is legitimate and genuinely important, the sender will reach you another way. 

The cost of deleting a real email is almost always recoverable. The cost of acting on a fraudulent one frequently is not.

When You Need to Confirm: Call, Don’t Reply

If you’re genuinely unsure whether an email is real, verify it offline. Call the person using a phone number you already have on file. Do not use the number listed in the email itself.

The U.S. Secret Service advises victims and potential targets to “conduct sensitive communication via alternative means” whenever a request involves financial transactions or account changes. 

A real colleague or vendor will understand the check. A scammer will not.

Make this a firm policy for any payment above a set threshold, any change to banking details, and any request marked urgent that arrived without prior context.

Technical Controls That Close the Gaps

The checklist handles human judgment. A few technical measures reduce how many bad emails reach your team in the first place.

Enable multi-factor authentication (MFA) on all email accounts. MFA requires a second verification step to log in and is one of the most effective barriers against credential theft that enables BEC.

Going passwordless with Microsoft takes this one step further by removing passwords as a vulnerability entirely.

Turn on external sender alerts. Most email platforms can flag messages from outside your organization with a visible banner. It is a one-time setup that gives employees an immediate visual cue before they respond.

Block automatic forwarding to external addresses. This prevents the hidden inbox rule problem at the source. In Microsoft 365, this can be set as a default policy across all accounts.

Audit inbox rules quarterly. It takes a few minutes to check whether any forwarding or redirect rules exist in your accounts that nobody intentionally created. Add it to your regular IT review calendar.
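A quarterly inbox-rule audit as a script, added here as an example and not code from the original post or from C Solutions IT. It assumes the rules have already been exported in the shape of a Microsoft Graph messageRules response (a constructed sample is embedded), treats the page's own domain as internal, and flags the indicators the article describes (external forwarding, deleting the replies or alerts that would tip the owner off) plus one heuristic that goes beyond the page: rules with a blank or single-dot name.

```python
import json

# Domains that count as inside the organization (assumption: the page's own domain).
INTERNAL_DOMAINS = {"csolutionsit.com"}
# Words that appear in the vendor replies and alerts a BEC rule is built to hide.
HIDE_KEYWORDS = {"invoice", "payment", "wire", "bank", "password", "security"}
CONDITION_KEYS = ("subjectContains", "bodyContains", "bodyOrSubjectContains", "senderContains")

# Constructed sample in the shape of a Microsoft Graph messageRules response
# (GET /users/{id}/mailFolders/inbox/messageRules); r2 is the attacker-style rule.
SAMPLE_RULES = json.loads("""{"value": [
 {"id": "r1", "displayName": "Move newsletters", "isEnabled": true,
  "conditions": {"senderContains": ["newsletter"]},
  "actions": {"moveToFolder": "folder-id-placeholder"}},
 {"id": "r2", "displayName": ".", "isEnabled": true,
  "conditions": {"bodyOrSubjectContains": ["invoice", "payment", "wire"]},
  "actions": {"forwardTo": [{"emailAddress": {"address": "drop@freemail.example"}}],
              "delete": true, "stopProcessingRules": true}},
 {"id": "r3", "displayName": "Copy to assistant", "isEnabled": true,
  "conditions": {},
  "actions": {"redirectTo": [{"emailAddress": {"address": "pa@csolutionsit.com"}}]}}
]}""")

def rule_targets(rule):
    """Every address the rule forwards or redirects mail to."""
    acts = rule.get("actions", {})
    recips = (acts.get("forwardTo", []) + acts.get("forwardAsAttachmentTo", [])
              + acts.get("redirectTo", []))
    return [r["emailAddress"]["address"].lower() for r in recips]

def audit_rules(rules, internal=INTERNAL_DOMAINS):
    """Map rule id -> reasons for every enabled rule that matches the BEC pattern."""
    flagged = {}
    for rule in rules["value"]:
        if not rule.get("isEnabled", True):
            continue
        acts = rule.get("actions", {})
        reasons = []
        if any(a.rsplit("@", 1)[-1] not in internal for a in rule_targets(rule)):
            reasons.append("forwards-externally")
        if acts.get("delete"):
            reasons.append("deletes-messages")
        words = {w.lower() for k in CONDITION_KEYS for w in rule.get("conditions", {}).get(k, [])}
        if words & HIDE_KEYWORDS and (acts.get("delete") or acts.get("moveToFolder")):
            reasons.append("hides-finance-or-security-mail")
        if not rule.get("displayName", "").strip(" ."):
            reasons.append("blank-or-dot-name")
        if reasons:
            flagged[rule["id"]] = reasons
    return flagged
```

Anything this returns should be matched against a change ticket; a rule nobody can account for is the "drop in expected emails" symptom made visible.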

Don’t Let One Email Derail Your Business

BEC works because your team is professional and responsive. The goal isn’t to make everyone paranoid. It is to give them a short, consistent habit that catches the things urgency and familiarity tend to hide.

If you’d like help configuring email security settings, reviewing your Microsoft 365 environment for forwarding rules, or building a simple email verification policy for your team, C Solutions IT can help. We work with small businesses to keep operations running safely without overcomplicating everyday work.

Reach out at csolutionsit.com/contact.

Article FAQs

What is business email compromise (BEC)?

BEC is a type of targeted fraud where attackers impersonate a trusted business contact to trick someone into sending money or sharing sensitive information. 

How do I know if my email account has already been compromised?

One of the clearest signs is that emails you would normally receive seem to go missing or never get a response. Attackers often create hidden inbox rules that redirect or delete messages to cover their tracks. Checking your inbox rules for any you don’t recognize is a quick first step.

What is the most important thing a small business can do to reduce BEC risk?

Enable multi-factor authentication on all email accounts. Most successful BEC attacks involving account takeover are possible because credentials were stolen with no second factor in place. MFA doesn’t prevent every attack, but it closes one of the most consistently exploited entry points.