Business Email Compromise: How $50K-$250K Walks Out Your Door
BEC scams bypass firewalls and antivirus—your employee just thinks they're helping the CEO.
Last updated: March 20, 2026
A Houma construction company lost $87,000 last year when an accountant wired funds to a spoofed vendor account. The email looked like it came from the project manager. The request was routine—equipment payment, new vendor, please process today. No malware. No suspicious links. Just an email.
That's Business Email Compromise (BEC). And for Gulf Coast SMBs, it's the costliest cyber threat you're probably not talking about.
What BEC Actually Is
BEC is not phishing. Phishing casts a wide net—fake Netflix alerts, lottery scams, bogus password resets. BEC is targeted. Attackers spend weeks researching your company: your vendors, your CFO's name, your project timeline. Then they send one email that looks exactly like it came from someone you trust.
The FBI's Internet Crime Complaint Center reports average BEC losses of $50,000 to $250,000 per incident. For a small contractor, marine services firm, or seafood processor on the Gulf Coast, that's a catastrophic number.
How the Attacks Actually Work
The Fake Vendor Scenario
Attacker researches your AP department. Finds your largest vendor. Registers a lookalike domain (e.g., acme-supply.com becomes acme-suppiy.com or acme-supply.net). Sends an email to accounting: "We've changed banks—please update your records and process this payment to the new account." The account number is theirs.
The Executive Request Scenario
Attacker compromises or spoofs the CEO's email. Sends urgent request to accounting or HR: "I'm in a meeting, need you to wire $15,000 to this vendor ASAP, will explain later." Employee feels pressure to act fast. Sends the wire. Money's gone in hours.
The Invoice Fraud Scenario
Attacker intercepts a real invoice from a real vendor (via compromised email or Dark Web purchase). Modifies the bank account details. Resends it to your accounting team. Payment goes to the attacker. Vendor still expects payment. You pay twice—or not at all and lose the relationship.
The HR Data Request Scenario
Attacker poses as the IRS, a benefits administrator, or a lawyer requesting employee W-2s or Social Security numbers. Small businesses hand over this data without question because it seems routine. That data sells for $5-$20 per record on Dark Web marketplaces.
Who Gets Hit
BEC disproportionately targets businesses that:
- Wire transfer money regularly
- Have public-facing projects or partnerships (easy research for attackers)
- Lack multi-person approval for payments
- Use free email services (Gmail, Yahoo) for business communications
- Haven't set up email authentication (SPF/DKIM/DMARC)
Gulf Coast industries—construction, marine, oilfield services, seafood, hospitality—are prime targets because they wire money for equipment, charters, fuel, and supplies.
What It Costs
Prevention:
- Email authentication (SPF/DKIM/DMARC): $0 setup, $0-$50/month for monitoring tools
- Employee training and phishing simulations: $500-$2,000/year
- Payment verification policy: $0 (just requires a written procedure)
- Advanced email filtering: $5-$15/user/month
If You're Hit:
- Wire transfer recovery: Almost never happens. Banks typically cannot reverse wires once sent.
- Legal fees for investigation: $10,000-$50,000
- Forensic accounting: $5,000-$25,000
- Regulatory notification costs (if employee data was exposed): $1,000-$10,000
- Lost vendor relationships and goodwill: Priceless
What Can Go Wrong
"We verified it by email"
Your accountant replied to the spoofed email address. Attackers monitor those reply chains. Confirmation just told them you took the bait.
"The CEO asked us not to bother him"
Social engineering pressure—"don't tell anyone, this is confidential, we need to move fast"—is a red flag. Legitimate urgent requests from executives don't come with instructions to bypass normal procedures.
"It matched our vendor's old email"
If a vendor claims they've changed banks, verify by calling the number on your existing records—not the number in the email. Attackers sometimes stay in the email chain for months, building trust before the ask.
"We thought it was spam filtered"
BEC emails don't contain malware. They look like normal business emails. Spam filters don't catch them.
Minimum Viable Implementation
- Set up SPF, DKIM, and DMARC on your domain. This doesn't cost anything but time. It makes spoofing your domain significantly harder. If you're using Microsoft 365 or Google Workspace, both have built-in wizards for this.
- Create a payment verification policy. Any wire transfer over a set threshold (e.g., $1,000) requires verbal or video confirmation from the requestor using a known number—not a number from the email. Write the procedure into your employee handbook.
- Require two-person approval for wires. No single employee should be able to initiate and approve a payment alone. This takes 10 minutes to set up in most banking portals.
- Train employees on BEC red flags. Urgency, secrecy, new bank accounts, requests to bypass normal procedures. Phishing simulations cost $500-$1,500/year through services like KnowBe4 or Cofense.
- Verify vendor banking changes directly. Call your vendor's known contact number—not the number in the email requesting the change. Send a confirmation via a different channel (phone call to known number, not email reply).
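To make the email-authentication step concrete, here is an added example (not code from the article, Microsoft, or Google) that audits SPF and DMARC TXT records for the weak settings a receiving mail server will not enforce; the example.com domain, the two records and the finding wording are constructed for illustration.

```python
# Added example (not the article's code): audit SPF and DMARC TXT records for
# weak settings. The records below are constructed for a hypothetical example.com.
SAMPLE_RECORDS = {
    "example.com": "v=spf1 include:spf.protection.outlook.com ~all",
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}

# SPF terms that cost a DNS lookup; more than 10 makes receivers return permerror.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def check_spf(record):
    """Return findings for an SPF record; an empty list means it looks sound."""
    if not record.startswith("v=spf1"):
        return ["no SPF record: any server can claim to send as this domain"]
    terms = record.split()
    findings = []
    last = terms[-1]
    if last == "+all":
        findings.append("+all authorises every sender; spoofing is trivial")
    elif last == "~all":
        findings.append("~all is softfail only; use -all once all senders are listed")
    elif last != "-all":
        findings.append("record does not end with an 'all' term; add -all")
    lookups = sum(1 for t in terms
                  if t.lstrip("+-~?").split(":")[0].split("=")[0] in LOOKUP_TERMS)
    if lookups > 10:
        findings.append("more than 10 lookup terms; receivers will return permerror")
    return findings

def check_dmarc(record):
    """Return findings for a DMARC record; an empty list means it looks sound."""
    if not record.startswith("v=DMARC1"):
        return ["no DMARC record: receivers cannot enforce SPF/DKIM alignment"]
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    findings = []
    if tags.get("p", "none") == "none":
        findings.append("p=none only monitors; move to p=quarantine, then p=reject")
    if "rua" not in tags:
        findings.append("no rua= address: you will never see who is spoofing you")
    pct = tags.get("pct", "100")
    if pct.isdigit() and pct != "100":
        findings.append(f"pct={pct} leaves {100 - int(pct)}% of failing mail unenforced")
    return findings

def audit_domain(records, domain):
    """Combine SPF and DMARC findings for one domain from a dict of TXT records."""
    return {"spf": check_spf(records.get(domain, "")),
            "dmarc": check_dmarc(records.get("_dmarc." + domain, ""))}
```

Run `audit_domain(SAMPLE_RECORDS, "example.com")` against records you pull from your own DNS; a clean result is two empty lists.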
Vendor Questions (Copy/Paste)
- "Does your email service set up SPF, DKIM, and DMARC automatically, or do we configure it ourselves?"
- "Can you show us which emails are failing authentication checks on our domain?"
- "Do you offer any controls to warn users when an email comes from an external domain that looks similar to ours (e.g., yourcompany.com vs. yourc ompany.com with a space)?"
- "What's your process for alerting us if someone tries to send email 'from' our domain without authorization?"
- "Can we set up routing rules that flag (not block) emails from lookalike domains for review?"
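As an added example of the "flag, not block" control in the last question (not the article's code and not any email provider's rule engine), this Python check holds messages whose sender domain resembles your own domain or a known vendor's; the protected domains, sample senders and confusable-character table are constructed for illustration.

```python
# Added example (not the article's code): flag sender domains that resemble your own
# or a vendor's for human review. Protected domains and messages are constructed.
PROTECTED = ["yourcompany.com", "acme-supply.com"]
SAMPLE_MESSAGES = [
    ("ap@acme-suppiy.com", "Updated banking details for invoice 4471"),
    ("ceo@yourcompany.com", "Q3 schedule"),
    ("billing@acme-supply.net", "Payment reminder"),
]
# Character swaps that are hard to spot in a From: header.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "i": "l", "5": "s"}

def normalise(label):
    """Fold look-alike characters so 'acme-suppiy' compares equal to 'acme-supply'."""
    for bad, good in CONFUSABLES.items():
        label = label.replace(bad, good)
    return label

def edit_distance(a, b):
    """Levenshtein distance; domain labels are short, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_reason(sender_domain, protected):
    """Return why sender_domain resembles a protected domain, or None if it does not."""
    if sender_domain.lower() in {p.lower() for p in protected}:
        return None  # the genuine domain; SPF/DKIM/DMARC cover spoofing of it
    s_name, _, s_tld = sender_domain.lower().rpartition(".")
    for p in protected:
        p_name, _, p_tld = p.lower().rpartition(".")
        if s_name == p_name and s_tld != p_tld:
            return f"same name as {p} on a different TLD (.{s_tld})"
        if normalise(s_name) == normalise(p_name):
            return f"confusable characters mimic {p}"
        if edit_distance(s_name, p_name) <= 2:
            return f"within two edits of {p}"
    return None

def review_queue(messages, protected):
    """Return (sender, subject, reason) for messages that should be held for review."""
    queue = []
    for sender, subject in messages:
        reason = lookalike_reason(sender.rpartition("@")[2], protected)
        if reason:
            queue.append((sender, subject, reason))
    return queue
```

The reasons returned are what the reviewer sees next to the held message; genuine mail from your own domain passes straight through.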
When to Hire Help
DIY-friendly if:
- Single email provider (Microsoft 365 or Google Workspace)
- Fewer than 10 employees
- Simple payment workflows (one or two people handling finances)
- Basic understanding of your email admin panel
Get professional help if:
- You've already received suspicious emails "from" your own domain
- Multiple employees handle vendor payments or wire transfers
- You're in a high-target industry (construction, marine services, healthcare)
- You don't have anyone on staff who can explain what SPF and DKIM do
- Your bank has flagged unusual wire transfer requests
Warning signs you need help now:
- Employees receiving emails "from" your CEO asking for urgent wire transfers
- Vendors claiming they sent you invoices you never received
- Customers receiving emails "from" your domain that you didn't send
- No one on staff knows how to check your email authentication settings