BEC is constantly evolving. Check out the latest business email compromise trends:
AI-style cloning: Attackers are using AI to sound exactly like your boss.
Fake invoice schemes: Forged invoices look like they're from trusted vendors, but direct payments to a bogus account.
QR code attacks: QR codes embedded in emails send victims to phishing sites or trigger malicious downloads.
Conversation hacking: Attackers take over legitimate email threads to steal sensitive information or manipulate employees into taking certain actions.
This isn’t your grandma’s Nigerian prince scam. It’s Ocean’s Eleven but with Gmail. To give you a taste of how these high-stakes cons play out, here are 10 real-life business email compromise examples.
In 2019, a Toyota supplier fell victim to a $37 million BEC attack. A third-party hacker, impersonating a business partner of one of Toyota’s subsidiaries, sent emails to finance and accounting teams requesting that funds be transferred to an account under their control. This type of attack is commonly referred to as a vendor email compromise (VEC).
Ubiquiti, a networking company, was hit in 2015 with a massive $46.7 million loss involving fake vendor impersonations. The attack used impersonated emails and fraudulent requests from an external source, tricking the finance department into approving transfers to overseas accounts controlled by third parties.
Hard to believe, but tech giants like Facebook and Google were duped by a phishing attack that cost them over $121 million between 2013 and 2015. Evaldas Rimasauskas posed as an external vendor, sending emails with convincing invoices to company staffers requesting payment. Once the companies wired the money, he quickly moved the funds to various bank accounts around the world.
Grand Rapids Public Schools in Michigan lost $2.8 million. Scammers accessed the email of the district’s benefits coordinator, using it to intercept communications and redirect the district’s insurance payments into a different account.
In 2018, Children’s Healthcare of Atlanta was hit when a fraudster impersonated the CFO. The scammer tricked the hospital’s accounts payable department into updating the bank account details on file, resulting in a $3.6 million transfer to a fraudulent account.
A real estate firm was swindled out of €38 million by an international group of fraudsters using social engineering tactics in 2021. The scammers impersonated lawyers, gaining the firm's trust by pressing for a confidential and urgent wire transfer.
A scammer took advantage of a North Carolina church's new construction project, stealing $793,000 in 2022. Posing as the contractor, the fraudster subtly altered one letter in the email address to redirect the funds into their own hands.
In a targeted BEC attack, cybercriminals impersonated trusted figures to target the government healthcare programs Medicare and Medicaid. By spoofing emails, they successfully diverted $11.1 million into fraudulent bank accounts.
Save the Children lost $1 million in 2017 when fraudsters got into an employee’s email account and impersonated a staff member. Using fake invoices and email requests, they convinced the charity to transfer the funds.
Between 2018 and 2019, Guillermo Perez orchestrated a BEC scam that defrauded several victims out of $2.2 million. He allegedly impersonated individuals and businesses in routine financial transactions, convincing victims to wire money into accounts he controlled alongside his accomplices.