How BEC attacks work
BEC is pure social engineering, not malware. Attackers do their homework: scraping LinkedIn profiles, registering spoofed vendor domains, and studying a company's accounts payable workflow before they ever send an email. In some cases, they skip spoofing entirely and compromise a real vendor's email account, then insert themselves directly into an existing thread, replying from a legitimate inbox the target already trusts with a "quick change" to payment instructions.
Because there's no attachment or link to flag, these emails routinely slip past scanners built to catch malware. That's what makes BEC different from ordinary phishing, and why stopping it depends on human judgment, verification steps, and identity monitoring rather than spam filters alone.
BEC scam example: spoofed domains
A classic version of this attack starts with a domain that looks right at a glance. You might receive an email that appears to come from LegitConstruction.com, but it actually originates from Legit-Construction.com, a lookalike domain with one extra character most people won't notice in a busy inbox. The hacker will also use a friendly display name, something like "Legit Construction Accounts Payable," so the message looks legitimate at a glance in your email client. From there, they email accounts payable with an "updated" bank account for an upcoming invoice payment. The domain looks close enough that nobody double checks it, and the funds go straight to the attacker.
If you believe you've identified or fallen victim to a BEC attack, act fact. Notify your bank, management, and any other involved parties right away so they can attempt to recover any lost funds.