The $2.8 Billion Email: How Business Email Compromise Actually Works, and the Four-Minute Habit That Stops It
How business email compromise redirects legitimate payments—and the simple callback policy that can stop most attacks before money leaves.
In April 2025, the FBI's Internet Crime Complaint Center released its annual report on cybercrime — and buried inside 30 pages of numbers is one that every business owner should know by heart. In 2024 alone, businesses reported $2.77 billion in losses to business email compromise to the FBI [1]. Since 2015, cumulative reported losses from this single type of scam have crossed $17.1 billion [2].
Here's the part that matters for you: the average successful business email compromise attack in recent FBI data costs the victim business roughly $137,000 [3]. Not a Fortune 500. A single successful attack on one business, most of them small or midsize.
And the worst part isn't the number. The worst part is how ordinary the attack looks.
What business email compromise actually is (in plain English)
Ignore the acronym for a second. Business email compromise — BEC — is the family of scams where someone sends your business an email that looks legitimate and convinces someone on your team to send money to the wrong place. That's it. No malware, no hacking in the movie sense. Just a well-crafted email arriving at the right moment.
The three most common flavors, all documented extensively in the FBI's 2024 report:
1. The vendor invoice switch. A vendor you actually use emails to say they've updated their bank account information. The email looks right, the invoice format looks right, sometimes the reply address is genuinely from that vendor's compromised email account. You update the wire instructions. The next payment — often the biggest one you send that year — goes to the criminal instead of the vendor. You find out weeks later when the real vendor asks about the missing money.
2. The CEO wire request. An email arrives, apparently from the owner or a senior person, asking someone in accounting to wire money for a time-sensitive deal, closing, tax payment, or acquisition. The tone is urgent. The wire instructions are attached. "Please don't discuss this with anyone until it's done." The person sending it isn't your boss.
3. The payroll or direct-deposit change. An email that looks like it's from an employee (typically one on the road or working remotely) asks HR or payroll to redirect their direct deposit to a new bank account. The next paycheck lands in a criminal's account. The FBI specifically called out real estate and payroll fraud as significant contributors to 2024 losses [4].
None of these look like scams. That's the whole point. The FBI's operations director for cyber called email attacks "the most pervasive threat" businesses face — not because they're sophisticated, but because they exploit trust, urgency, and routine [1].
Why it works — and why it's getting worse
Business email compromise attacks bypass the technology defenses most companies rely on. There's no malicious attachment for antivirus to catch. There's no suspicious link for the email filter to block. There's just an email that reads like every other email, arriving at a normal time, asking for something that sounds reasonable.
Two 2024–2025 trends have made this dramatically harder:
- Attack volume grew 54% between 2023 and 2024, driven substantially by generative AI making it trivial to write clean, professional, on-tone emails that impersonate a specific colleague or vendor [5].
- Wire recall is a race against the clock. The FBI's Recovery Asset Team was able to freeze funds in 66% of cases where the victim reported the fraud quickly [4]. But "quickly" here means within 72 hours, ideally within 24. After that, the money has typically moved through multiple accounts and is beyond recovery.
That last point is worth pausing on. Most businesses discover BEC fraud when the real vendor emails asking where their payment is — which is often two to four weeks after the wire went out. By then, the money is gone. BEC is fundamentally a race, and the business almost always starts it late.
The four-minute habit that stops most of these attacks
The most important finding across every industry report on BEC — the FBI's, the Association for Financial Professionals' 2025 survey (which found 63% of organizations experienced BEC last year [1]), and every security vendor's analysis — is that the defense isn't technology. It's a callback.
Here's the rule. Publish it as your company's payment policy today. Make it non-negotiable, especially for yourself:
Any change to a vendor's bank account, wire instructions, or payment address must be verified by a phone call to a previously known number for that vendor. Not the number in the email. Not a number provided in the request. The number you already had on file, or one you look up independently.
The same rule applies to any wire transfer over a threshold you set (many businesses use $5,000 or $10,000): before it goes, someone calls the requester at a number they already knew, and confirms. Four minutes on the phone. That's the entire defense.
Why this works when technology mostly doesn't: BEC succeeds because the fraudster controls the email channel. They almost never control the phone channel. The moment you introduce a verification step through a different channel using contact info you already have, the attack breaks — because the criminal has to impersonate a person's voice in real time on a number they don't control.
Six practical policies that go with it
The callback rule is 80% of the defense. The other 20% is closing the gaps that make impersonation easier:
1. Post the "change of bank info requires a callback" rule where your accounting team sits. Print it. Sign it. Every new hire in a payment role reads it. This one policy sitting in writing beats most controls.
2. Establish a "verify large payments" threshold. Whatever number would genuinely hurt your business to lose — $5k, $10k, $25k — wires over that number get called before they send. No exceptions for the boss.
*3. Verify vendor changes using the phone number you already had, not a new one.* This is subtle but it matters: BEC criminals often include a fake "new" phone number in the email announcing the account change. Ignore it. Use the number on the vendor's last real invoice or the one saved in your records.
4. Watch for the urgency tell. Nearly every BEC attempt manufactures time pressure — a deal closing, a tax deadline, a wire that has to go out today. If someone requesting money is telling you not to talk to anyone about it, or that it has to happen right now, that is by itself the flag. Legitimate business almost never requires bypassing your controls in the next 30 minutes.
5. If it happens, move immediately. The FBI is direct about this: the moment you suspect a fraudulent wire, call your bank first (within minutes, not hours) and request a recall, then file a complaint at ic3.gov [6]. Do both. The 66% recovery rate exists because of the FBI's Recovery Asset Team, but it only works for cases reported fast. Every hour of delay costs recovery odds.
6. Watch the money leaving, not just the emails arriving. This is where continuous monitoring of your bank activity matters. Payment fraud has a signature at the bank: a large wire to a new destination, an unusual account, a payment amount that's slightly higher than the historical relationship with that vendor. Automated monitoring tools (Varda among them) exist to catch these signatures nightly and surface them for your review. They don't replace the callback rule — nothing replaces the callback rule — but they do give you a second net for the wire that slipped through despite the policy.
The honest bottom line
BEC is not a cybersecurity problem in the traditional sense. It's a process problem wearing a cybersecurity costume. The FBI's $2.77 billion number keeps growing not because attackers keep getting more sophisticated, but because the same simple attack keeps working against businesses that haven't formalized a verification step.
The businesses that don't lose to BEC are almost never the ones with the fanciest email security. They're the ones where "we always call to verify" is written down, taught to every new hire, and applied to the owner as strictly as to everyone else.
Four minutes on the phone before a wire goes out. That's the whole defense. In a category losing $2.77 billion a year, it's remarkable how simple the fix actually is — and how few businesses have written it down.
---
Sources
[1] Federal Bureau of Investigation, Internet Crime Complaint Center, 2024 Internet Crime Report (released April 23, 2025). Available at ic3.gov/AnnualReport.
[2] Abnormal Security analysis of FBI IC3 historical data, "Why BEC Remains the $2.8 Billion Problem CISOs Can't Ignore" (September 2025).
[3] Abnormal Security, "Key Takeaways from the 2023 FBI IC3 Report" (March 2024), citing average BEC loss per incident of $137,132 in 2023 data.
[4] Proofpoint analysis, "Email Attacks Drive Record Cybercrime Losses in 2024" (May 2025), citing FBI IC3 Recovery Asset Team performance.
[5] Abnormal Security research on BEC attack volume growth (2024).
[6] FBI Internet Crime Complaint Center Public Service Announcement I-091124-PSA, "Business Email Compromise: The $55 Billion Scam" (September 2024). Available at ic3.gov.