How Business Email Compromise (BEC) Scams Steal Millions & How to Prevent Them

I’ve been doing cybersecurity since the early 2000s—hell, I was playing with networking pre-2000, before anything ran over PSTN muxes. But one thing that always remains the same? Cybercriminals are constantly coming up with new ways to dupe people. Business Email Compromise, or BEC, is one of the most sophisticated, least expensive, and most financially devastating scams out there.

I’ve witnessed companies — large ones — lose millions because an employee thought they were adhering to a routine payment request from the chief executive. Spoiler: It wasn’t the CEO.

Quick Take

No time for a deep dive? Here’s what you need to know:

  • BEC scams don’t rely on malware; they trick people through impersonation.
  • Phishers impersonate executives or suppliers to solicit payments.
  • You need email security plus user awareness — no magic AI solution.
  • PJ Networks protects the email system with Fortinet’s BEC protection.

Got five minutes? Let’s break this down.

What is BEC?

Business Email Compromise (BEC) is a category of creative phishing scam in which attackers impersonate executives, vendors, or business partners in order to convince employees to wire funds or provide sensitive data. Unlike traditional phishing, which sprays emails and hopes someone clicks, BEC is targeted — attackers do their homework.

Still not convinced it’s a big deal? The FBI’s 2023 IC3 report estimated more than $2.7 billion in reported losses to BEC scams alone. That doesn’t include losses that were never reported.

How Attackers Impersonate Executives

This is the part where it gets ugly. BEC hackers don’t rely on malware or brute-force hacking. They instead prey on human trust — and that’s a tougher fix.

Here’s how they do it:

  1. Domain Spoofing – Cybercriminals register domains that are near-identical to real ones, differing by only a character or two (e.g., pjnertworks.com instead of pjnetworks.com).
  2. Email Compromise – In some cases, an attacker will actually hack a real executive’s email by stealing their credentials (with phishing or weak passwords, usually — don’t get me started on lousy password policies).
  3. Social Engineering – They gather intelligence on the inner workings of the company: who approves invoices, vendor relationships, and even work schedules.
  4. Urgency and Pressure – Most scams present the request as urgent (e.g., “We need this paid today to close a deal”). Employees have no desire to be the choke point delaying the CEO’s request.
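
Since the lookalike-domain trick in step 1 is the one a mail gateway or a SOC analyst can actually check mechanically, here is a small screening script for it. This is an added example, not PJ Networks’ or Fortinet’s code; the trusted-domain list, the confusable-character table and the From: headers are all constructed for illustration, and the edit-distance threshold of 2 is an assumption you would tune against your own mail volume.

```python
"""Flag sender domains that merely look like a trusted domain.

Added example, not PJ Networks' or Fortinet's code. The trusted-domain
list and the From: headers below are constructed for illustration.
"""
import re

# Domains we actually do business with (assumed for the example).
TRUSTED_DOMAINS = {"pjnetworks.com", "example-vendor.com"}

# Character swaps that look alike in many fonts; applied to both sides
# before comparison so 'pjnetw0rks' and 'pjnetworks' normalise identically.
CONFUSABLE_SWAPS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s"))

ADDRESS_RE = re.compile(r"@([A-Za-z0-9.-]+)")


def sender_domain(from_header):
    """Return the lower-cased domain from a From: header, or None."""
    match = ADDRESS_RE.search(from_header)
    return match.group(1).lower().rstrip(".") if match else None


def normalise(domain):
    d = domain.lower()
    for look_alike, canonical in CONFUSABLE_SWAPS:
        d = d.replace(look_alike, canonical)
    return d


def levenshtein(a, b):
    """Edit distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(from_header, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return (verdict, sender_domain, matched_trusted_domain)."""
    domain = sender_domain(from_header)
    if domain is None:
        return ("unparsable", None, None)
    if domain in trusted:
        return ("trusted", domain, domain)
    for t in trusted:
        # 1. trusted domain used as a subdomain of something else
        if domain.startswith(t + "."):
            return ("lookalike", domain, t)
        # 2. confusable-character swap
        if normalise(domain) == normalise(t):
            return ("lookalike", domain, t)
        # 3. a character or two inserted, dropped or swapped
        if levenshtein(domain, t) <= max_distance:
            return ("lookalike", domain, t)
    return ("unknown", domain, None)


# Constructed sample headers for a dry run.
SAMPLE_FROM_HEADERS = [
    "Rohit <rohit@pjnetworks.com>",
    "CEO <ceo@pjnertworks.com>",
    "Accounts <ap@example-vend0r.com>",
    "Finance <finance@pjnetworks.com.mail-relay.example>",
    "Newsletter <news@gmail.example>",
]


def audit(headers):
    return [classify(h) for h in headers]


if __name__ == "__main__":
    for verdict, domain, matched in audit(SAMPLE_FROM_HEADERS):
        print(f"{verdict:10} {domain}  (closest trusted: {matched})")
```

A "lookalike" verdict is a reason to hold the message for human review, not proof of fraud: a genuinely unrelated domain can sit within two edits of yours. That is exactly why the phone-call verification further down still matters.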

Seen it firsthand. In one case, a mid-sized company’s finance officer received an email from her CEO requesting a vendor payment that looked completely normal. Minor formatting discrepancies in the email did not trigger any alarms. The attacker even signed the email, “Sent from my iPhone” — a detail that gave it the ring of legitimacy. They lost $300K. And that was before they called us in to secure everything.

BEC Prevention Strategies

BEC isn’t like ransomware, where you install one product and boom, you’re good to go. Defense is a combination of layered security controls and human response. Here’s what actually works:

  1. Email Authentication & Verification
    • DMARC, SPF, and DKIM – Set up email authentication so spoofed messages can’t reach the mailbox looking legitimate.
    • Fortinet’s BEC Protection (which we implement at PJ Networks) stops impersonation schemes before they ever reach an inbox.
  2. User Awareness & Training
    • Always confirm payment requests—and unexpected changes to banking details.
    • Educate employees to recognize red flags (slight changes in an email domain, sudden urgency, strange diction in emails).
    • Verify by a second means (pick up the freaking phone and call — not responding to the email).
  3. Implement Zero-Trust Access Controls
    • Every major fund transfer should involve more than one decision maker.
    • Only personnel who must handle financial transactions do so (role-based access).
    • MFA for email access is now non-negotiable.
  4. AI-Powered Solutions? Meh

    Look, I get it, everybody is trying to sell you some AI-powered BEC prevention at the moment. But don’t believe the hype. AI can help spot behavioural anomalies or flag suspicious emails, but threat actors adapt faster than pure-play AI solutions. If a human still gives a manual thumbs-up to the transfer, AI isn’t blocking it.

  5. Routine Security Reviews
    • Audit email forwarding rules — attackers love hidden auto-forwarding.
    • Challenge financial workflows—eliminate unnecessary approval chains.
    • Apply SOC monitoring—attackers commonly lurk for weeks before striking.
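
The forwarding-rule audit in step 5 is worth showing concretely, because the rules attackers leave behind have a recognisable shape: mail goes to an outside address, the forwarded copy is deleted or marked read so the owner never notices, and the rule only fires on finance keywords. The script below is an added example, not PJ Networks’ or Fortinet’s tooling. The rule schema and the four sample rules are constructed; in practice you would export inbox rules from your mail platform and map them onto these fields, and the scoring weights and threshold are assumptions to tune.

```python
"""Audit inbox rules for the auto-forwarding tricks BEC actors leave behind.

Added example, not PJ Networks' or Fortinet's tooling. The rule schema and
the sample rules are constructed; map your platform's export onto them.
"""

INTERNAL_DOMAINS = {"pjnetworks.com"}          # assumed for the example
FINANCE_KEYWORDS = {"invoice", "payment", "wire", "bank", "remittance"}

# Constructed export: one benign rule, one textbook BEC rule, two edge cases.
SAMPLE_RULES = [
    {"mailbox": "cfo@pjnetworks.com", "name": "Copy AP on vendor mail", "enabled": True,
     "forward_to": ["ap@pjnetworks.com"], "redirect_to": [],
     "delete_message": False, "mark_as_read": False, "subject_contains": ["vendor"]},
    {"mailbox": "cfo@pjnetworks.com", "name": ".", "enabled": True,
     "forward_to": ["billing.archive@attacker-mailbox.example"], "redirect_to": [],
     "delete_message": True, "mark_as_read": True, "subject_contains": ["invoice", "wire"]},
    {"mailbox": "hr@pjnetworks.com", "name": "Old newsletter", "enabled": False,
     "forward_to": ["me@personal-mail.example"], "redirect_to": [],
     "delete_message": False, "mark_as_read": False, "subject_contains": []},
    {"mailbox": "ap@pjnetworks.com", "name": "Tidy receipts", "enabled": True,
     "forward_to": [], "redirect_to": [],
     "delete_message": True, "mark_as_read": False, "subject_contains": ["receipt"]},
]


def is_external(address):
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def score_rule(rule):
    """Return (score, reasons). Higher means more like an attacker's rule."""
    if not rule.get("enabled", True):
        return 0, ["rule disabled"]
    score, reasons = 0, []
    targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
    external = [t for t in targets if is_external(t)]
    if external:
        score += 3
        reasons.append("forwards/redirects outside the organisation: " + ", ".join(external))
    if rule.get("delete_message") or rule.get("mark_as_read"):
        score += 2
        reasons.append("hides mail from the mailbox owner (delete or mark-as-read)")
    hits = [k for k in rule.get("subject_contains", []) if k.lower() in FINANCE_KEYWORDS]
    if hits:
        score += 2
        reasons.append("filters on finance keywords: " + ", ".join(hits))
    if len(rule.get("name", "").strip()) <= 1:
        score += 1
        reasons.append("blank or single-character rule name")
    return score, reasons


def audit_rules(rules, threshold=3):
    """Return flagged rules as (mailbox, name, score, reasons), highest first."""
    flagged = []
    for rule in rules:
        score, reasons = score_rule(rule)
        if score >= threshold:
            flagged.append((rule["mailbox"], rule["name"], score, reasons))
    return sorted(flagged, key=lambda f: f[2], reverse=True)


if __name__ == "__main__":
    for mailbox, name, score, reasons in audit_rules(SAMPLE_RULES):
        print(f"{mailbox} rule {name!r} score={score}")
        for reason in reasons:
            print("   -", reason)
```

Run it on a real export and the only rule that should trip the threshold is the one you have never seen before. A benign internal forward scores zero, a disabled leftover scores zero, and a housekeeping rule that merely deletes receipts scores too low to flag, which keeps the review queue short enough that someone actually reads it.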

Email Fraud Protection from PJ Networks

We have been leveraging Fortinet’s BEC prevention tools for years and with good reason—they get the job done. We set up:

  • Domain authentication (SPF, DKIM, DMARC) to protect against spoofing.
  • Fortinet’s AI-powered email filtering (not my own AI, but this is the one part where I do trust AI) to catch fishy emails before they reach the inbox.
  • User training workshops — no tech can substitute for employee diligence.
  • 24/7 Security Operations Monitoring — We’ll detect if attackers attempt to get into email accounts.

And we are always refining solutions as attackers continuously evolve.

Conclusion

At their core, BEC scams aren’t technical issues — they’re psychological warfare. Attackers don’t need malware when they can simply impersonate your boss. So:

  • Secure your email systems.
  • Security awareness training: You need to train your employees to verify everything.
  • Encourage a layered approach to security controls.
  • Quit expecting artificial intelligence to solve human credulity.

And if you’re still getting by on nothing more than spam filters and antivirus… let’s talk before your company ends up in the next FBI report on the biggest BEC losses of the year.

On to my fourth coffee now.
