Business Email Compromise Attack Volume Increased 37% Between May 2024 and June 2025 – Is Your Business at Risk?
- Matt Ferguson
- Sep 17
- 4 min read

Cybercriminals aren’t slowing down; they’re getting smarter. A recent industry report found that Business Email Compromise (BEC) attacks surged by 37% in just over a year, from May 2024 to June 2025. That’s not a small uptick: it’s a sign that attackers are finding success and doubling down. If your business relies on email to communicate with clients, vendors, or employees (and which business doesn’t?), this is a wake-up call.
BEC attacks are not your typical phishing scams. They don’t rely on mass spam campaigns or clumsy one-off emails. Instead, they are highly targeted, socially engineered attacks designed to trick your team into transferring money, sharing sensitive data, or revealing login credentials. Think of them as cyber-fraud mixed with impersonation: attackers often compromise or spoof a real mailbox and then send what appears to be a legitimate email, sometimes even one that appears to come from a known executive.
Why the surge? The answer lies in attackers’ return on investment. Unlike ransomware, which is noisy and risks triggering incident response, BEC is relatively quiet. It requires little to no malware – meaning it often evades traditional antivirus or endpoint security tools. Attackers have figured out that manipulating human trust yields faster payouts with fewer technical hurdles.
Small and mid-sized businesses are particularly vulnerable. Many don’t have advanced threat protection enabled, don’t enforce multi-factor authentication on email accounts, and don’t have a formal process for verifying financial transactions. A single successful BEC can cost tens of thousands of dollars – not just in stolen funds, but in downtime, incident response, and potential reputational harm. The FBI’s IC3 report consistently ranks BEC as the #1 costliest cybercrime year after year.
📊 Quick Stats: Business Email Compromise at a Glance
- Average loss per BEC incident: $125,000+
- SMBs targeted in past 12 months: 43%
- Total reported losses (2024): $2.9 billion+
- Attack entry points: 75% via spoofing or account takeover
- Prevention potential: 90% could be stopped with better verification processes
The good news: BEC is preventable. A combination of technical controls and staff awareness training dramatically lowers risk. At minimum, businesses should enforce multi-factor authentication across all email accounts, enable advanced phishing protection in Microsoft 365 or Google Workspace, and create a clear “out-of-band” process for approving wire transfers or banking changes. This means no payment should be authorized solely based on an email.
Security awareness training is another critical layer. Employees should learn to spot red flags such as urgent requests, unusual banking details, or slightly altered email domains. Simulated phishing campaigns can test your team’s readiness and help identify users who may need extra coaching. The human layer is often the last line of defense – strengthening it pays dividends.
Monitoring and response are also crucial. Your IT partner should review sign-in logs for what Microsoft calls “impossible travel” (sign-ins from physically distant locations within a timeframe in which travel between them is impossible) and other suspicious activity, set conditional access policies, and alert on inbox forwarding rules that may have been maliciously configured. This proactive monitoring ensures that if an account is compromised, you can respond before the attackers cash out.
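As an added illustration of the monitoring described above (this is not code from the original post or from Geeks for Business), the following Python checks two of the indicators named here, impossible travel between consecutive sign-ins and inbox rules that forward mail outside the organization, over constructed sample records. The record field names, the example.com tenant domain and the 900 km/h threshold are assumptions.

```python
from math import radians, sin, cos, asin, sqrt
from datetime import datetime

# Constructed sample sign-in events (field names are an assumption, loosely
# modelled on cloud sign-in logs; the coordinates and IPs are not real data).
SIGN_INS = [
    {"user": "ceo@example.com", "time": "2025-06-01T09:00:00", "lat": 37.77, "lon": -122.42, "ip": "203.0.113.10"},
    {"user": "ceo@example.com", "time": "2025-06-01T10:30:00", "lat": 6.52, "lon": 3.38, "ip": "198.51.100.7"},
    {"user": "cfo@example.com", "time": "2025-06-01T09:00:00", "lat": 37.77, "lon": -122.42, "ip": "203.0.113.11"},
    {"user": "cfo@example.com", "time": "2025-06-01T17:00:00", "lat": 34.05, "lon": -118.24, "ip": "203.0.113.12"},
]
# Constructed inbox rules; forwarding outside the tenant and deleting the original is the stealthy variant.
INBOX_RULES = [
    {"user": "ceo@example.com", "name": ".", "forward_to": "archive-ceo@example.net", "delete": True},
    {"user": "cfo@example.com", "name": "Invoices", "forward_to": "ap@example.com", "delete": False},
]
INTERNAL_DOMAIN = "example.com"   # assumption: the tenant's own mail domain
MAX_KMH = 900.0                   # assumption: anything faster than an airliner is impossible

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points."""
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlam / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def impossible_travel(events, max_kmh=MAX_KMH):
    """Flag consecutive sign-ins by one user that would require travel faster than max_kmh."""
    by_user = {}
    for e in sorted(events, key=lambda e: (e["user"], e["time"])):
        by_user.setdefault(e["user"], []).append(e)
    alerts = []
    for user, evs in by_user.items():
        for prev, cur in zip(evs, evs[1:]):
            hours = (datetime.fromisoformat(cur["time"])
                     - datetime.fromisoformat(prev["time"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            # A location change with zero elapsed time is impossible too; avoid dividing by zero.
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > max_kmh:
                alerts.append((user, prev["ip"], cur["ip"], speed))
    return alerts

def suspicious_forwarding(rules, internal_domain=INTERNAL_DOMAIN):
    """Flag inbox rules that forward outside the tenant; the delete flag marks the stealthier variant."""
    flagged = []
    for r in rules:
        domain = r["forward_to"].rsplit("@", 1)[-1].lower()
        if domain != internal_domain.lower():
            flagged.append((r["user"], r["name"], r["forward_to"], r["delete"]))
    return flagged
```

Running both checks over the sample data flags the CEO's sign-in pair (San Francisco to Lagos in 90 minutes) and the CEO's external forwarding rule, while the CFO's records pass.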
At Geeks for Business, we help businesses implement a layered security approach that includes advanced email protection, identity security, and user training. If this increase in BEC attacks concerns you, you’re not alone, and you don’t have to face the threat alone. Schedule a security consultation with our team today and let’s make sure your business doesn’t become the next statistic.
Real-World BEC Examples and Lessons Learned
Case Study 1: A manufacturing firm lost $240,000 after an attacker gained access to the CEO’s mailbox and sent realistic-looking wire transfer requests. The funds were sent overseas before IT discovered the compromise.
Case Study 2: A California CPA firm suffered a $90,000 loss when a vendor's email account was spoofed. The fake invoice matched previous formatting and was paid without question. The firm later had to cover client losses out of pocket.
Case Study 3: A healthcare provider narrowly avoided a $300,000 loss thanks to a vigilant employee who noticed a slightly altered email domain. The event still cost $25,000 in forensics and recovery efforts.
Case Study 4: A boutique software development firm in Europe lost approximately $285,000 to wire fraud as a result of BEC. The attacker gained access to the company’s Microsoft tenant via the widely deployed Evilginx phishing toolkit and began reconnaissance and information-gathering. Three months later, the attacker began intercepting and redirecting emails between company executives, a third-party organization, and the company’s internal finance department. The accountant mistook a fraudulent wire request for a legitimate email and mistakenly paid out a large sum of money to the attacker. Unfortunately, the funds were not recovered.
The average costs of one instance of Business Email Compromise
- Direct Financial Loss: $50,000 - $250,000+ per incident
- Incident Response & Forensics: $10,000 - $50,000
- Legal & Compliance Fees: $5,000 - $20,000
- Downtime/Lost Productivity: Hundreds of staff-hours
- Reputational Damage: Loss of client trust, potential churn
At Geeks for Business, we help organizations implement multi-layered defenses, continuous monitoring, and employee training to stop BEC before it impacts your bottom line. Request your free security posture review today.