Trust is the foundation of business interactions. Online scammers understand and rely on this when they use social engineering tactics to compromise your company. One of their main methods is business email compromise (BEC).

According to the 2025 AFP Payments Fraud and Control Survey Report, underwritten by Truist, BEC was the number one avenue for attempted and actual payments fraud in 2024, cited by 63% of respondents. It’s also responsible for $2 billion in losses around the world every year. (Disclosure 1)

Key concepts

In this article, you’ll learn how to:

  • Identify business email compromise attacks
  • Learn what makes BEC a unique type of social engineering fraud
  • Reduce your risk—and your employees’ risk—of being compromised

Video: a quick introduction to email fraud

Fraud Prevention 101 – Email Fraud

(Visual Description: Fraud Prevention 101: Email Fraud

Truist title and logo in the lower right corner.

Email fraud, avoid falling for this common trick into sharing sensitive information.

Definition reads: Email Fraud - A fraudulent email scheme performed by a dishonest individual, group or company in attempt to obtain money or something else of value.)

Companies experience email fraud when individuals click on a malicious link or provide personal information. 

(Visual Description: An example of a suspicious email from CEO memo <marky.shurtserberg@phase.book.com.ru> is shown on a computer screen. The email contains a button that reads “Meeting” which is clicked. A motion graphic follows to depict that the user’s computer has been compromised.)

The most common email scams appear to come from senior officers at your organization or from existing vendors. 

They can be difficult to differentiate from legitimate emails, especially as fraudsters become more sophisticated. 

Stay vigilant. If you see something suspicious, call the person who sent you the email and verify their request.

(Visual Description: Learn to keep your business safe

Truist logo and Truist Title appear in the center of page. 

Contact your Truist relationship manager or treasury consultant for more information on fraud protection.

Disclosure:

Truist Bank, Member FDIC. © 2021 Truist Financial Corporation. Truist, the Truist logo and Truist Purple are service marks of Truist Financial Corporation.)

What is a business email compromise attack?

In a business email compromise attack, a fraudster impersonates or takes over the account of a trusted employee, vendor, or federal agency. The attack's success depends on how convincingly the fraudster imitates the trusted account. If it works, your employees might hand over sensitive data (including passwords), transfer funds to criminals, or click malicious links that can compromise your computer network.

The graphic details the top 5 payment methods impacted by BEC (business email compromise) in 2024. The list is in order from highest to lowest, beginning with wire transfers, ACH credits, checks, ACH debits, and corporate/commercial credit cards, demonstrating the wide breadth of fraud.

Adjusted losses for business email compromise attacks for 2024 totaled over $2.7 billion. (Disclosure 2)

Good news: Increased vigilance is mitigating the impact of BEC.

The 2025 AFP Payments Fraud and Control Survey Report shows that organizations are taking steps to prevent BEC—and it’s working. From 2022 to 2023, the portion of companies that experienced attempted or actual BEC attacks dropped from 71% to 63% and stayed there for 2024. Enhanced email filtering along with education and training for employees on how to detect fraudulent emails are among the top prevention protocols.

Case study: Comparing addresses helps a pharmacy stop a BEC attack. When an order for $500,000 in prescription medications came in supposedly from a large medical center, pharmacy staffers carefully checked the details. Even though the paperwork looked valid, one employee noticed the address in the email didn’t match the one on file. When the employee called the medical center, a representative told them the order was a sham. (Disclosure 3)

21,442 BEC complaints were filed with the FBI’s Internet Crime Complaint Center in 2024. (Disclosure 2)

Best practices and prevention

Anyone can be the target of business email compromise. Knowing what signs to look for—and what actions to avoid—can help keep your employees from falling victim. Here are some common strategies for preventing BEC attacks.

Train staff to double-check email addresses and message details.

BEC scammers often imitate the email addresses of real employees or business associates. The giveaway may be something as small as one- or two-letter inconsistencies in the username or a misspelled domain after the @. These imposter emails often express urgency, arrive at odd hours, appear to come from an executive or person of authority, and may request secrecy or reference an unfamiliar project.
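
The address check described above, and used in the pharmacy case study, can be partly automated. The following is an added example, not part of the original article: it compares a message's sender address with addresses already on file and flags near matches. The directory entries, function names, and two-character threshold are assumptions chosen for illustration.

```python
from email.utils import parseaddr

# Constructed directory of addresses on file (hypothetical contacts).
KNOWN_CONTACTS = {"ap@medcenter.example", "jane.doe@supplier.example"}

def edit_distance(a, b):
    """Levenshtein distance using a two-row dynamic program."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete from a
                           cur[j - 1] + 1,              # insert into a
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]

def classify_sender(from_header, known=KNOWN_CONTACTS, max_dist=2):
    """Return (verdict, closest address on file or None)."""
    addr = parseaddr(from_header)[1].lower()   # ignore the display name
    if "@" not in addr:
        return ("unparseable", None)
    if addr in known:
        return ("on_file", addr)
    user, domain = addr.rsplit("@", 1)
    best = None
    for contact in sorted(known):
        k_user, k_domain = contact.rsplit("@", 1)
        d_user = edit_distance(user, k_user)
        d_dom = edit_distance(domain, k_domain)
        if d_dom == 0 and d_user <= max_dist:
            hit = ("lookalike_username", contact, d_user)
        elif 0 < d_dom <= max_dist and d_user <= max_dist:
            hit = ("lookalike_domain", contact, d_user + d_dom)
        else:
            continue
        if best is None or hit[2] < best[2]:
            best = hit
    return (best[0], best[1]) if best else ("unknown", None)

if __name__ == "__main__":
    # Constructed sample From: headers.
    for header in ["Jane Doe <jane.doe@supplier.example>",
                   "Jane Doe <jane.doe@supp1ier.example>",
                   "AP Desk <ap@medcentre.example>",
                   "newsletter@unrelated.example"]:
        print(header, "->", classify_sender(header))
```

A lookalike verdict is a prompt to call the contact at the number on file, not proof of fraud. Short usernames on a shared domain will produce false positives at this threshold.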

Educate staff on the latest BEC scam tactics.

The 2025 AFP Payments Fraud and Control Survey Report found that classic BEC scams—in which a fraudster impersonates a senior executive and requests a transfer of funds—declined from 57% to 49% in 2024. But scams like vendor and third-party impersonation are on the rise.

Limit what you publicize about employees, roles, and email addresses.

Every BEC attack relies on access to employee details such as names, titles, and email addresses. Only share that information with trusted partners—and encourage them to report any suspected attacks, whether attempted or successful.

Require strong passwords and multifactor authentication.

Sometimes, hackers will take over the actual email account of someone you trust and send emails directly from it. When used properly, passwords and multifactor authentication (MFA) can go a long way toward preventing this. Educate employees to create and protect strong passwords, change them regularly, and use MFA to provide an extra layer of security against password theft.

Make dual control a number one priority.

Implement dual control policies to help identify spoofs, inconsistencies, and other red flags that indicate BEC attacks. With dual control, two eagle-eyed experts in your company must approve any requests for sensitive information like banking details or credential sharing.

When in doubt, talk to Truist.

There are certain requests we will never make of our customers. If you’ve received an email, text, or voice message asking for private banking details like your account number, routing number, or PIN, reach out and alert your relationship manager. Our fraud prevention experts can help identify, report, and neutralize any phishing attacks.

FAQs on business email compromise

Social engineering fraud is a type of cybercrime in which scammers try to gain someone’s trust to extract information or money from them. This is often done through phishing—sending fake email requests—or through business email compromise, a type of phishing directed at companies.

Yes. Email account compromise (EAC) happens when a hacker takes control of a legitimate email account. Then they use the account to email requests for sensitive information or money. For example, one of your suppliers sends you a message requesting payment—but the bank account number doesn’t match the one on previous invoices. This could be legitimate, or it could be a sign that the email was compromised. In such cases, contact the sender directly (not by email) and ask them to confirm.

Turn to professionals for protection.

To learn more about cybersecurity threats and the various types of fraud facing your organization, connect with one of Truist’s relationship managers.
