Fake invoice / business email compromise
BEC attackers compromise or spoof business email accounts to send convincing invoice, payment update, or executive transfer requests. Because the messages come from trusted addresses, they pass technical controls and rely on employees acting without verbal verification.
What we know
Business Email Compromise is a sophisticated fraud targeting organizations that make wire transfers. The most common variants include fake invoice fraud, where an attacker impersonates a vendor and sends a legitimate-looking invoice with updated banking details; CEO fraud, where an email apparently from the CEO or CFO urgently requests an employee to wire money; and email account compromise, where an actual business email account is hacked and used to redirect payments.
Attackers typically research their targets thoroughly before attacking: they study company hierarchy from LinkedIn, monitor email correspondence after compromising an account, and time their requests to coincide with real transactions. The emails may perfectly mimic formatting, email signatures, and writing style. The FBI IC3 reports that between October 2013 and December 2023, BEC caused over $55 billion in exposed global losses. In 2024 alone, U.S. losses were $2.77 billion.
Prevention requires procedures that cannot be bypassed by email alone. Any change to banking details or unusual payment request should require out-of-band verification (a phone call to a known number, not the number in the email). Dual approval for large wire transfers, strong email authentication (DMARC, DKIM, SPF), and training employees to verify unusual requests through a second channel are the primary defenses. The FBI encourages affected companies to contact their financial institution immediately and report to IC3.gov.
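The following is an added illustration, not code from the original page or from any vendor or agency it mentions. It shows how a payables-side triage rule can combine the two defenses above: it reads the SPF/DKIM/DMARC results that the receiving mail server stamps into the Authentication-Results header, checks the sender domain against a small vendor allowlist (flagging near-miss lookalike domains by edit distance), and, independently of authentication, holds any message that mentions changed banking or remittance details for verification by the phone number already on file. The vendor list, phone numbers, header values and the three sample messages are all constructed for the example; the header format follows the general Authentication-Results convention but is not taken from the page.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed vendor allowlist: domain -> phone number held on file (hypothetical values).
# The number on file is what an AP clerk calls; never the number in the email itself.
KNOWN_VENDORS = {"acme-supplies.example": "+1-555-0100"}

# Phrases that signal a change of payment destination (constructed, non-exhaustive).
BANK_CHANGE = re.compile(
    r"\b(new|updated|changed)\b[^.\n]{0,40}\b(bank|banking|account|wire|routing)\b"
    r"|\bremit(tance)?\s+to\b",
    re.IGNORECASE,
)


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains (e.g. one swapped letter)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.IGNORECASE):
            results[m.group(1).lower()] = m.group(2).lower()
    return results


def assess(raw_message):
    """Return a triage verdict for one RFC 822 message given as a string."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    auth = auth_results(msg)
    reasons = []

    # Authentication failing or missing is a reason on its own.
    if auth.get("dmarc") != "pass":
        reasons.append("dmarc-not-pass")

    # Sender domain not on the vendor list: is it a near miss of one that is?
    if domain not in KNOWN_VENDORS:
        close = [v for v in KNOWN_VENDORS if edit_distance(v, domain) <= 2]
        reasons.append(f"lookalike-of:{close[0]}" if close else "unknown-sender-domain")

    # Procedural rule: a payment-destination change is held even when auth passes,
    # because a compromised real account authenticates perfectly.
    if BANK_CHANGE.search(body):
        reasons.append("bank-detail-change")

    if "bank-detail-change" in reasons:
        action = "HOLD"      # verify by calling the number on file before paying
    elif reasons:
        action = "REVIEW"
    else:
        action = "OK"
    return {"domain": domain, "auth": auth, "reasons": reasons, "action": action}


def _sample(from_hdr, auth_domain, body):
    # Helper to build constructed sample messages with a full-pass auth header.
    return (
        f"From: {from_hdr}\nTo: payables@corp.example\nSubject: Invoice 1043\n"
        f"Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom={auth_domain};"
        f" dkim=pass header.d={auth_domain}; dmarc=pass header.from={auth_domain}\n\n{body}\n"
    )


# Constructed samples: a lookalike domain the attacker controls (so it authenticates),
# a genuine but compromised vendor mailbox, and a routine invoice.
SAMPLES = {
    "lookalike": _sample('"Acme Supplies AP" <ap@acme-supp1ies.example>', "acme-supp1ies.example",
                         "Please use our updated bank account details for invoice 1043."),
    "compromised": _sample('"Acme Supplies AP" <ap@acme-supplies.example>', "acme-supplies.example",
                           "We have changed our banking details; please remit to the new account."),
    "routine": _sample('"Acme Supplies AP" <ap@acme-supplies.example>', "acme-supplies.example",
                       "Attached is invoice 1043 for March services, due in 30 days."),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, assess(raw))
```

The second sample is the instructive one: every authentication check passes because the mail really did leave the vendor's mailbox, so only the procedural rule (hold on any bank-detail change, confirm by the phone number on file) catches it. Authentication results narrow the spoofing cases; they do not replace the out-of-band call.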
Common claims
- "If an invoice email looks exactly like our vendor's, it must be real." False: attackers spend weeks studying legitimate email formatting before striking.
- "Email security tools prevent BEC attacks." Partially true but insufficient: BEC often uses real compromised accounts, not spoofs.
- "Verifying payment changes by calling the vendor prevents BEC." True if using a known, pre-existing phone number, not one provided in the suspicious email.