Business email compromise red flags for AP and finance

Business email compromise is not just a cybersecurity problem. For small businesses, nonprofits, and finance teams, it is an accounts-payable workflow problem that turns email trust into payment loss.

BEC can use spoofed domains, compromised vendor mailboxes, executive impersonation, fake invoices, or bank-change letters. The defense is process: callback, dual approval, PO match, audit trail, and fast reporting.

BEC is financially severe

The 2025 FBI IC3 report lists BEC among the most financially damaging internet crimes, with 24,768 complaints and USD 3.046B in reported losses.

Free AP Fraud SOP Kit

Turn this check into an AP policy

Get the vendor bank-change policy, callback script, approval note, incident checklist, and hold triggers for your finance team.


Common BEC patterns

Most BEC attempts pressure someone to change a workflow before verification catches up.

  • Vendor says bank details changed and asks AP to update the master file.
  • Executive asks for an urgent wire while unavailable for a call.
  • Compromised mailbox sends a real-looking invoice with altered payment instructions.
  • Supplier or customer requests credential reset, portal login, or document download.

Operational controls

BEC prevention should be written into AP policy, not handled ad hoc.

  • Callback on known phone numbers for every payment-instruction change.
  • Dual approval for wires, ACH changes, and first-time vendors.
  • Preserve headers and attachments for suspected fraud.
  • Train AP to treat urgency and secrecy as escalation triggers.
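The controls above, encoded as a pre-payment hold check. This is an added example written for this guide, not code from the original page; the vendor master record, the `PaymentRequest` fields and the sample values are assumptions.

```python
from typing import List
from dataclasses import dataclass

# Constructed vendor master record (assumed sample data, not from the guide).
# Bank details and callback number of record live here, never in the email.
VENDOR_MASTER = {
    "acme": {"domain": "acme-supply.example",
             "bank": "ROUTING-021/ACCT-5550", "phone": "+1-555-0100"},
}

@dataclass
class PaymentRequest:
    vendor_id: str
    sender_domain: str           # domain of the mailbox that sent the request
    bank: str                    # account the email asks AP to pay
    method: str                  # "wire", "ach" or "check"
    po_matched: bool = True      # invoice matches an open purchase order
    urgent: bool = False         # "must go out today"
    secrecy: bool = False        # "keep this between us"
    callback_done: bool = False  # verified by phone on the number of record
    approvals: int = 1           # distinct approvers logged in the audit trail

def hold_reasons(req: PaymentRequest, master=VENDOR_MASTER) -> List[str]:
    """Return the controls still outstanding; an empty list means release."""
    reasons = []
    vendor = master.get(req.vendor_id)
    first_time = vendor is None
    bank_changed = not first_time and req.bank != vendor["bank"]
    if not first_time and req.sender_domain.lower() != vendor["domain"]:
        reasons.append("sender domain does not match vendor master (possible spoof/lookalike)")
    # A matching domain does not skip the callback: the real mailbox may be compromised.
    if (bank_changed or first_time) and not req.callback_done:
        number = "an independently verified number" if first_time else vendor["phone"]
        reasons.append(f"callback required on {number}, never a number from the email")
    needs_dual = req.method == "wire" or (req.method == "ach" and bank_changed) or first_time
    if needs_dual and req.approvals < 2:
        reasons.append("dual approval required (wire, ACH change, or first-time vendor)")
    if not req.po_matched:
        reasons.append("no PO match for this invoice")
    if req.urgent or req.secrecy:
        reasons.append("urgency/secrecy language: escalate before paying")
    return reasons

if __name__ == "__main__":
    # Constructed sample: vendor "changes" bank details and pushes for same-day ACH.
    req = PaymentRequest("acme", "acme-supply.example", "ROUTING-999/ACCT-0001",
                         "ach", urgent=True)
    for reason in hold_reasons(req):
        print("HOLD:", reason)
```

Each outstanding reason is a hold trigger to log in the audit trail; the payment is released only when the list is empty.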

Business Email Compromise FAQ

Can BEC come from a real vendor mailbox?

Yes. Attackers can compromise real mailboxes, so a correct domain does not remove the need for callback verification.

Who owns BEC prevention?

Finance, AP, IT, and leadership share ownership. The payment process must require controls before money moves.

Where should confirmed BEC be reported?

In the US, report to FBI IC3 and FTC ReportFraud, and contact your bank immediately if funds moved.