
Business Email Compromise: A 2026 Action Plan for SMBs

Infonaligy

BEC is the most expensive cybercrime facing small businesses. Six steps to protect your company from wire fraud, invoice scams, and AI-generated phishing.


Your controller gets an email from the CEO asking to wire $47,000 to a new vendor. The email address matches. The tone is right. The request references a real project. She sends the wire. Two hours later, the CEO walks by her desk and asks what she’s working on. He never sent that email.

This scenario plays out thousands of times per year across the United States. The FBI’s Internet Crime Complaint Center (IC3) received over 21,000 BEC complaints in its most recent reporting period, with total losses reaching $2.77 billion. That makes business email compromise the second most costly cybercrime category in the country, and organizations with fewer than 1,000 employees face a 70% weekly probability of being targeted.

For a 50-person company, a single successful BEC attack averaging $125,000 or more can wipe out a quarter’s profit. This isn’t ransomware, and there’s no malware to detect. BEC exploits trust, urgency, and weak verification processes. The good news: the defenses are straightforward, and companies that act quickly after an attack recover most of their money.

BEC Is a Business Process Problem, Not a Technology Problem

Most email security tools are designed to catch malware attachments, malicious links, and obvious spam. BEC bypasses all of that because the emails themselves are clean. There’s no payload to scan, no suspicious link to flag, and no attachment to detonate in a sandbox. The attack is the message itself.

BEC comes in several forms, but three account for the vast majority of losses:

  • Wire transfer fraud: An attacker impersonates an executive or vendor and requests a wire to a new bank account. This is the highest-dollar variant.
  • Invoice redirect fraud: An attacker compromises or impersonates a vendor’s email account and sends a legitimate-looking invoice with updated payment details. Your accounts payable team pays the invoice to the attacker’s account.
  • Gift card schemes: An attacker posing as a manager or executive asks an employee to purchase gift cards for a “client appreciation” event or similar pretext. According to IC3 data, gift card requests account for 37.9% of BEC attacks by volume, though the dollar amounts per incident are typically lower than wire fraud.

The common thread is that none of these attacks require breaking into your network. The attacker either spoofs an email address, compromises a legitimate account through stolen credentials, or uses a lookalike domain (think infonaliqy.com instead of infonaligy.com). Your email filters won’t catch a well-crafted BEC email because, technically, there’s nothing malicious about the email itself.
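Lookalike domains like the one above are cheap to register and easy to miss at a glance, but they are also cheap to detect before a message reaches accounts payable. The following is an added illustration, not code from the article or from Infonaligy: it compares the domain of each inbound sender against a constructed allow-list of partner domains, folding a few commonly swapped characters and measuring edit distance, so that a near-miss such as infonaliqy.com is held for out-of-band verification instead of being treated as the real vendor.

```python
"""Flag sender domains that look like, but are not, a trusted partner domain.

Added illustration (not the article's code). The allow-list, confusable
character map and sample addresses are constructed for this example.
"""
from __future__ import annotations

# Constructed allow-list of domains the finance team actually does business with.
TRUSTED_DOMAINS = {"infonaligy.com", "acme-supply.example", "bigbank.example"}

# Character swaps that read alike at a glance in a typical email client font.
CONFUSABLES = {"q": "g", "1": "l", "0": "o", "rn": "m", "vv": "w"}


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Fold confusable characters so 'infonaliqy.com' and 'infonaligy.com' compare equal."""
    d = domain.lower()
    for bad, good in CONFUSABLES.items():
        d = d.replace(bad, good)
    return d


def classify_sender(address: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for one sender address.

    'lookalike' is the result that should block a payment until someone
    phones the vendor on a number already on file.
    """
    domain = address.rsplit("@", 1)[-1].lower()
    if domain in trusted:
        return "trusted"
    for t in trusted:
        # Equal after folding confusables, or within a couple of edits of a
        # partner domain, is a near-miss rather than an unrelated sender.
        if normalize(domain) == normalize(t) or levenshtein(domain, t) <= max_distance:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for addr in ("ceo@infonaligy.com", "ceo@infonaliqy.com", "ap@acme-suppIy.example", "x@random-company.example"):
        print(f"{addr:32} {classify_sender(addr)}")
```

An "unknown" result is not a verdict of safety; a vendor whose account was genuinely compromised will still classify as "trusted", which is exactly why the verification call in step 1 applies to every payment change regardless of what this check says.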

AI Is Making BEC Attacks Better and Cheaper

BEC has been a threat for over a decade, but AI-generated content is accelerating the problem. As of mid-2024, approximately 40% of BEC phishing emails used AI-generated content, and that number has almost certainly grown since.

What AI changes for attackers:

  • Perfect grammar and tone matching. The awkward phrasing that used to flag phishing emails is gone. AI can match an executive’s writing style by analyzing their LinkedIn posts, published articles, and previous emails.
  • Personalization at scale. An attacker can research your company, your vendors, your projects, and your team in minutes, then generate targeted emails for dozens of companies simultaneously.
  • Faster reconnaissance. AI tools can scrape public information about your business, map your org chart from LinkedIn, identify your banking relationships from press releases, and build convincing pretexts using real details.

The practical effect is that BEC attacks now look indistinguishable from legitimate business communication. Training employees to “look for red flags” is necessary but no longer sufficient when the red flags have been engineered away. Your defense has to shift from “can we spot the fake?” to “do we verify every request before acting on it?”

Six Steps to Protect Your Business

1. Require Out-of-Band Verification for Every Financial Transaction

This is the single most effective defense against BEC, and it costs nothing to implement. Any request to send money, change payment details, or share sensitive data must be verified through a separate communication channel before anyone acts on it.

If the request comes by email, pick up the phone and call the person using a number you already have on file. Do not call a number provided in the email. Do not reply to the email and ask “did you send this?” because if the account is compromised, the attacker will simply say yes.

The verification call needs to be more than “hey, did you send that?” Establish a verbal passphrase or one-time code that both parties know. This stops voice cloning attacks where an attacker uses AI to impersonate an executive’s voice. A cloned voice can’t provide a verification code it doesn’t know.

Write this policy down. Make it mandatory. Remove the ability for any single person to authorize a wire transfer or payment change without completing the verification step.

2. Implement Email Authentication: DMARC, DKIM, and SPF

These three protocols work together to stop attackers from sending mail that claims to come from your domain. In plain terms:

  • SPF (Sender Policy Framework) tells receiving mail servers which servers are authorized to send email on behalf of your domain.
  • DKIM (DomainKeys Identified Mail) attaches a cryptographic signature to your outgoing emails so recipients can verify the message was signed by your domain’s mail system and wasn’t altered in transit.
  • DMARC (Domain-based Message Authentication, Reporting, and Conformance) tells receiving mail servers what to do when an email fails SPF or DKIM checks: nothing, quarantine it, or reject it outright.

Without these protocols, an attacker can send an email that appears to come from your CEO’s exact email address, and the recipient’s mail server has no way to know it’s fake. With DMARC set to a reject policy, that spoofed email never reaches the inbox.

If you’re running Microsoft 365, your IT team or managed IT provider can configure all three protocols in your DNS settings. Many organizations have SPF configured but never moved DMARC past a “monitor only” policy, which means spoofed emails still get delivered. Check yours. If your DMARC policy isn’t set to quarantine or reject, it’s not actually protecting you.
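The "monitor only" trap is easy to spot once you know which parts of the records matter: the trailing `all` mechanism in SPF and the `p=`, `pct=` and `sp=` tags in DMARC. The script below is an added example, not the article's or Infonaligy's code. It grades SPF and DMARC TXT record strings offline; the records it is fed are constructed, and the `spf.protection.outlook.com` include is simply the one Microsoft 365 publishes. To check a live domain, fetch the TXT records for the domain and for `_dmarc.<domain>` with your resolver and pass the strings in.

```python
"""Grade SPF and DMARC records for the enforcement gaps described in step 2.

Added example, not the article's code. Parses TXT record strings offline;
the sample records are constructed. Feed it real records from your DNS to
see whether DMARC is still sitting at p=none.
"""
from __future__ import annotations


def grade_spf(record: str) -> tuple[str, str]:
    """Return (grade, reason). SPF only protects you if it ends in a hard fail."""
    if not record.strip().startswith("v=spf1"):
        return "missing", "no SPF record published"
    terms = record.split()
    all_term = next((t for t in terms if t.endswith("all")), None)
    if all_term == "-all":
        return "enforced", "hard fail for unauthorized senders"
    if all_term == "~all":
        return "weak", "soft fail: receivers may still deliver spoofed mail"
    if all_term is None:
        return "ineffective", "no 'all' mechanism, so unlisted senders are not failed"
    return "ineffective", f"'{all_term}' lets any server send as your domain"


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=none; rua=mailto:...' into a lower-cased tag dictionary."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def grade_dmarc(record: str) -> tuple[str, str]:
    """Return (grade, reason). Only p=quarantine or p=reject at pct=100 protects you."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "missing", "no DMARC record published"
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    if policy == "none":
        return "monitor-only", "p=none reports spoofing but still delivers it"
    if pct < 100:
        return "partial", f"p={policy} applies to only {pct}% of failing mail"
    if tags.get("sp", policy).lower() == "none":
        return "partial", f"p={policy} but sp=none leaves every subdomain spoofable"
    return "enforced", f"p={policy} applied to all failing mail"


def assess_domain(spf_record: str, dmarc_record: str) -> dict[str, tuple[str, str]]:
    """Combine both grades into one report for a domain."""
    return {"spf": grade_spf(spf_record), "dmarc": grade_dmarc(dmarc_record)}


if __name__ == "__main__":
    # Constructed records: SPF is fine, DMARC never left monitor mode.
    report = assess_domain(
        "v=spf1 include:spf.protection.outlook.com -all",
        "v=DMARC1; p=none; rua=mailto:dmarc-reports@infonaligy.com",
    )
    for proto, (grade, reason) in report.items():
        print(f"{proto.upper():6} {grade:13} {reason}")
```

Note that the `rua=` address in a p=none record is still worth keeping once you move to enforcement: the aggregate reports it receives are how you find the legitimate third-party senders (payroll, CRM, ticketing) that need to be added to SPF or DKIM before they start getting rejected.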

3. Enforce Multi-Factor Authentication on Every Email Account

MFA won’t stop a spoofing attack, but it prevents the account compromises that make BEC possible in the first place. A large percentage of BEC attacks start with an attacker logging into a real email account using credentials stolen from a data breach, purchased on the dark web, or harvested through a previous phishing campaign.

Once an attacker controls a real email account inside your organization, the game is essentially over. They can read email threads to understand ongoing transactions, send messages from a legitimate address that passes all authentication checks, and set up inbox rules to hide their activity from the account owner.

MFA blocks this entry point. Even if an attacker has valid credentials, they can’t access the account without the second factor. Enable MFA on every email account in your organization, prioritizing executives, finance team members, and anyone with authority over payments or sensitive data. Use authenticator apps or hardware security keys, not SMS codes, which are vulnerable to SIM swapping.

4. Train Your Team on BEC-Specific Scenarios

Generic security awareness training covers phishing broadly, but BEC requires specific attention because the attack patterns are different from standard phishing.

Your team should be able to recognize these common BEC scenarios:

  • The urgent executive request: “I need you to handle a wire transfer before end of day. I’m in meetings and can’t talk, just handle it via email.”
  • The vendor payment change: “We’ve updated our banking information. Please use the new account details for all future payments.”
  • The attorney or advisor impersonation: “I’m handling a confidential matter for [CEO name]. Please process this payment and don’t discuss it with anyone until the deal closes.”

Run tabletop exercises where finance and accounting staff practice responding to these scenarios. The goal isn’t to scare people; it’s to build the habit of pausing and verifying before acting. When an employee’s first instinct is “let me verify this” rather than “I need to handle this quickly,” your risk drops significantly.

5. Set Up Monitoring for Email Account Compromise Indicators

BEC attacks often involve a period of reconnaissance after an account is compromised. The attacker logs in, reads email threads, sets up forwarding rules to maintain access, and waits for the right moment to strike. That reconnaissance window is your opportunity to detect the compromise before the financial damage happens.

Your IT team or managed security provider should be monitoring for:

  • Impossible travel alerts: A user logs in from Dallas at 9 AM and from Eastern Europe at 9:15 AM.
  • New inbox rules: An attacker creates rules to automatically move or delete emails from specific senders, hiding their activity from the account owner.
  • Mail forwarding changes: Emails being silently forwarded to an external address.
  • Unusual login patterns: Access from new devices, new locations, or at unusual hours.

Microsoft 365 Defender and most managed detection platforms can flag these indicators automatically. The key is having someone who actually reviews and responds to the alerts. Alerts that nobody acts on are the same as no alerts at all.
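To make the four indicators above concrete, here is an added example (not the article's code and not any vendor's detection logic) that runs them over a handful of constructed log lines. The sign-in and mailbox audit events are simplified JSON lines; real Microsoft 365 sign-in and unified-audit records carry many more fields, but the operation names `New-InboxRule` and `Set-Mailbox` are the ones Exchange Online logs for rule creation and forwarding changes. Impossible travel is computed from the great-circle distance between consecutive sign-ins; the hiding-folder list, finance keywords and 900 km/h threshold are assumptions you would tune.

```python
"""Run the article's compromise indicators over sample sign-in and audit events.

Added example, not the article's or any vendor's code. All events below are
constructed; the field layout is simplified from what Microsoft 365 emits.
"""
from __future__ import annotations

import json
import math
from collections import defaultdict
from datetime import datetime

# Constructed sign-ins: the controller appears in Dallas and Bucharest 15 minutes apart.
SIGNIN_LOG = """\
{"time": "2026-03-02T15:00:00+00:00", "user": "controller@infonaligy.com", "city": "Dallas", "lat": 32.78, "lon": -96.80}
{"time": "2026-03-02T15:15:00+00:00", "user": "controller@infonaligy.com", "city": "Bucharest", "lat": 44.43, "lon": 26.10}
{"time": "2026-03-02T16:00:00+00:00", "user": "ceo@infonaligy.com", "city": "Dallas", "lat": 32.78, "lon": -96.80}
{"time": "2026-03-02T18:30:00+00:00", "user": "ceo@infonaligy.com", "city": "Austin", "lat": 30.27, "lon": -97.74}
"""

# Constructed audit events: a delete-on-arrival rule, external forwarding, and two benign changes.
AUDIT_LOG = """\
{"time": "2026-03-02T15:20:00+00:00", "user": "controller@infonaligy.com", "operation": "New-InboxRule", "params": {"Name": ".", "SubjectContainsWords": ["invoice", "wire"], "DeleteMessage": true}}
{"time": "2026-03-02T15:22:00+00:00", "user": "controller@infonaligy.com", "operation": "Set-Mailbox", "params": {"ForwardingSmtpAddress": "smtp:collector@mail-archive.example"}}
{"time": "2026-03-02T16:10:00+00:00", "user": "ceo@infonaligy.com", "operation": "Set-Mailbox", "params": {"ForwardingSmtpAddress": "smtp:assistant@infonaligy.com"}}
{"time": "2026-03-02T17:00:00+00:00", "user": "ap@infonaligy.com", "operation": "New-InboxRule", "params": {"Name": "Newsletters", "FromAddressContainsWords": ["news"], "MoveToFolder": "Reading"}}
"""

# Assumed tuning: folders nobody reads, and keywords that matter to accounts payable.
HIDING_FOLDERS = {"rss subscriptions", "conversation history", "deleted items", "junk email", "archive"}
FINANCE_WORDS = {"invoice", "wire", "payment", "bank", "remit", "ach"}


def parse_jsonl(text: str) -> list[dict]:
    """One JSON object per non-blank line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres on a 6371 km sphere."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlam = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def impossible_travel(events: list[dict], max_kmh: float = 900.0) -> list[dict]:
    """Flag consecutive sign-ins per user that would need faster-than-airliner travel."""
    by_user: dict[str, list[dict]] = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])  # ISO-8601 in one zone sorts lexically
        for prev, cur in zip(evs, evs[1:]):
            hours = (datetime.fromisoformat(cur["time"]) - datetime.fromisoformat(prev["time"])).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            kmh = km / hours if hours > 0 else float("inf")
            if kmh > max_kmh:
                findings.append({"user": user, "from": prev["city"], "to": cur["city"], "kmh": round(kmh)})
    return findings


def suspicious_mailbox_changes(events: list[dict], internal_domain: str) -> list[dict]:
    """Flag inbox rules that hide mail and forwarding to addresses outside the organization."""
    findings = []
    for e in events:
        p = e.get("params", {})
        reasons = []
        if e["operation"] in ("New-InboxRule", "Set-InboxRule"):
            if p.get("DeleteMessage"):
                reasons.append("rule deletes messages on arrival")
            if str(p.get("MoveToFolder", "")).lower() in HIDING_FOLDERS:
                reasons.append(f"rule moves mail to {p['MoveToFolder']}")
            if {w.lower() for w in p.get("SubjectContainsWords", [])} & FINANCE_WORDS:
                reasons.append("rule keys on finance keywords")
            if len(str(p.get("Name", "")).strip()) <= 1:
                reasons.append("rule name is blank or a single character")
        if e["operation"] == "Set-Mailbox" and p.get("ForwardingSmtpAddress"):
            target = p["ForwardingSmtpAddress"].split(":")[-1]
            if not target.lower().endswith("@" + internal_domain.lower()):
                reasons.append(f"forwarding to external address {target}")
        if reasons:
            findings.append({"user": e["user"], "time": e["time"], "operation": e["operation"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in impossible_travel(parse_jsonl(SIGNIN_LOG)):
        print("IMPOSSIBLE TRAVEL", f)
    for f in suspicious_mailbox_changes(parse_jsonl(AUDIT_LOG), "infonaligy.com"):
        print("MAILBOX CHANGE   ", f)
```

Two design points worth keeping when you adapt this: the findings carry the user and timestamp so the on-call person can pivot straight to that account's sessions, and the forwarding check treats internal forwarding as benign only because the constructed domain is the organization's own; a tenant with several mail domains needs the full list.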

6. Know What to Do in the First Hour After a BEC Attack

Speed is everything. Over 50% of BEC victims who report to their financial institution and the FBI within 24 hours recover at least 82% of the stolen funds. That recovery rate drops sharply with every hour of delay.

If you suspect a BEC attack has succeeded:

  1. Contact your bank immediately. Request a wire recall or payment hold. Banks have internal processes for this, but they need to act before the funds are moved to another account.
  2. File a complaint with the FBI’s IC3 at ic3.gov. The IC3’s Recovery Asset Team works with financial institutions to freeze fraudulent transfers. They have a strong track record when notified quickly.
  3. Preserve evidence. Do not delete the fraudulent email. Screenshot any relevant messages, note the timeline, and save all headers and metadata.
  4. Secure the compromised account. If the attack originated from a compromised internal account, reset the password, revoke all active sessions, and review the account for forwarding rules, inbox rules, and delegated access.
  5. Notify your cyber insurance carrier. Most policies have specific BEC coverage with their own notification requirements and timelines.

Write this response plan down and make sure your finance team, IT team, and executive leadership all know where to find it. When a BEC attack hits, nobody should be searching for “what do we do now?” The answer should already be documented and rehearsed.

The Cost of Waiting

BEC isn’t a sophisticated nation-state attack that only targets large enterprises. It’s a volume crime that hits small businesses disproportionately hard because smaller organizations are less likely to have verification policies, email authentication, and monitoring in place. The $2.77 billion in reported losses almost certainly understates the real number, since many businesses never report BEC incidents to law enforcement.

Every step in this action plan is something your organization can implement within 30 days. The out-of-band verification policy can be in place by the end of this week. DMARC enforcement and MFA deployment can be completed within a few weeks. Training and monitoring take slightly longer but pay for themselves the first time they prevent a six-figure wire from leaving your account.

Need Help With Email Security?

Our team can help you implement email authentication, MFA, and monitoring to stop BEC attacks before they cost you money.
