The Federal Bureau of Investigation (FBI) report indicates that in 2025, cybercrime caused losses exceeding $20 billion, with Business Email Compromise (BEC) being the second most common form of attack, targeting mainly small businesses.
BEC is a targeted scam where criminals impersonate trusted contacts such as suppliers, accountants, and even company CEOs to request wire transfers, invoice payments, or changes to bank account information in order to steal funds from businesses.
AI has made these types of attacks harder to detect as it can generate highly personalized emails imitating real writing styles and existing business relationships, making it challenging for businesses to identify fraud.
By the time you realize there’s a problem, the transferred money has usually disappeared. Once wire transfer funds leave the domestic US banking system, they are almost impossible to recover. However, there are five zero-cost verification steps that can significantly reduce the risk for businesses.
Unlike typical phishing emails, BEC emails do not usually contain suspicious links, misspelled bank names, or lottery win messages.
Phishing emails typically send the same content to thousands of recipients in the hope that someone will click on them. BEC, on the other hand, is entirely customized fraud targeted at your specific business.
Over the years, people have traditionally spotted email scams by checking for grammar errors, unnatural wording, or sender names not matching the domain. However, this method has become ineffective.
AI tools can now: 1. Extract LinkedIn profiles, websites, and public business documents to analyze your supplier relationships and company structure; 2. Analyze writing samples to replicate specific individuals’ tone and style; 3. Generate emails containing real projects, invoice numbers, and business history; 4. Write flawless English without the common spelling mistakes and grammatical errors.
As a result, these emails read exactly like they are written by a CFO or long-time supplier. The common practices for identifying fraud against widespread AI tools that generate deceptive content have been greatly weakened.
Two common scenarios frequently occur with small businesses and freelancers.
Scenario One: Fake Supplier Invoices
You receive an email that appears to be from a supplier you have worked with for two years, with the correct address. The email mentions recent project collaborations and includes an updated invoice with new bank account information, matching the usual communication style of the supplier. Only after making the payment do you realize the real supplier’s account has not received the funds.
Scenario Two: Executive Urgent Wire Request
You receive an email from your company’s boss or senior partner claiming that a transaction must be completed on the same day, requiring an immediate transfer and emphasizing urgency and confidentiality. The writing style matches, and the amount falls within the company’s usual transaction range, leading you to make the transfer.
With these two types of fraud schemes, small businesses can suffer losses of tens of thousands of dollars in a single transfer.
Large corporations typically have multi-level payment approval systems, specialized fraud detection software, and internal cybersecurity teams, which small and medium enterprises often lack.
In many small businesses, a single employee may have full wire transfer authorization without the need for secondary approval. Criminals understand this and exploit it systematically.
In reality, companies can reduce BEC risks without specialized software or a cybersecurity team. Establishing certain habits is key.
1. Implement a “call to confirm” system. Any requests involving payments, wire transfers, or changes to bank account information should be verified via phone using the company’s original recorded phone number, not the one provided in the email.
2. Set up payment alteration policies. Clearly stipulate that supplier or employee bank information updates cannot solely rely on email; written requests must be submitted, followed by immediate phone verification.
3. Treat “urgency” as a red flag. Urgency is a common manipulation tactic in BEC attacks. If an email requests bypassing the normal approval process, even if it appears genuine, take a step back.
4. Verify the actual sender domain. The display name may say “Sarah at Metro Supplies,” but the actual address might be sarah@metro-supplies-llc.net, not sarah@metrosupplies.com. Similar domains are common tools in BEC attacks.
5. Implement dual authorization. Even in two-person operation companies, a rule should be in place: transfers exceeding a certain amount require a second person’s approval.
It’s possible but not guaranteed. With wire transfers being extremely quick, funds typically move to overseas accounts within hours.
If a business suspects it has been defrauded, it should immediately contact the bank to request the recall of the wire transfer and report the incident to the FBI’s Internet Crime Complaint Center (IC3) at ic3.gov. In cases of significant losses, contact the local FBI office directly.
Taking action within 24 to 48 hours offers the best chance of recovering some or all of the funds; once funds leave the domestic US banking system, the difficulty of retrieval increases significantly, often making recovery impossible.
Furthermore, review insurance coverage. Standard commercial liability insurance usually does not cover funds transfer fraud; Network Liability Insurance or Crime Insurance with additional clauses may offer protection.
For businesses routinely dealing with wire transfers, supplier invoices, or customer financial information, it is advisable to discuss adding Network Liability Insurance or Crime Insurance clauses with a commercial insurance broker. For small enterprises, the premiums may not be high compared to potential losses. ◇
This article reflects the author’s personal views and is for general information reference only.