Business Email Compromise (BEC) is dangerous because criminals design it to look like ordinary work.
The criminal’s goal is to trigger a financial transaction or extract sensitive information by impersonating someone the recipient trusts. BEC attacks generally pursue one of the following objectives:
- Divert a payment in progress. The attacker monitors a legitimate transaction – a property transfer, a legal settlement, a large supplier payment – and steps in at the right moment to redirect funds to a fraudulent account. By the time the error is discovered, the money has moved. This is a well-documented vector in South African conveyancing fraud and is directly relevant to anyone involved in high-value transactions.
- Initiate a fraudulent payment. A fake invoice or an instruction appearing to come from a director or executive prompts someone in the business to make a payment that was never legitimate to begin with.
- Change banking details ahead of a transaction. The attacker impersonates a supplier or creditor and requests a routine update to payment details. The next legitimate payment then goes to the wrong account.
- Extract sensitive information. Payroll records, tax information, client data, or personal information may be the target – either as an end in itself or to enable a more targeted attack later.
- Harvest credentials. Gaining access to a legitimate mailbox allows the attacker to operate undetected, monitor communications, and time a larger attack with much greater precision. For insurance brokers, a compromised mailbox could expose client policy information, claims data, or sensitive financial details.
The scale of the problem reflects both the size of the opportunity and how accessible the attack has become. The World Economic Forum’s 2026 Global Cybersecurity Outlook identifies cyber-enabled fraud and phishing as the top cyber concern for CEOs globally. Munich Re lists BEC among the main drivers of insured cyber losses in 2026. BEC has grown not only because routine business provides a large and predictable target, but because AI is making fraudulent messages more convincing, and cybercrime-as-a-service on the dark web means attackers no longer need technical expertise – they can simply buy it.
Why Business Email Compromise works
BEC does not rely on breaking into systems. It relies on being believed.
If a message can convince one person that an instruction is genuine, the attacker doesn’t need to cross a single technical barrier. There may be no malware, no system outage, and no ransom note. The fraud can move entirely through a clean-looking email and an ordinary business process. By the time anything seems wrong, the compromise has already occurred.
This is what makes BEC different from most other cyber incidents, and what makes it genuinely difficult to defend against. A business can have competent people, good systems, and solid processes and still be exposed. The attack is designed to land exactly where trust, pressure, and routine overlap — and that intersection exists in every organisation.
This is also why staff awareness alone is not enough. People are trained to look for strange spelling, odd formatting, or suspicious links. A well-constructed BEC attack can avoid all three. The more useful discipline is not to ask “does this email look fake?” but “does this instruction deserve independent verification?”
Criminals leverage trust
BEC works because it impersonates someone the recipient already trusts: a familiar sender name, a known supplier, an existing email thread, or a message that appears to come from a senior person in the organisation. These carry weight precisely because people rely on them legitimately every day.
The problem is that each one can be faked. A domain can be spoofed, a mailbox can be compromised, and a supplier relationship can be reconstructed from information that has been leaked, observed, or simply researched online. The attacker does not need to break trust. They only need to borrow it convincingly enough to prompt one action.
For South African SMEs, the damage can extend well beyond a single incident. A client who receives a convincing fraudulent email appearing to come from your organisation may simply conclude that your business is untrustworthy. That is a harder loss to recover from than the financial one.
The risk travels between organisations
BEC does not always start inside your business. It can begin with a supplier, a partner, a client, or an adviser whose email environment is weaker than yours. Your exposure depends as much on who you deal with as on what you have built internally.
Many organisations focus on protecting what arrives in the inbox but give less thought to whether criminals can send email that appears to come from their domain. Those are two different problems. Your domain carries your reputation, and if it can be abused, the consequences extend to everyone who trusts it.
The FBI’s 2025 Internet Crime Report recorded nearly 21 billion dollars in cyber-enabled crime losses, with BEC among the largest single categories. That scale reflects how effectively the attack fits inside the way organisations actually work.
Practical ways to reduce the risk
The first defence is to make high-value actions harder to compromise. Banking detail changes, urgent payment requests, new supplier records, and executive instructions should all require independent verification before anyone acts. That verification must use a trusted channel, not a phone number or reply address lifted from the message in question.
The second defence is to protect employees from pressure. A clear organisational rule gives people permission to pause, even when the request appears to come from someone senior.
Neither of these steps should make business difficult. The aim is to slow things down only at the moments that matter, not across the business as a whole.
The third defence is technical. When it comes to same-domain spoofing, managed DMARC protection closes that gap by helping to stop criminals from using your domain to impersonate you.
BEC goes beyond the IT team
BEC is ultimately a leadership issue, not just a technical one. When a single trusted instruction can result in a fraudulent payment, a data breach, or a compromised supplier relationship, the consequences reach far beyond the IT team.
The right response is not to make every employee overly suspicious about every email – that creates friction, slows the business, and is not sustainable. The better response is to identify which actions carry the most risk and build verification into them as a matter of routine.
The organisations that manage this risk well are those that implement technical controls where possible (such as a fully enforced DMARC policy at p=reject), while also clearly identifying and communicating the various verification triggers to all employees.
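As an added illustration (not code from the original article or any vendor product), the check below parses a domain's DMARC TXT record and reports whether it actually enforces against same-domain spoofing, distinguishing monitoring-only p=none from the fully enforced p=reject policy the two passages above recommend. The three records and the example.com reporting address are constructed samples.

```python
# Constructed sample DMARC TXT records (not taken from the original page).
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
PARTIAL_RECORD = "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com"
STRONG_RECORD = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com"


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into lower-cased tag/value pairs (RFC 7489 syntax)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(record: str) -> dict:
    """Classify how much protection against same-domain spoofing a record gives."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return {"policy": None, "enforced": False,
                "findings": ["missing or invalid v=DMARC1 tag: no DMARC policy published"]}
    findings = []
    policy = tags.get("p", "")
    pct = int(tags.get("pct", "100"))          # receivers default to applying 100%
    subdomain_policy = tags.get("sp", policy)  # sp= falls back to p= when absent
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail goes to spam rather than being rejected")
    elif policy != "reject":
        findings.append(f"unknown or missing policy '{policy}'")
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if subdomain_policy != "reject":
        findings.append(f"sp={subdomain_policy}: subdomains can still be spoofed")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports to reveal abuse of the domain")
    enforced = policy == "reject" and pct == 100 and subdomain_policy == "reject"
    return {"policy": policy, "enforced": enforced, "findings": findings}


if __name__ == "__main__":
    for name, rec in [("weak", WEAK_RECORD), ("partial", PARTIAL_RECORD), ("strong", STRONG_RECORD)]:
        print(name, evaluate_dmarc(rec))
```

In practice the record comes from a DNS TXT lookup of `_dmarc.<your-domain>`; only the strong sample passes as enforced.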