Ransomware scares people because it’s loud. Screens lock, files vanish, criminals taunt you.
Business email compromise (BEC) is the opposite: quiet, boring-looking… and much more expensive. According to the FBI’s Internet Crime Complaint Center, BEC scams caused about 2.8 billion USD in reported losses in 2024 alone, with nearly 8.5 billion USD lost between 2022 and 2024. And that’s just what gets reported.
For a Malta-based SME, one successful BEC attack can mean a six‑figure bank transfer to a criminal that you will never see again.
# What is business email compromise (in plain English)?
Business email compromise is a targeted fraud where criminals impersonate someone you trust over email to trick you into sending money or sensitive data.
Typical patterns:
- **Invoice fraud**: A supplier’s invoice arrives “as usual”, but their bank details have been quietly changed. You pay the invoice… straight into the attacker’s account.
- **CEO / CFO fraud**: Finance staff receive an urgent email “from the CEO” while they’re in a meeting or travelling: “We’re closing a deal, wire 65,000 EUR to this account now, I’ll explain later.” It looks legit. It’s not.
- **Payroll / HR fraud**: An employee appears to request that their salary be paid to a “new bank account”. In reality the employee’s email account is compromised, and their wages go to an attacker.
According to Microsoft and other major security vendors, BEC is not about malware. It’s mostly social engineering, email spoofing and account takeover, which means traditional antivirus doesn’t help much here.
The part most SMEs miss: BEC often starts with a simple phishing email, but the real damage happens weeks later, when criminals have quietly studied your email conversations, approvals, and payment patterns.
# Why business email compromise is so expensive
According to a 2026 phishing trends report, BEC is the costliest phishing variant, with an average impact around 4.67 million USD per incident for larger organisations. For SMEs, the numbers are smaller but still brutal: five‑ or six‑figure transfers are very common.
Why the costs add up so fast:
- **Direct bank transfers are hard to reverse**: With card fraud, banks often absorb losses. With BEC wire transfers, your bank may try to recall the funds, but if the money has already been moved on, that’s it. You’re the one left holding the bill.
- **Attackers piggyback on real business processes**: They sit in your email for weeks, then alter one invoice or one account number at exactly the right time. The payment is authorised, logged, and looks “normal” in your accounting system.
- **BEC rarely triggers cyber insurance**: Many SMB policies are written around “hacking” and “ransomware”. BEC often gets treated as a fraud / payment authorisation issue, and insurers push back unless your controls are mature and documented.
- **Reputation damage with suppliers and clients**: Imagine telling your main supplier in Malta or the EU: “We paid 40,000 EUR to the wrong account and can’t pay you now.” That can strain relationships, credit terms, and trust overnight.
- **Regulatory risk**: If personal data is exposed during a BEC‑driven mailbox compromise, you may be facing GDPR notification requirements to the IDPC in Malta and possibly to affected customers. Even if the fine risk is low, the legal and admin time is real.
BEC doesn’t usually break your systems — it breaks your decision‑making. Attackers weaponise your own processes, approvals, and habits against you.
# Common BEC scenarios Malta SMEs are vulnerable to
Here are the situations we see all the time with local businesses.
## 1. Compromised supplier, clean customer
Your systems are fine. But your supplier’s email account in Italy, the UK, or Malta is compromised.
The attacker:
- Watches your real email conversation about a project
- Intercepts the final invoice
- Resends a “revised invoice” with new bank details, often from a look‑alike domain (e.g. exampleltd.com instead of example-itd.com)
You pay the fraudulent invoice. From your side, nothing “went wrong” technically.
## 2. Shared finance inbox with weak security
Many SMEs still use shared mailboxes like accounts@ or sales@ with:
- One weak password shared among staff
- No multi-factor authentication (MFA)
Once attackers get in, they:
- Set up hidden forwarding rules to their own address
- Track patterns: who approves payments, at what amounts, on which days
- Strike when your key people are on holiday or travelling
## 3. Legit mailbox, fake domain
Sometimes attackers don’t bother hacking your account. They register a domain that looks almost identical to yours or your supplier’s, then:
- Copy past email threads
- Reply from the fake domain at the right moment
- Add a slightly different bank account “for this payment only”
If your finance team only glances at the name (not the full address), they will not see the difference.
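The look‑alike check described in scenarios 1 and 3 can be automated at the point where a payment request lands in the finance inbox. The following is an added example, not code from the original article: it assumes a constructed list of trusted supplier domains (`TRUSTED_DOMAINS`, placeholder values) and parses the real address out of a `From` or `Reply-To` header so that the display name cannot mask the domain.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed: domains your finance team legitimately receives invoices from.
TRUSTED_DOMAINS = {"example-ltd.com", "yourcompany.com.mt"}

# Single characters that look alike on screen: 1 and i read as l, 0 reads as o.
CONFUSABLE_CHARS = str.maketrans("1i0", "llo")
# Character pairs that read as one letter in many fonts.
CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"))


def normalise(domain: str) -> str:
    """Collapse a domain to the shape a human eye perceives (hyphens and confusables removed)."""
    d = domain.lower().strip().replace("-", "")
    for pair, single in CONFUSABLE_PAIRS:
        d = d.replace(pair, single)
    return d.translate(CONFUSABLE_CHARS)


def sender_domain(header_value: str) -> str:
    """Real domain from a From/Reply-To header, ignoring the display name."""
    _name, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify_sender(header_value: str) -> tuple[str, str]:
    """Return ('trusted' | 'lookalike' | 'unknown', domain) for a From header."""
    domain = sender_domain(header_value)
    if domain in TRUSTED_DOMAINS:
        return "trusted", domain
    norm = normalise(domain)
    for trusted in TRUSTED_DOMAINS:
        known = normalise(trusted)
        # Equality after normalisation catches dropped hyphens and i/l swaps;
        # the similarity ratio catches one-character typos such as .co for .com.
        if norm and (norm == known or SequenceMatcher(None, norm, known).ratio() >= 0.9):
            return "lookalike", domain
    return "unknown", domain


def reply_to_mismatch(from_header: str, reply_to_header: str) -> bool:
    """True when replies would go to a different domain than the one shown as sender."""
    reply_domain = sender_domain(reply_to_header)
    return bool(reply_domain) and reply_domain != sender_domain(from_header)
```

A `lookalike` verdict or a `Reply-To` mismatch is a reason to route the message to the out‑of‑band verification step, not a proof of fraud on its own.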
## 4. Deeply researched CEO fraud
With LinkedIn and your own website, criminals can see:
- Who the directors and finance people are
- Who reports to whom
- What deals or expansion plans you’re talking about
They then craft highly specific emails that match your tone, deal names, and urgency. Add time pressure (“needs to be done in the next 30 minutes”), and people make mistakes.
# Business email compromise vs phishing vs ransomware
These three often get bundled together as “cyber threats”, but they behave very differently.
| Threat type | Main goal | Typical impact on an SME | Visibility | Main defence focus |
|---|---|---|---|---|
| Phishing | Steal credentials or trick clicks | Lost passwords, smaller frauds, malware install | Low–medium | User awareness, email filtering, MFA |
| Business email compromise | Trick you into sending money or sensitive data | Large fraudulent payments, account changes, supplier/customer disputes | Often invisible until money is gone | Process controls, verification, advanced email security |
| Ransomware | Encrypt data and demand payment | Operational downtime, ransom demand, recovery costs | Very visible, systems down | Backups, patching, endpoint security |
The key difference: BEC abuses trust and process, not technology. If your response is only “install better antivirus”, you’re defending the wrong door.
# How to protect your business from business email compromise
Here is a practical checklist you can use straight away. None of this is theoretical — this is what actually reduces BEC risk for SMEs.
## 1. Fix the money-movement process
- **Require out‑of‑band verification for bank changes**: Any change of bank account for suppliers, partners, or staff must be verified by:
  - A phone call to a verified number (from your CRM or a previous contract), not the one in the email
  - Or a video call with the known contact
- **Set payment thresholds with dual approval**: For example: any transfer above 5,000 EUR requires two approvals — ideally via two different channels (email + ERP, or approval app + verbal confirmation).
- **Standardise “urgent payment” handling**: Define a rule: no urgent payment skips the process because of seniority. Even if an email appears to come from the CEO, it follows the same verification steps.
## 2. Harden your email accounts properly
- **Enable MFA everywhere**: On Microsoft 365, Google Workspace, and especially for:
  - Finance and HR accounts
  - Shared mailboxes (accounts@, payroll@, office@)
- **Ban shared passwords**: Use individual accounts with delegated access instead of a single login for multiple people.
- **Turn on modern email security features**: Make sure you have:
  - Anti‑phishing and impersonation protection in Microsoft 365 / Google Workspace
  - Alerts for suspicious login locations and impossible travel
  - Blocking of auto‑forwarding to external addresses
## 3. Make it easy for staff to “pause and verify”
- **Train staff on BEC specifics (not just “don’t click links”)**: Use examples of:
  - Fake supplier bank changes
  - Slightly changed domain names
  - Urgent fake CEO requests
- **Give them a simple escalation path**: For example: a dedicated “security@company.com” mailbox or Teams channel where people can forward suspicious payment requests without fear of looking silly.
- **Run realistic internal simulations**: Send test “fake bank change” emails to see who follows procedure and who needs more support.
## 4. Limit the blast radius when something goes wrong
- **Log and review mailbox rules regularly**: Attackers love hidden rules like “forward all emails with ‘invoice’ in the subject to this external address”. Have IT review rules for finance and director mailboxes at least quarterly.
- **Have a BEC incident playbook**: If you discover a fraudulent transfer:
  - Contact your bank immediately and ask for a recall and fraud escalation
  - Inform your IT team / provider to secure the account and check for other compromises
  - Preserve evidence and notify management and, if needed, the IDPC and affected partners
- **Check your insurance wording**: Many policies separate “social engineering” fraud from “hacking”. Review this with your broker and make sure BEC is explicitly covered, with clear conditions you can realistically meet.
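The quarterly rule review from section 4, and the external auto‑forwarding block from section 2, both come down to the same question: which rules send finance mail somewhere it should not go, or hide it? The example below is added here and is not from the original article. It assumes the rules have already been exported (for Exchange Online, the `Get-InboxRule` cmdlet returns these property names) into a simplified list of dicts with plain SMTP addresses; the mailbox names, domains and the rules themselves are constructed sample data.

```python
# Constructed sample shaped like a JSON export of inbox rules. The property
# names mirror those returned by Exchange Online's Get-InboxRule, but the
# address lists are simplified to plain SMTP addresses (an assumption here).
SAMPLE_RULES = [
    {"Mailbox": "accounts@yourcompany.com.mt", "Name": "Newsletters", "Enabled": True,
     "SubjectContainsWords": ["newsletter"], "MoveToFolder": "Newsletters",
     "ForwardTo": [], "RedirectTo": [], "ForwardAsAttachmentTo": [], "DeleteMessage": False},
    {"Mailbox": "accounts@yourcompany.com.mt", "Name": ".", "Enabled": True,
     "SubjectContainsWords": ["invoice", "payment"], "MoveToFolder": "RSS Feeds",
     "ForwardTo": ["collector@example.net"], "RedirectTo": [], "ForwardAsAttachmentTo": [],
     "DeleteMessage": True},
    {"Mailbox": "director@yourcompany.com.mt", "Name": "Copy to assistant", "Enabled": True,
     "SubjectContainsWords": [], "MoveToFolder": None, "ForwardTo": ["assistant@yourcompany.com.mt"],
     "RedirectTo": [], "ForwardAsAttachmentTo": [], "DeleteMessage": False},
]

INTERNAL_DOMAINS = {"yourcompany.com.mt"}  # constructed: your own email domain(s)
FINANCE_WORDS = {"invoice", "payment", "iban", "bank", "remittance"}
# Folders users rarely open, so mail moved there is effectively hidden.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "junk email", "deleted items"}


def review_rule(rule: dict) -> list[str]:
    """Return findings for one rule; an empty list means nothing looked suspicious."""
    findings = []
    targets = [t for key in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo") for t in rule.get(key) or []]
    external = [t for t in targets if t.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]
    if external:
        findings.append("forwards or redirects to external address(es): " + ", ".join(external))
    words = {w.lower() for w in rule.get("SubjectContainsWords") or []} & FINANCE_WORDS
    if words:
        findings.append("triggers on finance keywords: " + ", ".join(sorted(words)))
    folder = (rule.get("MoveToFolder") or "").lower()
    if rule.get("DeleteMessage") or folder in HIDING_FOLDERS:
        findings.append("deletes matching mail or moves it to a rarely viewed folder")
    if not rule.get("Name", "").strip(" .,-_"):
        findings.append("rule name is blank or punctuation only")
    return findings


def review_rules(rules: list[dict]) -> dict[tuple[str, str], list[str]]:
    """Map (mailbox, rule name) to findings for every enabled rule that needs a human look."""
    report = {}
    for rule in rules:
        if not rule.get("Enabled", True):
            continue
        findings = review_rule(rule)
        if findings:
            report[(rule["Mailbox"], rule["Name"])] = findings
    return report
```

Run the report against the finance and director mailboxes each quarter and treat any flagged rule as a possible account compromise until the mailbox owner confirms they created it.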
If you want to stop worrying about business email compromise, get in touch — we work with Malta businesses to make IT one less thing on your list.