Cyber Deception: The Rise of Business Email Compromise
In this episode of The Herbein Conversation's Fraud Fighters series, host Debbi Fetter, Partner and Managing Director, and Jeff Johns, Partner, explore the growing threat of business email compromise (BEC). They discuss how cybercriminals manipulate employees into revealing sensitive information, the staggering financial losses caused by these scams, and real-world cases affecting businesses of all sizes. Tune in to learn how to safeguard your organization from this pervasive cyber threat.
Debbi S. Fetter: Hello, everyone, and welcome to another episode of The Herbein Conversation podcast, where we dive into some of the most pressing issues in the modern workplace. I'm Debbi Fetter, Partner and Managing Director in our firm's Risk Management practice and host of the Herbein Fraud Fighters podcast series—your go-to podcast for the latest in fraud and cybersecurity tips and trends.
Today, I'm joined by fellow Partner and resident IT guru, Jeff Johns. Welcome back, Jeff.
Jeff J. Johns: It's great to be here again, Debbi. Thank you.
Debbi S. Fetter: Today's topic is business email compromise. Let's start with the basics—what exactly is business email compromise?
Jeff J. Johns: Business email compromise is a type of cybercrime where attackers use emails to deceive a user into divulging sensitive information or authorizing fraudulent transactions. Typically, the email appears to come from a trusted individual, such as a CEO or another high-level executive, to manipulate the recipient into taking action. However, it doesn't necessarily have to be a CEO or CFO—anyone within an organization can be targeted, as we've seen these attacks become increasingly widespread.
Debbi S. Fetter: So even vendors that organizations typically work with can be subject to these attacks?
Jeff J. Johns: Absolutely. Anybody within an organization—contractors, vendors, third parties—can be targeted by these bad actors.
Debbi S. Fetter: That sounds quite sophisticated. How prevalent is this type of attack?
Jeff J. Johns: Unfortunately, it's very prevalent. Over the last decade, business email compromise has resulted in approximately $55 billion in reported losses globally. In 2023 alone, losses were estimated at around $3 billion—a significant increase from previous years.
Debbi S. Fetter: Wow, those numbers are staggering. Can you give our listeners some real-life examples? Is this just affecting large businesses, or are small businesses at risk as well?
Jeff J. Johns: It's not just large businesses—small businesses are also vulnerable. Some of the more well-known cases include Facebook and Google, which collectively lost over $100 million due to these scams. Another technology firm reportedly lost around $47 million. But it’s not just the big corporations. A Catholic parish, for example, fell victim to an email compromise scam and lost $1.75 million.
It's a widespread issue. Even when organizations have controls in place that prevent financial losses, hackers often still gain access to email environments, allowing them to monitor communication patterns. This enables them to learn how businesses operate—whether it’s an accounts payable process, financial approvals, or wire transfer protocols. They do this in a very stealthy manner, making it difficult to detect.
Debbi S. Fetter: That’s shocking—even a church. It sounds like business email compromise can target employees of any company, whether large or small, in different ways. For instance, impersonating a vendor. I believe the case with the church involved a construction firm the parish was working with. So fraudsters can pose as different individuals to trick employees into disclosing sensitive information or processing illegitimate transactions.
Jeff J. Johns: Absolutely. From my experience in investigations and consulting, I’ve seen cases where attackers specifically target individuals to steal their credentials. Once they gain access, they set up email forwarding rules so that messages are secretly sent to an external Gmail or Yahoo account. This allows the attacker to monitor internal communications without detection. After they fully understand the company’s processes—whether it's payment approvals or document workflows—they launch their attack to gain financial or strategic advantage.
Debbi S. Fetter: Wow. So no matter the industry or company size, it seems like everyone is at risk. What are some key takeaways to help mitigate this type of fraud?
Jeff J. Johns: The first line of defense is your IT team or third-party IT provider. Ensuring proper email security configurations is essential. Implementing verification tools and spam filters helps block malicious emails before they reach end users.
Technical controls like multi-factor authentication (MFA) are critical. If credentials are compromised, MFA adds another layer of protection to prevent unauthorized access.
Lastly, training is key. Employees need to be aware of phishing attempts and how to recognize fraudulent emails.
Debbi S. Fetter: Jeff, if I’m a CEO or CFO, how do I know the right security measures are in place, scaled appropriately for my organization, and actually working as intended?
Jeff J. Johns: The best approach is to have an independent review of your security controls. More likely than not, there are areas that can be tightened. A third-party assessment can evaluate your email security, identify vulnerabilities, and ensure that appropriate safeguards—like impersonation protections and email access restrictions—are in place.
For example, a simple but effective control is blocking all email forwarding outside the organization. This prevents attackers from silently monitoring emails from an external account.
Debbi S. Fetter: So periodic reviews—whether conducted internally or by third parties like yourself—can help identify gaps and outdated protocols. Another key component is employee training. Since humans are often the weakest link, what can businesses do to ensure employees recognize and respond to potential phishing emails?
Jeff J. Johns: Regular training is essential. Organizations should conduct phishing simulations—either internally or through a third-party provider—to assess employees' susceptibility.
A best practice is to connect training to personal cybersecurity. If employees understand how these threats impact them personally, they’re more likely to engage and adopt secure behaviors at work.
Short, frequent training sessions are more effective than long, infrequent ones. For example, 10- to 15-minute micro-trainings are more digestible than a two-hour IT security course.
Debbi S. Fetter: Great insights. It sounds like every organization needs trained fraud fighters—employees who stay vigilant and question suspicious emails instead of clicking. Are there any final thoughts or tools you’d recommend for our listeners?
Jeff J. Johns: At the end of the day, these attacks are going to happen. Organizations need to be prepared to respond. Employees should know where to report suspicious emails, and companies should have an incident response plan in place.
Many small businesses don’t have an incident response plan, and those that do may not have tested it in a while. Periodic reviews and tabletop exercises can help ensure the plan is effective. If a company doesn’t have one, partnering with a trusted provider to develop a tailored response plan is essential.
Debbi S. Fetter: Great advice, Jeff. Thank you so much.
It sounds like a combination of employee education, technical tools, and a well-prepared response plan can help businesses reduce their risk. Thank you for sharing your insights on business email compromise.
Jeff J. Johns: Thank you. It was great to be here again.
Debbi S. Fetter: That’s all for today’s episode of Herbein Fraud Fighters. We hope we’ve provided valuable tools for your fraud prevention toolbox.
If you need help identifying gaps, fine-tuning fraud processes, or enhancing banking security, or just want to talk through some of your fraud concerns, reach out to the Herbein Risk Management team.
If you enjoyed this episode, check out the Fraud Fighters series on our website, Spotify, or Apple Podcasts.
Thanks for tuning in, and remember—keep up the fight and see you next time, fraud fighters!
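The forwarding-rule technique Jeff describes in the episode (an attacker who has stolen credentials adds an inbox rule that quietly copies mail to an outside Gmail or Yahoo address) and the control he recommends (blocking forwarding outside the organization) are illustrated by the following added example. It is not part of the podcast and is not Herbein's own tooling. It assumes inbox rules have already been exported from the mail platform (in Exchange Online, `Get-InboxRule` returns the ForwardTo, ForwardAsAttachmentTo, RedirectTo, DeleteMessage and Enabled properties the audit relies on) and that `example.com` stands in for the organization's own mail domain; the sample rules are constructed for the example.

```python
# Added example (not from the podcast): flag mailbox inbox rules that auto-forward
# or redirect mail outside the organization, the technique described in the episode.
# Assumptions: rules were exported from the mail platform (e.g. Exchange Online's
# Get-InboxRule); "example.com" stands in for the organization's own mail domain.
import re
from dataclasses import dataclass, field

INTERNAL_DOMAINS = {"example.com"}  # assumption: the organization's mail domain(s)


@dataclass
class InboxRule:
    mailbox: str
    name: str
    enabled: bool = True
    forward_to: list[str] = field(default_factory=list)
    forward_as_attachment_to: list[str] = field(default_factory=list)
    redirect_to: list[str] = field(default_factory=list)
    delete_message: bool = False


def address_of(recipient: str) -> str:
    """Extract a bare lowercase SMTP address from an exported recipient string.

    Exchange renders rule recipients as 'Display Name [SMTP:user@host]';
    bare addresses are accepted as-is.
    """
    match = re.search(r"SMTP:([^\]\s]+)", recipient, re.IGNORECASE)
    return (match.group(1) if match else recipient).strip().lower()


def external_targets(rule: InboxRule, internal_domains=INTERNAL_DOMAINS) -> list[str]:
    """Return every forward/redirect target whose domain is not one of ours."""
    internal = {d.lower() for d in internal_domains}
    targets = rule.forward_to + rule.forward_as_attachment_to + rule.redirect_to
    external = []
    for target in targets:
        addr = address_of(target)
        domain = addr.rpartition("@")[2]
        if domain not in internal:
            external.append(addr)
    return external


def audit_rules(rules, internal_domains=INTERNAL_DOMAINS) -> list[dict]:
    """Audit enabled rules and report external forwarding with a severity.

    A rule that also deletes or redirects the message hides it from the mailbox
    owner entirely (the stealth Jeff describes), so it is rated high; a plain
    copy-forward still leaks mail and is rated medium.
    """
    findings = []
    for rule in rules:
        if not rule.enabled:
            continue
        external = external_targets(rule, internal_domains)
        if not external:
            continue
        hidden = rule.delete_message or bool(rule.redirect_to)
        findings.append({
            "mailbox": rule.mailbox,
            "rule": rule.name,
            "external": external,
            "severity": "high" if hidden else "medium",
        })
    return findings


# Constructed sample export: one legitimate internal rule, one attacker-style rule
# with a throwaway name that forwards and deletes, one disabled rule, one copy-forward.
SAMPLE_RULES = [
    InboxRule("ap.clerk@example.com", "Invoices to finance",
              forward_to=["Finance [SMTP:finance@example.com]"]),
    InboxRule("ap.clerk@example.com", ".",
              forward_to=["[SMTP:apclerk.backup@gmail.com]"], delete_message=True),
    InboxRule("cfo@example.com", "Old archive", enabled=False,
              redirect_to=["archive@yahoo.com"]),
    InboxRule("cfo@example.com", "Wire approvals",
              forward_as_attachment_to=["wire.approvals@yah00.com"]),
]

if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print(f"[{finding['severity']}] {finding['mailbox']} "
              f"rule {finding['rule']!r} -> {finding['external']}")
```

Run against the sample, the audit reports the one-character rule on the AP clerk's mailbox as high (it forwards to Gmail and deletes the original, so the clerk never sees the message) and the CFO's attachment-forward to a look-alike domain as medium; the disabled rule and the internal forward are ignored. The audit is a detective control for rules that already exist; the preventive control Jeff recommends is to block external auto-forwarding at the tenant (in Exchange Online, `Set-RemoteDomain -Identity Default -AutoForwardEnabled $false`), after which these rules fail silently, which is exactly why an audit like this should still run to surface the compromised mailbox.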