Business Email Compromise

BEC is consistently one of the costliest cyber crimes reported to the FBI. Attackers impersonate executives, vendors, and colleagues to steal money and data, and their lures keep getting more convincing.

$2.7B: Lost to BEC attacks reported to the FBI IC3 in 2024
70%: Weekly probability of a BEC attack for organizations under 1,000 employees
15%: Increase in BEC attacks in 2025

Government and small business are high-value targets

BEC attacks accounted for 73% of all reported cyber incidents in 2024 across government and regulated sectors. Attackers target payroll departments, accounts payable clerks, and anyone who handles financial transactions—roles common in every municipal office and small business.

Training time: Approximately 15–20 minutes
Includes: Real-world email examples, interactive scenarios, and a scored assessment

What Is Business Email Compromise?

Business Email Compromise is a type of attack where criminals impersonate a trusted person—your boss, a colleague, a vendor, or a government agency—through email to trick you into sending money, sharing sensitive data, or changing payment information.

Why BEC is different from spam

BEC emails are not mass-blasted to millions. They are targeted and researched. Attackers study your organization, learn names and titles, and craft messages that look like normal business communication. With AI tools, these emails can be nearly indistinguishable from genuine correspondence: correct grammar, the right tone, and a familiar signature block are no longer signs that a message is real.

How attackers prepare

Before sending a single email, attackers may:

  • Research your organization's staff directory, org chart, and LinkedIn profiles
  • Compromise a real employee's or vendor's email account to send messages from a legitimate address
  • Register look-alike domains (e.g., cityofportland-gov.com or cityofport1and.org instead of cityofportland.gov). Because .gov domains can only be registered by verified U.S. government entities, government look-alikes almost always land in .com, .org, or .net
  • Study your organization's payment cycles, vendor relationships, and communication patterns
  • Use AI to replicate writing styles, including grammar quirks and signature blocks
  • Create deepfake voice or video calls to confirm fraudulent requests

The $25.6 million deepfake video call

In early 2024, a finance employee at the engineering firm Arup joined a video conference with what appeared to be the company's CFO and several colleagues; every other participant was an AI-generated deepfake. Convinced by the live video, the employee made 15 transfers totalling $25.6 million (HK$200 million) to five bank accounts controlled by the attackers. Arup confirmed the incident publicly in May 2024.

The Five Types of BEC Attacks

1. CEO / Executive Impersonation

An attacker poses as the mayor, city manager, department director, or company owner and emails a staff member requesting an urgent wire transfer, gift card purchase, or sensitive information. These emails emphasize urgency and secrecy: "I need this handled before end of day. Don't discuss this with anyone else."

2. Payroll Diversion

An attacker impersonates an employee and emails HR or payroll requesting a change to their direct deposit bank account. The new account belongs to the attacker. This is especially common around pay periods and during onboarding/offboarding.

3. Vendor / Invoice Fraud

An attacker impersonates a known vendor or supplier and sends a fake invoice or requests updated payment routing. They may compromise the vendor's actual email account or register a look-alike domain. This is the most common type, representing 63% of BEC attacks.

4. Attorney / Legal Impersonation

An attacker poses as a law firm, auditor, or regulatory body and pressures the target into acting quickly on a "confidential legal matter" involving wire transfers or sensitive records.

5. Data Theft

Rather than requesting money, the attacker targets HR or admin staff to steal W-2 forms, employee records, constituent data, or other sensitive information that can be sold or used for identity theft.

The BEC Attack Chain

1. Reconnaissance

Attackers study your organization using public records, social media, LinkedIn, and news articles. They identify who handles money, who reports to whom, and what vendors you use.

2. Setup

They either compromise a real email account (through phishing or credential theft) or register a look-alike domain. They may monitor email traffic for days or weeks to learn communication patterns.

3. The Ask

The attacker sends a carefully crafted email requesting a financial action: a wire transfer, a payment routing change, a gift card purchase, or a payroll update. The request looks routine and comes from a trusted source.

4. Pressure

The email creates urgency: "This needs to happen today." It may also demand secrecy: "Keep this between us for now." If the target hesitates, the attacker may follow up with a phone call, text, or Teams message using a spoofed number.

5. The Transfer

The victim processes the payment or shares the data. Funds are typically moved through multiple accounts and withdrawn within hours, making recovery extremely difficult. The average BEC wire transfer request is $24,586.

Dual-channel attacks are the new trend in 2026

Attackers now follow up initial BEC emails with phone calls, text messages, or Microsoft Teams messages to add legitimacy. If someone "confirms" a request through a second channel that was also spoofed, it does not mean the request is real. Always verify through a channel you initiate.

Spot the Scam

Review each scenario and decide: is this a BEC attack or legitimate business?

Scenario 1: The Urgent Request

You are an administrative assistant at a county public works department. This email arrives at 4:42 PM on Friday:

From: David Mercer <d.mercer@countyworks-admin.com>
To: You
Subject: Quick favor - confidential

Hi,

I'm in a meeting and can't step out. I need you to pick up 5 Apple gift cards ($200 each) for a staff recognition event on Monday. Please purchase them today and send me photos of the card numbers and PINs.

I'll reimburse you on Monday. Don't mention this to anyone - it's a surprise.

Thanks,
David Mercer
Director, Public Works

This is a BEC gift card scam.

Red flags: The sender domain (countyworks-admin.com) is not the county's real email domain. The request demands urgency ("today"), secrecy ("don't mention this"), and an unusual payment method (gift cards). No legitimate organization purchases gift cards this way. Gift card requests via email are always a scam. Do not purchase anything, and do not reply to the email (a reply only reaches the attacker). Verify directly with Director Mercer by phone at his known number or in person.

Scenario 2: The Direct Deposit Change

You work in the payroll department of a small city. This email arrives from a Parks Department employee:

From: Maria Santos <maria.santos@cityparks-dept.org>
To: Payroll Department
Subject: Direct deposit update - new bank

Hi Payroll,

I recently switched banks and need to update my direct deposit information before the next pay cycle. My old account has been closed.

New routing number: 021000021
New account number: 4851-7293-0064

Can you please update this before Friday? I don't want to miss my paycheck.

Thanks,
Maria Santos
Parks Maintenance

This is a payroll diversion attack.

The sender domain (cityparks-dept.org) is not the city's official domain. Direct deposit changes should never be processed based on email alone, even when the message comes from the employee's genuine address, because that account may itself be compromised. Require the employee to submit the change through your official HR system or in person with valid ID. Call Maria at her known phone number to verify.

Scenario 3: The Updated Invoice

You handle accounts payable for a small engineering firm. You receive this invoice from a regular supplier:

PACIFIC NORTHWEST SUPPLY CO.
1200 Industrial Way, Suite 400
Portland, OR 97201

INVOICE INV-2026-0847
Date: Feb 28, 2026

  Description                          Qty      Amount
  Grade 5 structural bolts (250 ct)      4   $2,180.00
  Steel I-beam W8x31 (20ft)             12  $14,400.00
  Freight and delivery                   1     $850.00
  Total Due:                                $17,430.00

IMPORTANT: Our banking partner has changed. Please update your payment records with the new wire instructions below. Previous account is no longer active.
New Bank: First Atlantic Trust | Routing: 026009593 | Acct: 7841-2039-5517

This is a vendor invoice scam.

The invoice looks professional and references real-seeming products, but the "banking partner has changed" notice is a classic BEC red flag. Attackers either compromised the vendor's email or created a look-alike domain. Never update payment information based on an invoice or email alone. Call the vendor at a phone number from your existing records (not the invoice) to verify any banking change, and keep paying to the details already on file until that verification is complete.

Scenario 4: The Conference Registration

Your supervisor walks over to your desk and hands you a printed conference brochure. She says: "Can you register me for this cybersecurity conference next month? Use the department P-card. Here's the registration link from their website." You visit the conference website, verify it matches the brochure, and complete the registration through the site's standard payment form.

This is a legitimate request.

Your supervisor made the request in person (not via email), you verified the website independently, and the payment is processed through a standard registration form—not a wire transfer, gift card, or routing change sent via email. In-person verification and standard payment channels are signs of legitimate business.

Your Defense Playbook

The Golden Rule

Verify any financial request through a channel you initiate.

Before processing any wire transfer, payment routing change, gift card purchase, or payroll update requested via email, call the requester at a phone number you already have on file. Do not use contact information from the email itself.

Red flags in every BEC email

  • Urgency: "This needs to happen today" or "before end of business"
  • Secrecy: "Keep this between us" or "Don't discuss this with anyone"
  • Unusual requests: Gift cards, wire transfers, or routing changes via email
  • Sender mismatch: Display name looks right but the email domain is wrong or slightly off
  • Pressure from authority: The "sender" is your boss, a director, or an executive
  • New payment instructions: "Our bank has changed" or "Use this new account"
  • Moving off-channel: "Text me at this number" or "Let's handle this on my personal email"

Verification procedures that stop BEC

  • Call back on a known number—Use your contact list, not the number in the email
  • Verify in person when possible—Walk down the hall before wiring $20,000
  • Check the email domain carefully—One changed letter is all it takes
  • Require dual authorization for any payment over a set threshold
  • Never change payment routing via email alone—Require a signed form or in-person verification
  • Slow down—Urgency is the attacker's weapon. A 10-minute verification call can save millions
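The "sender mismatch" and "check the email domain" checks above can be partly automated. The script below is an added example, not part of this training page or Circle 6 Systems' material. It scores an inbound message the way the playbook does: it compares the sender domain against a list of trusted domains (collapsing confusable characters such as 1/l/i and 0/o and ignoring hyphens), checks whether a display name from the staff directory arrives from the wrong domain, and searches the subject and body for the urgency, secrecy, gift-card and "new bank" phrasing. The trusted domains, the directory entries and the vendor address in the invoice sample are assumptions; the three scam messages are the scenarios from this page.

```python
import re
from email.utils import parseaddr

# Assumed organisation data (hypothetical): domains we trust and a directory
# of the people who appear in the training scenarios.
KNOWN_DOMAINS = {"countyworks.gov", "cityofportland.gov", "pnwsupply.com"}
DIRECTORY = {"david mercer": "countyworks.gov", "maria santos": "cityofportland.gov"}

# Visually confusable characters collapse to one representative, so
# "c1ty" and "city" compare equal (both become "clty").
CONFUSABLES = str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o", "5": "s",
                             "3": "e", "7": "t", "4": "a", "9": "g"})

# Phrases the playbook lists as red flags; matched case-insensitively.
RED_FLAGS = {
    "urgency": r"\b(today|asap|urgent|right away|before (end|close) of (day|business))\b",
    "secrecy": r"\b(don'?t (mention|discuss|tell)|keep this between us|confidential)\b",
    "gift_cards": r"\bgift cards?\b",
    "new_bank": r"\b(new (routing|account|bank|wire)|bank(ing)?( partner)? has changed|update (your )?payment)\b",
    "payroll": r"\bdirect deposit\b",
}
FINANCIAL = {"gift_cards", "new_bank", "payroll"}


def canon(domain):
    """Comparison form: lower-case, confusables mapped, hyphens dropped,
    and 'rn' folded to 'm' because it renders almost identically."""
    return domain.lower().translate(CONFUSABLES).replace("-", "").replace("rn", "m")


def levenshtein(a, b):
    """Edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_findings(domain):
    """Explain why a sender domain is suspicious; empty list if trusted."""
    domain = domain.lower()
    if domain in KNOWN_DOMAINS:
        return []
    findings = ["sender domain is not on the trusted list"]
    c = canon(domain)
    for known in KNOWN_DOMAINS:
        k = canon(known)
        label = k.split(".")[0]  # e.g. "countyworks"
        if c == k:
            findings.append(f"look-alike of {known} (confusable characters or hyphens)")
        elif levenshtein(c, k) <= 2:
            findings.append(f"near-miss spelling of {known}")
        elif len(label) >= 6 and label in c.split(".")[0]:
            findings.append(f"reuses the '{known.split('.')[0]}' name under a different registration")
    return findings


def sender_findings(from_header):
    """Domain findings plus a directory check on the display name."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2]
    findings = domain_findings(domain)
    expected = DIRECTORY.get(name.strip().lower())
    if expected and domain.lower() != expected:
        findings.append(f"display name '{name}' belongs to {expected}, message came from {domain}")
    return findings


def content_flags(subject, body):
    text = f"{subject}\n{body}".lower()
    return [flag for flag, pattern in RED_FLAGS.items() if re.search(pattern, text)]


def triage(from_header, subject, body):
    sender = sender_findings(from_header)
    flags = content_flags(subject, body)
    financial = bool(FINANCIAL & set(flags))
    if financial and sender:
        verdict = "HOLD"    # financial ask from an unverified sender: call back first
    elif financial or sender:
        verdict = "REVIEW"  # a genuine address can still be a compromised account
    else:
        verdict = "OK"
    return {"verdict": verdict, "sender_findings": sender, "content_flags": flags}


# Constructed samples: the three scam emails from this page's scenarios
# (vendor address assumed) plus one routine internal message.
SAMPLES = {
    "gift_cards": ("David Mercer <d.mercer@countyworks-admin.com>", "Quick favor - confidential",
                   "I need you to pick up 5 Apple gift cards ($200 each). Please purchase them today. "
                   "Don't mention this to anyone - it's a surprise."),
    "payroll": ("Maria Santos <maria.santos@cityparks-dept.org>", "Direct deposit update - new bank",
                "I need to update my direct deposit information before the next pay cycle. "
                "New routing number: 021000021. Can you please update this before Friday?"),
    "invoice": ("Accounts <ar@pnw-supply-co.com>", "INV-2026-0847",
                "IMPORTANT: Our banking partner has changed. Please update your payment records "
                "with the new wire instructions below."),
    "routine": ("Jane Doe <jane.doe@countyworks.gov>", "Agenda for Monday",
                "Attached is the agenda for Monday's staff meeting."),
}

if __name__ == "__main__":
    for label, (frm, subj, body) in SAMPLES.items():
        print(label, triage(frm, subj, body))
```

The verdict only ranks what to verify first. A message from the genuine domain with a financial ask still returns REVIEW, because the real account may be compromised (the "Setup" stage above), and nothing here replaces the callback to a number already on file. The label-reuse check is limited to labels of six or more characters to avoid false positives on short names.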

If you already sent money or data

Act immediately—recovery is time-sensitive

  1. Contact your bank immediately and request a wire recall or payment hold
  2. Notify your IT department and management. The sender's account may be compromised, and so may yours: have IT check the affected mailboxes for unauthorized forwarding or inbox rules, which attackers commonly add to hide replies and follow-ups
  3. File a complaint with FBI IC3 at ic3.gov—this enables federal recovery efforts
  4. Preserve all emails related to the fraudulent request as evidence
  5. If employee data was shared, notify affected individuals and begin identity monitoring

Test Your Knowledge

Answer all 8 questions. You need at least 6 correct (75%) to pass.

1 What makes BEC different from regular phishing?

A. BEC emails always contain malware attachments
B. BEC is targeted, researched, and impersonates specific trusted people in your organization
C. BEC only targets large corporations
D. BEC emails are always sent from foreign email addresses

2 Your department director emails you asking to buy $500 in gift cards and send photos of the codes. What should you do?

A. Buy them quickly since the director asked
B. Reply to the email asking for more details
C. Call the director at their known phone number to verify before doing anything
D. Forward the email to a colleague to ask what they think

3 A vendor emails you saying their bank has changed and provides new wire instructions. How should you handle this?

A. Update the payment information since the email came from the vendor
B. Call the vendor at a number from your existing records to verify the change
C. Reply to the email asking them to confirm
D. Wait a week and see if they send another email

4 Which of these is a common red flag in a BEC email?

A. The email includes a standard company signature block
B. The email was sent during normal business hours
C. The email demands urgency and secrecy around a financial request
D. The email has correct spelling and grammar

5 An employee emails payroll asking to change their direct deposit. What is the safest procedure?

A. Process the change since the email came from their work address
B. Require an in-person visit with ID or use the official HR portal
C. Ask them to resend the request from a personal email to confirm
D. Process it and verify at the next pay period

6 You realize you just wired $18,000 to a fraudulent account. What should you do first?

A. Contact your bank immediately to request a wire recall
B. Email the scammer and demand the money back
C. Wait until Monday to notify management
D. Delete the email thread to prevent further damage

7 Why do BEC attackers often request gift cards instead of wire transfers?

A. Gift cards are easier for the victim to purchase
B. Gift cards are nearly untraceable and cannot be reversed once redeemed
C. Gift cards bypass antivirus software
D. Gift cards have higher value limits than wire transfers

8 What is the single best defense against BEC attacks?

A. Advanced email filtering software
B. Encrypting all outgoing emails
C. Verifying financial requests through a separate, trusted channel before acting
D. Requiring all emails to include a digital signature


Quick Reference Card

THE RULE: Verify any financial request through a channel you initiate. Call at a known number. Never rely on email alone for payments, routing changes, or sensitive data.
RED FLAGS: Urgency + secrecy + financial request = BEC. Gift card requests are always a scam. "Our bank has changed" in an invoice is almost always fraud.
CHECK THE DOMAIN: One letter can be the difference. county.gov vs county-gov.com or countyy.org. Always inspect the actual email address, not just the display name, and remember that a message from the correct domain can still come from a compromised account.
IF COMPROMISED: Contact your bank immediately for a wire recall. Notify IT and management. File a report at ic3.gov. Preserve all related emails.

Developed using threat intelligence from the FBI IC3, Proofpoint, Abnormal Security, Trustwave, and Fortra.

© 2026 Circle 6 Systems. All rights reserved.  |  contact@circle6systems.com