Business email compromise is the single most costly form of cybercrime. The FBI IC3 2025 Internet Crime Report documented $2.9 billion in BEC losses, making it the costliest attack category for the eighth consecutive year. Unlike mass phishing, which relies on volume, BEC attacks are targeted, well-researched, and designed to exploit trust relationships within organizations. A single successful BEC attack can result in losses of hundreds of thousands to tens of millions of dollars, and unlike ransomware, the funds are rarely recoverable once transferred. Despite these staggering losses, most organizations do not include BEC-specific scenarios in their phishing simulation programs.
What Are the Five Types of BEC Attacks?
The FBI classifies BEC attacks into five categories, each requiring different simulation approaches. CEO fraud involves impersonating an executive to request an urgent wire transfer, typically targeting finance team members during periods when the real executive is traveling or unavailable. Vendor impersonation involves compromising or spoofing a vendor's email account to request payment to a new bank account, often timed to coincide with real invoice cycles. Account compromise involves taking over an employee's email account and using it to request payments from contacts in the account's address book. Attorney impersonation involves posing as outside counsel handling confidential matters, exploiting the secrecy and urgency associated with legal proceedings. Data theft involves targeting HR or payroll to obtain employee W-2 forms, personal information, or payroll redirect requests.
How Do You Simulate BEC Scenarios Effectively?
BEC simulation requires more sophistication than standard phishing testing because the attack does not rely on malicious links or attachments. The payload is the social engineering itself: a convincing request from a trusted source. Design simulations for each BEC category. For CEO fraud, send a simulated email from an address that closely resembles the CEO's, requesting an urgent wire transfer to a new vendor, with specific dollar amounts and a plausible business reason. For vendor impersonation, create a simulated email from a known vendor requesting updated payment information. For data theft, simulate an email to HR requesting employee tax forms or payroll changes. Track whether employees follow established verification procedures (call to confirm, check with manager) or comply with the request without verification. The metric that matters is not whether they clicked a link, but whether they followed or bypassed your financial controls.
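The CEO-fraud scenario above hinges on a sender address that closely resembles the executive's real one. The following is an added example, not code from the original article, showing how a mail-security team can flag that pattern on inbound messages before a finance employee ever sees them: a display name that matches an executive but a mismatched address, a domain within a small edit distance of the corporate domain, or a Reply-To that diverts replies elsewhere. The corporate domain (example.com), the executive directory and the sample headers are all constructed assumptions for this example.

```python
"""Flag inbound mail whose sender resembles an executive's address but is not it.

Added example for this article, not the article's own tooling. The corporate
domain, executive directory and sample messages below are constructed.
"""
from email.utils import parseaddr

CORPORATE_DOMAIN = "example.com"                    # constructed assumption
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}   # constructed directory: display name -> real address
LOOKALIKE_MAX_DISTANCE = 2                          # how close a foreign domain must be to count as a lookalike


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character domain swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def assess_sender(headers: dict) -> list:
    """Return the list of reasons a message looks like executive impersonation.

    An empty list means none of the impersonation signals fired.
    """
    name, addr = parseaddr(headers.get("From", ""))
    _, reply = parseaddr(headers.get("Reply-To", ""))
    from_domain = domain_of(addr)
    reasons = []

    # 1. Display name belongs to an executive, but the address is not theirs.
    real = EXECUTIVES.get(name.strip())
    if real and addr.lower() != real:
        reasons.append("display name matches an executive but address does not")

    # 2. Sender domain is a near-miss of the corporate domain.
    if from_domain and from_domain != CORPORATE_DOMAIN \
            and edit_distance(from_domain, CORPORATE_DOMAIN) <= LOOKALIKE_MAX_DISTANCE:
        reasons.append(f"lookalike domain: {from_domain}")

    # 3. Replies would go to a different domain than the visible sender.
    if reply and domain_of(reply) != from_domain:
        reasons.append("Reply-To domain differs from From domain")

    return reasons


# Constructed sample headers, as a simulation program would log them.
GENUINE = {"From": "Jane Doe <jane.doe@example.com>"}
LOOKALIKE = {"From": "Jane Doe <jane.doe@examp1e.com>"}
DIVERTED = {"From": "Jane Doe <jane.doe@example.com>",
            "Reply-To": "jane.doe@mail-example.net"}

if __name__ == "__main__":
    for label, msg in (("genuine", GENUINE), ("lookalike", LOOKALIKE), ("diverted", DIVERTED)):
        print(label, assess_sender(msg) or "no findings")
```

In a simulation program the same function can be run over the simulated messages themselves to confirm that each scenario actually carries the signal the training is meant to teach, and over production mail flow to measure how often the gateway would have caught it before the employee had to.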
What Controls Should BEC Simulations Test?
BEC simulations should specifically test the effectiveness of your organization's financial controls and verification procedures. These include dual-authorization requirements for wire transfers above a defined threshold, callback verification procedures using known phone numbers (not numbers provided in the email), approval workflows for vendor payment information changes, segregation of duties between invoice approval and payment execution, and escalation procedures for urgent requests that claim to bypass normal approval chains. After each simulation, document which controls were followed and which were bypassed, and use this data to identify gaps in both employee awareness and process design. Often, BEC simulation reveals that controls exist on paper but are routinely circumvented in practice due to executive pressure or operational urgency.
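The controls listed above are easier to test, and easier to show as bypassed, when each one is written down as a checkable rule. The following is an added example (not from the original article) of a policy check that evaluates a payment request, such as one raised in response to a simulated CEO-fraud email, against those controls: dual authorization above a threshold, callback to the number on file rather than a number supplied in the email, an approval workflow for bank-detail changes, segregation of duties between approval and execution, and escalation of requests that claim to bypass the normal chain. The threshold, the vendor master record and both sample requests are constructed assumptions.

```python
"""Evaluate a payment request against BEC financial controls.

Added example for this article, not the article's own process tooling. The
threshold, vendor master file and sample requests are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional

DUAL_AUTH_THRESHOLD = 10_000  # constructed: payments above this need two approvers

# Constructed vendor master record: the account on file and the verified
# callback number that finance must dial (never a number taken from an email).
VENDOR_MASTER = {
    "Acme Supplies": {"account": "ACCT-111", "callback_phone": "+1-555-0100"},
}


@dataclass
class PaymentRequest:
    vendor: str
    amount: float
    destination_account: str
    approvers: List[str] = field(default_factory=list)
    executed_by: str = ""                    # person who would release the funds
    callback_number_used: Optional[str] = None  # number actually dialled to verify
    bank_change_approved: bool = False       # went through the vendor-change workflow
    bypass_claimed: bool = False             # request claims authority to skip approvals
    escalated: bool = False                  # such a claim was escalated per procedure


def evaluate(req: PaymentRequest) -> List[str]:
    """Return every control the request would bypass; empty means compliant."""
    violations = []

    if req.amount > DUAL_AUTH_THRESHOLD and len(set(req.approvers)) < 2:
        violations.append("dual authorization required above threshold")

    master = VENDOR_MASTER.get(req.vendor)
    if master is None:
        violations.append("vendor not in vendor master")
    elif req.destination_account != master["account"]:
        # A new destination account is a bank-detail change: it needs the change
        # workflow and a callback to the number already on file.
        if not req.bank_change_approved:
            violations.append("bank-detail change not approved via change workflow")
        if req.callback_number_used != master["callback_phone"]:
            violations.append("callback not made to the number on file")

    if req.executed_by in req.approvers:
        violations.append("segregation of duties: executor also approved")

    if req.bypass_claimed and not req.escalated:
        violations.append("bypass claim not escalated")

    return violations


# Constructed sample requests. The first follows procedure; the second is what a
# finance clerk acting on a simulated "urgent, confidential" CEO email might raise.
COMPLIANT = PaymentRequest(
    vendor="Acme Supplies", amount=25_000, destination_account="ACCT-111",
    approvers=["alice", "bob"], executed_by="carol",
)
SIMULATED_FRAUD = PaymentRequest(
    vendor="Acme Supplies", amount=48_500, destination_account="ACCT-999",
    approvers=["alice"], executed_by="alice",
    callback_number_used="+1-555-0199",   # number quoted in the email, not on file
    bank_change_approved=False, bypass_claimed=True, escalated=False,
)

if __name__ == "__main__":
    for label, req in (("compliant", COMPLIANT), ("simulated fraud", SIMULATED_FRAUD)):
        print(label, evaluate(req) or "all controls followed")
```

Recording the output of `evaluate` for every simulation response gives the per-control bypass data the paragraph above calls for, which distinguishes an employee who was fooled from a control that is simply not enforced in practice.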
How Do You Build Financial-Impact Awareness?
Employees who process financial transactions need to understand the real-world consequences of BEC. Training should include specific case studies of BEC losses in your industry, clear explanation of why wire transfers are rarely recoverable once sent, emphasis that legitimate executives will never object to verification procedures, and regular reinforcement that urgency and secrecy are the two biggest red flags for BEC. Position your BEC simulation program as protecting the organization's financial assets and the employees themselves, since employees who fall for BEC attacks often face disciplinary consequences even though the attack was sophisticated. For guidance on translating BEC risk into financial metrics for leadership, see our guide on calculating phishing risk in dollar terms.