Lesson 4.1

The Five Types of BEC

12 minutes

The FBI calls Business Email Compromise “The $55 Billion Scam” — that’s the cumulative global exposed losses since they started tracking it. In 2024 alone: $2.77 billion in reported losses from 21,442 incidents, according to the FBI’s Internet Crime Report. The average loss per incident: approximately $129,000.

$2.77B in reported BEC losses in 2024 alone. BEC accounted for 17% of all cybercrime losses despite being only the 7th most reported crime type. Most victims never recover their money.

BEC doesn’t make headlines the way ransomware does. There’s no dramatic system lockout, no leaked data published online. Instead, someone in accounting quietly wires money to the wrong account. Someone in HR redirects a paycheck. Someone buys gift cards because they think the CEO asked.

There are five distinct patterns. Learning to recognize them is your first line of defense.


Type 1: “The CEO Needs You” (gift card scam)

This is the most common BEC variant. It follows a predictable escalation:

Email (from what appears to be the CEO): “Hi, are you available? I need you to handle something for me. I’m in meetings all day and can’t take calls. Can you text me at this number?”

Text message (once you’ve moved to a personal channel): “Thanks for reaching out. I need 5 x $200 Apple gift cards for a client appreciation event. It’s time-sensitive — can you grab them today? Just send me photos of the backs. I’ll expense it for you.”

Follow-up text (after you hesitate): “I know this is unusual but I really need this handled before my next meeting. I appreciate you taking care of it.”

Why it works: Authority pressure combined with a channel change. You don’t want to say no to the CEO, and once you’re texting, the conversation is outside your company’s systems. Nobody else can see it, which means nobody can intervene.

The tell: Executives don’t buy gift cards through individual employees via text message. The move to a personal channel is the biggest red flag — it removes corporate visibility. And gift cards are essentially untraceable cash once the codes are sent.


Type 2: “We Changed Our Bank” (vendor invoice fraud)

In 2024, Johnson County Schools in Tennessee received an email purportedly from Pearson, their textbook publisher, requesting updated banking details for an existing contract. The invoice looked correct — right logo, right amounts, right project references. A finance employee processed it. Two wire transfers totaling $3.36 million in state education funds were sent to accounts controlled by scammers. Less than $750,000 was recovered.

The pattern: An email arrives from a vendor you actually work with, often in an existing email thread about a real project. The invoice looks perfect. Only the bank account number has changed — and changing bank accounts is a normal business occurrence.

Why it works: Everything is familiar. The thread is real, the people are real, the project is real, the amounts match. You’ve paid this vendor before. The human brain doesn’t flag a routine-looking update in a familiar context.

The tell: There may not be one visible in the email itself. If the vendor’s email account was compromised, the message comes from their real address and passes all authentication checks. This is why the defense must be procedural, not observational — you can’t spot your way out of this one.


Type 3: “Update My Direct Deposit” (payroll redirect)

The pattern: An email arrives in HR from an employee’s real email address, requesting a direct deposit change.

“Hi, I recently switched banks. Can you update my direct deposit to the new routing and account number below? I’d like it effective for the next pay period. Thanks!”

If the employee’s email account was compromised, this message passes every check. It comes from their verified address. The request is routine — people change banks. The next paycheck goes to the attacker.

Why it works: Direct deposit changes are a normal, routine HR request. They happen regularly and don’t trigger alarm bells.

The tell: There may not be one in the email. The defense is process: require changes through the HR portal (Workday, ADP) with identity verification, call the employee at their phone number on file, and hold the change for one pay cycle.


Type 4: “Thread Hijack” (conversation injection)

In June 2024, the Town of Arlington, Massachusetts, discovered that scammers had hijacked a legitimate email thread about a construction project. The attackers, operating from inside a compromised email account, waited for invoices to arrive and then replied within the real thread with updated wire transfer instructions. Four payments totaling approximately $500,000 were redirected before anyone noticed.

The pattern: The attacker compromises someone’s email account, reads ongoing conversations, identifies threads involving payments, and waits for the right moment. Then they reply within the thread — using the real account, referencing the real project, naming the right people, citing the correct amounts — with one change: updated payment details.

Why it works: This is the most convincing BEC type. The attacker has been reading the real conversation for days or weeks. They know the project name, the milestone amounts, the timing, the people involved. They’re replying inside a thread you’ve been participating in.

The tell: The only reliable defense is to verify any payment detail change through a separate channel. The email itself is indistinguishable from a legitimate update.
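Types 2, 3 and 4 share one defense: the email cannot be trusted, so the bank-detail change has to pass a procedure that does not depend on it. The following is an added example, not part of this lesson or any vendor's product, that models that procedure as code: the callback must go to the phone number already on file (never to a number supplied in the request), the payee must confirm, and the change is then held for one cycle before it takes effect. The record layout, the 14-day hold and the sample payee are constructed assumptions.

```python
"""Procedural control for bank-detail changes (vendor invoices, payroll redirects).

Added example: models the defense the lesson describes for Types 2, 3 and 4.
Record layout, HOLD_DAYS and sample data are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

HOLD_DAYS = 14  # constructed value: hold the change for one pay/payment cycle


@dataclass
class PayeeRecord:
    """What the organisation already knows about a payee, independent of any email."""
    payee_id: str
    phone_on_file: str
    bank_account: str


@dataclass
class ChangeRequest:
    """A request to change bank details, however it arrived (email, portal, phone)."""
    payee_id: str
    new_account: str
    received: date
    # Contact number supplied *inside the request*. Never used for verification.
    phone_in_request: Optional[str] = None
    # Filled in by the verifier after the separate-channel call.
    callback_number: Optional[str] = None
    callback_confirmed: Optional[bool] = None
    verified_by: Optional[str] = None


@dataclass
class Decision:
    outcome: str                        # "HOLD", "REJECT" or "APPLY"
    reasons: List[str] = field(default_factory=list)


def record_callback(req: ChangeRequest, dialled: str, confirmed: bool, verifier: str) -> None:
    """Log the outcome of the out-of-band call made by the verifier, not the requester."""
    req.callback_number = dialled
    req.callback_confirmed = confirmed
    req.verified_by = verifier


def evaluate(req: ChangeRequest, payee: PayeeRecord, today: date) -> Decision:
    """Apply the control: callback to the number on file, confirmation, then a hold period."""
    reasons: List[str] = []
    if req.payee_id != payee.payee_id:
        return Decision("REJECT", ["request does not match the payee record"])
    if req.new_account == payee.bank_account:
        return Decision("REJECT", ["new account equals the account on file; nothing to change"])

    # A contact number in the request that differs from the record is worth logging:
    # a compromised account or hijacked thread can hand you the attacker's phone.
    if req.phone_in_request and req.phone_in_request != payee.phone_on_file:
        reasons.append("request supplied a contact number that differs from the number on file")

    if req.callback_number is None:
        reasons.append("awaiting callback to the number on file")
        return Decision("HOLD", reasons)
    if req.callback_number != payee.phone_on_file:
        # Calling the number the message gave you verifies nothing: the requester answers.
        reasons.append("callback went to a number not on file; verification invalid")
        return Decision("REJECT", reasons)
    if not req.callback_confirmed:
        reasons.append("payee denied the change on callback")
        return Decision("REJECT", reasons)

    release = req.received + timedelta(days=HOLD_DAYS)
    if today < release:
        reasons.append(f"confirmed by {req.verified_by}; held until {release.isoformat()}")
        return Decision("HOLD", reasons)
    reasons.append(f"confirmed by {req.verified_by}; hold period elapsed")
    return Decision("APPLY", reasons)


# Constructed scenarios ---------------------------------------------------------
EMPLOYEE = PayeeRecord("emp-0042", "+1-555-0100", "111222333")  # constructed record
RECEIVED = date(2024, 6, 3)


def payroll_redirect_scenario() -> str:
    """Type 3 pattern: mail from the employee's real address, new account, new 'call me' number."""
    req = ChangeRequest("emp-0042", "999888777", RECEIVED, phone_in_request="+1-555-0199")
    # HR calls the number on file; the real employee says they never asked.
    record_callback(req, dialled=EMPLOYEE.phone_on_file, confirmed=False, verifier="hr.analyst")
    return evaluate(req, EMPLOYEE, RECEIVED).outcome


def wrong_number_scenario() -> str:
    """Verifier dials the number given in the message; the 'confirmation' is worthless."""
    req = ChangeRequest("emp-0042", "999888777", RECEIVED, phone_in_request="+1-555-0199")
    record_callback(req, dialled="+1-555-0199", confirmed=True, verifier="hr.analyst")
    return evaluate(req, EMPLOYEE, RECEIVED).outcome


def legitimate_scenario(days_after: int) -> str:
    """Genuine bank switch: confirmed on the number on file, then held one cycle."""
    req = ChangeRequest("emp-0042", "444555666", RECEIVED)
    record_callback(req, dialled=EMPLOYEE.phone_on_file, confirmed=True, verifier="hr.analyst")
    return evaluate(req, EMPLOYEE, RECEIVED + timedelta(days=days_after)).outcome


if __name__ == "__main__":
    print(payroll_redirect_scenario())  # REJECT
    print(wrong_number_scenario())      # REJECT
    print(legitimate_scenario(7))       # HOLD
    print(legitimate_scenario(14))      # APPLY
```

The point of the design is that nothing in the email influences the decision except the account number being requested: the phone number comes from the record, the verifier is a different person from the requester, and even a confirmed change waits out the hold so a fraudulent one can still be reversed when the real payee notices.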


Type 5: “Text Me Instead” (dual-channel)

The pattern: The attack starts on email to establish authority — “I’m the CEO,” “I’m the CFO,” “I’m a board member.” Then it immediately moves the conversation to a personal channel: text, WhatsApp, Signal, personal email.

Email: “I need to discuss something confidential with you. Can you text me at [personal number]? Don’t mention this to anyone yet.”

Why it works: The personal channel provides zero corporate monitoring. No audit trail, no security tools, no ability for anyone to see or intervene. The “don’t mention this” instruction isolates the target further.

The tell: There is almost no legitimate reason for a senior leader to ask you to text their personal phone for a financial transaction. The request to change channels IS the attack. The secrecy instruction IS the attack. If the request were legitimate, it could happen through normal business channels.
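Types 1 and 5 differ from the bank-change variants in that the lure is visible in the message text: the move to a personal channel, the gift cards, the secrecy, the time pressure. The following is an added example, not from this lesson, of a triage heuristic that a mail team could run over inbound messages to warn recipients. It assumes that "appears to be the CEO" is produced by borrowing an executive's display name on an external address, which is one common way the impersonation is done; the internal domain, executive roster, scoring weights and sample messages are all constructed.

```python
"""Added example: triage heuristic for the Type 1 / Type 5 lures described in the lesson.

Assumes impersonation via a borrowed display name on an external address.
Domain, roster, weights and sample messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List

INTERNAL_DOMAIN = "example.com"                                  # constructed
EXECUTIVES = {"dana whitfield": "CEO", "marcus lee": "CFO"}      # constructed roster
IMPERSONATION_WEIGHT = 2  # a header mismatch alone explains the "appears to be" part

# Lure phrases taken from the lesson's sample messages; both straight and curly apostrophes match.
LURES = {
    "moves conversation to a personal channel":
        re.compile(r"text me|whatsapp|signal|personal (?:cell|phone|number|email)|can[’']t take calls", re.I),
    "requests gift cards":
        re.compile(r"gift ?cards?", re.I),
    "demands secrecy":
        re.compile(r"don[’']t (?:mention|tell)|keep this (?:between us|quiet|confidential)", re.I),
    "applies time pressure":
        re.compile(r"time[- ]sensitive|before my next meeting|right away|urgent", re.I),
}


def assess(raw_message: str) -> Dict[str, object]:
    """Score one RFC 822 message and return the sender, the flags raised and a verdict."""
    msg = message_from_string(raw_message)
    display_name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    body = msg.get_payload() if not msg.is_multipart() else ""
    flags: List[str] = []
    score = 0

    # Executive name on a non-corporate address: the sender only *appears* to be the executive.
    role = EXECUTIVES.get(display_name.strip().lower())
    if role and domain != INTERNAL_DOMAIN:
        flags.append(f"display name matches the {role} but sender domain is '{domain or 'missing'}'")
        score += IMPERSONATION_WEIGHT

    for label, pattern in LURES.items():
        if pattern.search(body):
            flags.append(label)
            score += 1

    if score >= 3:
        verdict = "hold for manual review"
    elif score >= 1:
        verdict = "warn recipient"
    else:
        verdict = "deliver"
    return {"from": addr, "domain": domain, "flags": flags, "score": score, "verdict": verdict}


# Constructed messages modelled on the lesson's Type 1 and Type 5 openers ----------
EXECUTIVE_LURE = """From: Dana Whitfield <dana.whitfield@ceo-office.example.net>
To: assistant@example.com
Subject: Are you available?

Hi, are you available? I need you to handle something for me. I'm in meetings
all day and can't take calls. Can you text me at this number? It's time-sensitive.
"""

# Sent from the executive's real address (the compromised-account case the lesson
# warns about): the header check cannot fire, but the lure text still does.
CHANNEL_CHANGE_LURE = """From: Marcus Lee <marcus.lee@example.com>
To: controller@example.com
Subject: Confidential

I need to discuss something confidential with you. Can you text me at my personal number?
Don't mention this to anyone yet.
"""

ROUTINE_MAIL = """From: Dana Whitfield <dana.whitfield@example.com>
To: assistant@example.com
Subject: Board deck

Could you send me the latest version of the board deck when you have a moment? Thanks.
"""

if __name__ == "__main__":
    for sample in (EXECUTIVE_LURE, CHANNEL_CHANGE_LURE, ROUTINE_MAIL):
        result = assess(sample)
        print(result["verdict"], result["flags"])
```

Two things to notice. The second sample comes from the real internal address, so the display-name check is silent; only the channel-change and secrecy phrases raise it to a warning, which is exactly the lesson's point that the email itself may carry no technical tell. And the heuristic only warns or holds: the human still has to do the verification through a normal business channel.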

The Rule: BEC has no links, no malware, no typos. It’s just a convincing request from someone you trust.