Business Email Compromise: How It Works and How to Stop It
Imagine receiving an email from your CEO asking you to urgently wire $47,000 to a new supplier. The email address looks right, the tone sounds like them, and they mention a project you’re actively working on. You process the transfer — and then find out your CEO never sent that message. By the time you realise what happened, the money is gone.
This is business email compromise (BEC), and it is one of the most financially damaging cybercrimes targeting Canadian businesses today. In 2025 alone, the FBI’s Internet Crime Complaint Centre recorded over $3 billion in verified losses from BEC — and that figure captures only reported incidents. Across Canada, the Canadian Anti-Fraud Centre has tracked hundreds of millions in losses, with small and mid-sized businesses in Ontario accounting for a significant share.
What Is Business Email Compromise?
Business email compromise is a targeted scam in which attackers impersonate a trusted person — your CEO, a supplier, a lawyer, or a colleague — and manipulate someone in your organisation into transferring money or sharing sensitive information. Unlike mass phishing attacks that blast out thousands of generic emails, BEC is highly personalised. Attackers research your business, learn names and job titles, understand ongoing projects, and craft convincing emails that feel completely routine.
There are several common variations. In CEO fraud, attackers impersonate an executive and pressure a finance employee to make an urgent payment. In vendor impersonation, they compromise or spoof a supplier’s email and send updated banking details for legitimate invoices. In payroll diversion, they pose as an employee and ask HR to update their direct deposit information. Each variation exploits trust and urgency — the two ingredients most likely to bypass careful thinking.
By mid-2024, an estimated 40% of BEC phishing emails were AI-generated, meaning attackers can now produce highly polished, grammatically perfect messages at scale. The days of catching fraud by spotting broken English are largely over.
Why Ontario Small Businesses Are Prime Targets
It is tempting to think that sophisticated email fraud only goes after large enterprises with millions sitting in the bank. The reality is the opposite. Organisations with fewer than 1,000 employees face a 70% weekly probability of experiencing at least one BEC attempt. Small businesses in the GTA are attractive targets for several reasons.
First, smaller teams mean shorter approval chains. A request to process an urgent payment often only needs one person to say yes. Second, many Ontario SMBs lack the formal financial controls — dual-approval requirements, out-of-band verification procedures — that make BEC harder to pull off in larger organisations. Third, smaller IT teams mean less monitoring and slower detection. Attackers know they have more time to operate undetected.
There is also a supply chain dimension. A 2024 breach of a major Canadian managed services platform affected over 1,200 small businesses across Ontario and Quebec in a single incident. When a trusted vendor’s email account is compromised, the fraudulent invoice that arrives looks indistinguishable from a legitimate one.
How Attackers Pull It Off
Understanding the mechanics makes it easier to defend against. Most BEC campaigns begin weeks before any fraudulent email is sent. Attackers harvest information from LinkedIn, your company website, press releases, and social media. They learn who handles payments, who the executives are, and what projects are in flight.
In many cases, they gain access to a real email account — either yours or a supplier’s — through a phishing attack or compromised credentials. Once inside, they read email history, learn communication patterns, and sometimes forward copies of all incoming mail to themselves. Then they either send from the compromised account directly, or register a spoofed domain that looks nearly identical (think wiseteach.ca instead of wisetech.ca).
The fraudulent request is timed carefully: sent on a Friday afternoon, before a holiday, or while a key approver is known to be travelling. Urgency is manufactured (“the deal closes today”), authority is invoked (“the CEO needs this done immediately”), and secrecy is requested (“please keep this confidential until the deal is announced”). These pressure tactics are deliberate — they are designed to short-circuit your normal verification instincts.
The Warning Signs to Recognise
Even well-crafted BEC emails leave clues when you know what to look for. Urgent requests for wire transfers or changes to banking information should always trigger scepticism, regardless of who appears to be asking. Pay close attention to the actual reply-to address, not just the display name — these frequently differ in spoofed emails.
Requests that bypass normal process are a major red flag. If your CEO has never contacted you directly about a wire transfer before, why are they doing it now? Legitimate executives rarely ask employees to skip normal approval steps or keep financial transactions secret from finance teams.
Grammar and formatting can still sometimes signal a problem, though AI has eroded this as a reliable filter. More telling are slight changes in tone, unusual urgency in someone who is normally measured, or requests referencing details that feel slightly off. Trust your instincts — if something feels wrong, it probably is.
How to Protect Your Business
The single most effective control against BEC is a simple one: verbal verification. Any request to transfer funds, change banking information, or redirect payroll should be confirmed by phone using a number you already have on file — not a number provided in the suspicious email. This one step would prevent the vast majority of successful BEC attacks.
Beyond that, multi-factor authentication (MFA) on all email accounts is non-negotiable. If an attacker cannot access your CEO’s inbox even with the stolen password, they lose one of their most powerful tools. Microsoft 365 and Google Workspace both support MFA, and it takes less than an hour to enable for your entire organisation.
Email filtering and anti-spoofing protocols — specifically DMARC, DKIM, and SPF records on your domain — make it significantly harder for attackers to impersonate your email addresses. Many Ontario businesses have never configured these settings. A managed IT provider can audit your current configuration and close these gaps.
Financial controls matter too. Implement a dual-approval requirement for any wire transfer above a defined threshold. Establish a written policy that banking changes from vendors must be confirmed via phone before the first payment to the new account is processed. These are not burdensome procedures — they are the same controls a bank would recommend.
Staff training is the final piece. Your team needs to understand what BEC looks like and feel empowered to pause and verify rather than acting under pressure. Regular cybersecurity awareness training and simulated phishing exercises build the muscle memory to catch these attacks before they succeed.
If You Have Already Been Targeted
If you suspect a BEC attack has occurred, speed is critical. Contact your bank immediately — financial institutions can sometimes reverse fraudulent wire transfers if caught within 72 hours. Report the incident to the Canadian Anti-Fraud Centre (1-888-495-8501) and your local police. Document everything: the original emails, transfer records, and any communication with the attacker.
Do not assume the incident is over once the money moves. Attackers who successfully compromise an email account often maintain persistent access for months. Have your IT team or a cybersecurity specialist conduct a thorough review of your email environment to ensure the intrusion is fully contained.
BEC is not going away — attacks grew 15% in 2025, and AI-assisted campaigns will only make them harder to detect. The businesses that protect themselves are the ones that combine the right technical controls with clear policies and an informed team. If you are not sure where your organisation stands, a free IT assessment is a practical place to start.
Related Posts
Published by WiseTech Team
May 16, 2026
Have Questions About Your Business IT?
Book a free assessment with WiseTech — personalised advice for your Mississauga business, no obligation.
Book Your Free Assessment