Blog · May 21, 2026

Business Email Compromise: How BEC Works and How to Stop It

Business Email Compromise is the costliest form of financial fraud in the world. Here's how each attack type works, why it's so hard to detect, and how Didit's email verification, identity checks, KYB, and transaction monitoring c

By Didit

An email arrives from the CEO: urgent wire transfer, new bank account, do not discuss with anyone. The address looks right, the tone matches, the request isn't odd enough to question. Two days later the money is gone — and the CEO never sent that message.

Business Email Compromise (BEC) is one of the highest-yield fraud categories targeting organizations. No malware, no exploit — just a convincing email and a process that moves faster than anyone stops to verify. This post covers how each major BEC variant works, why it's effective, and where identity infrastructure stops it.

Key takeaways

  • BEC is social-engineering fraud: attackers impersonate or compromise a trusted email identity to redirect money or data.
  • The four main variants — CEO fraud, vendor/invoice fraud, payroll diversion, and account compromise — share one mechanism: they abuse an established trust relationship to bypass normal controls.
  • The attack succeeds when there's no second signal to verify the request. Email alone is not enough.
  • Didit closes the gaps with Email Verification ($0.03) to catch suspicious sender addresses, identity checks and KYB to authenticate payees and vendors before they're paid, and Transaction Monitoring to flag anomalous payments in real time.
  • The cost of a single missed BEC payment dwarfs the cost of every check combined.

What is Business Email Compromise?

BEC is fraud in which an attacker uses a legitimate-looking email — by spoofing an address, registering a lookalike domain, or taking over a real account — to deceive an employee into transferring money, changing payment details, or disclosing credentials.

The defining feature is that it doesn't attack systems; it attacks people and processes. There's no payload to scan, no signature to match. A well-crafted BEC email passes every spam filter because, to the filter, it is a normal email.

The main attack types

CEO fraud (executive impersonation)

The attacker impersonates a senior executive — CEO, CFO, general counsel — and emails finance with an urgent, confidential request to wire funds to a new account. The urgency and secrecy are deliberate: they stop the target from running the request past anyone. The sender is usually a lookalike domain (company-corp.com instead of company.com) or a compromised genuine account, and the content is often researched from the target's name and the executive's schedule.

Vendor and invoice fraud

The attacker impersonates a known supplier and tells accounts payable that the vendor's bank account has changed, redirecting the next payment to the new account. It's effective because changing bank details is a routine event, not an unusual request. The fraud surfaces only when the real vendor chases the overdue invoice.

Payroll diversion

The attacker impersonates an employee and asks HR or payroll to change their direct-deposit details before the next run. The target is the internal payroll processor, so the transaction looks legitimate until the employee reports a missing salary.

Account compromise (ATO-enabled BEC)

Here the attacker doesn't spoof — they own. A real account (often finance or procurement) is taken over via credential phishing or stuffing, and BEC requests come from the genuine address. This is the hardest variant to catch, because every authentication signal says the sender is legitimate.

Why BEC is so costly

Wire transfers are often irreversible once the short recall window has passed, so by the time the legitimate party follows up the money has moved on. Trust is pre-established — the request comes from your CEO, supplier, or employee, so verification feels unnecessary. Urgency and confidentiality suppress the controls that would catch it, and lookalike domains cost a few dollars to register. With a plausible display name, most recipients never look past it.

How Didit helps

BEC exploits gaps in identity verification at three points in the payment chain: when a vendor is onboarded, when payee details change, and when a transaction executes. Didit's modules address all three.

Email Verification — catch suspicious senders before trust is extended

Didit's Email Verification module ($0.03 per check) runs OTP send-and-check plus a risk-signal layer in under two seconds. For BEC, the risk signals matter most:

  • Breach exposure — the address appears in known data breaches, suggesting it may be compromised or harvested
  • Disposable-provider detection — a temporary or throwaway domain, consistent with an account created for the attack
  • Deliverability — the address doesn't accept email, so the "vendor" can send but never receive replies
  • Domain reputation — the domain is new, flagged, or shows lookalike characteristics

Warning codes returned: BREACHED_EMAIL, DISPOSABLE_EMAIL, UNDELIVERABLE_EMAIL, DUPLICATED_EMAIL. You configure whether each triggers approve, review, or decline in the Business Console. For vendor or payee onboarding, setting DISPOSABLE_EMAIL and UNDELIVERABLE_EMAIL to force-review is a low-effort, high-signal catch. Run it when onboarding a vendor, registering a payee, or processing a banking-detail change — not just at signup.
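The gate described above, written out as an added example (this is not Didit's code or SDK). The four warning codes are the ones the post lists; the approve/review/decline policy, the function names (`evaluate_payee_email`, `lookalike_of`), the homoglyph table and the local lookalike heuristic that complements a domain-reputation signal are all assumptions chosen for illustration, and the known-vendor domain list is constructed.

```python
"""Payee-email gate for vendor onboarding and banking-detail changes.

Added example, not Didit's code. The warning codes BREACHED_EMAIL,
DISPOSABLE_EMAIL, UNDELIVERABLE_EMAIL and DUPLICATED_EMAIL are the ones
the post lists; the approve/review/decline policy and the local lookalike
heuristic are assumptions chosen for illustration.
"""

# Example policy: any of these returned warning codes forces human review
# before a payee is created or a bank account is changed.
REVIEW_ON = {"BREACHED_EMAIL", "DISPOSABLE_EMAIL", "UNDELIVERABLE_EMAIL", "DUPLICATED_EMAIL"}

# A lookalike domain whose address cannot receive replies, or that sits on a
# throwaway provider, is the profile the post describes; this policy declines it.
DECLINE_WITH_LOOKALIKE = {"UNDELIVERABLE_EMAIL", "DISPOSABLE_EMAIL"}

# Digit-for-letter substitutions seen in lookalike domains (constructed list).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def registrable_label(domain):
    """Label left of the public suffix, lower-cased ('company' for company.com).

    Assumption: a one-label suffix; co.uk-style suffixes need a public-suffix list.
    """
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def normalize(label):
    """Collapse common visual tricks: digits for letters, 'rn' for 'm', 'vv' for 'w'."""
    return label.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance by the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, known_domains):
    """Return the known vendor domain that `domain` imitates, or None."""
    domain = domain.lower().rstrip(".")
    known_domains = {k.lower() for k in known_domains}
    if domain in known_domains:
        return None
    label = registrable_label(domain)
    for known in known_domains:
        klabel = registrable_label(known)
        if label == klabel:                      # same name, different suffix
            return known
        if klabel in label.split("-"):           # company-corp.com, secure-company.com
            return known
        if normalize(label) == klabel:           # c0mpany.com, cornpany.com
            return known
        budget = 2 if len(klabel) >= 6 else 1    # typo-squats such as compny.com
        if edit_distance(label, klabel) <= budget:
            return known
    return None


def evaluate_payee_email(email, warnings, known_vendor_domains):
    """Return (decision, reasons) for a payee address and its returned warning codes."""
    if email.count("@") != 1:
        return "decline", ["malformed address"]
    domain = email.rsplit("@", 1)[1]
    reasons = []
    imitated = lookalike_of(domain, known_vendor_domains)
    if imitated:
        reasons.append(f"{domain} resembles known vendor domain {imitated}")
    reasons += [f"warning {w}" for w in warnings if w in REVIEW_ON]
    if imitated and DECLINE_WITH_LOOKALIKE.intersection(warnings):
        return "decline", reasons
    return ("review" if reasons else "approve"), reasons
```

Run the gate on every vendor-onboarding, payee-registration and banking-detail-change request, not only at signup, and keep `known_vendor_domains` fed from the vendor master so that the lookalike check compares against the suppliers you actually pay.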

Identity verification — confirm the requester is who they claim to be

For payroll diversion and internal account-change requests, a verification session adds an irrefutable second signal: requiring a short identity check confirms the person at the keyboard is the enrolled employee.

The KYC core flow (ID Verification + Passive Liveness + Face Match 1:1 + IP/Device Analysis) runs at $0.33 per session. Didit's SDKs cover Web, iOS, Android, React Native, and Flutter, so you can embed it in your HR or payroll portal with a single API call and read the result via webhook or the decision endpoint. The device signal helps too: if the session runs from a device or IP never associated with that employee, DUPLICATED_DEVICE_FINGERPRINT or EXPECTED_IP_ADDRESS_MISMATCH will fire.

Business Verification (KYB) — validate vendors before the first payment

Vendor invoice fraud works because new suppliers are sometimes onboarded on trust — an email, a signed PDF, a phone call. Business Verification (KYB, from $2.00) closes that gap with a programmatic chain:

  • Registry lookup — confirms the company exists and is active in its jurisdiction
  • UBO extraction and officer data — surfaces who actually controls the entity
  • Entity AML screening — checks the business and principals against 1,300+ sanctions, PEP, and adverse-media lists
  • Linked KYC sessions — each UBO can be pushed through a full individual identity check, closing the loop between entity and human

A vendor with a newly registered company, an undeliverable email, and no registry presence is exactly the profile BEC operators create. KYB surfaces that before the first invoice is paid.

Transaction Monitoring — flag anomalous payments in real time

Even with strong onboarding controls, BEC can hijack an existing relationship: an attacker who compromises a real vendor's email requests a banking-detail change on a real account. The vendor is real, the invoice is real — only the destination has changed.

Transaction Monitoring ($0.02 per transaction) catches the behavioral anomaly: a payment to an account the vendor has never used, an amount outside its historical range, or a sudden change in frequency. The rule engine ships 11 seeded bundles covering velocity, amount, counterparty, and geography, and you can layer custom rules on top. Matches enter case management for human review, and an AWAITING_USER auto-remediation loop can gate lower-risk payments on the originating user completing an identity re-verification before they proceed.
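The three behavioural anomalies named above, carried through as an added example (not Didit's rule engine or its seeded bundles). The vendor payment ledger, the thresholds, and the function names `evaluate_payment` and `route` are constructed assumptions; the logic is a minimal counterparty, amount and velocity rule set of the kind a finance-operations team would run before an outbound wire executes.

```python
"""Counterparty, amount and velocity rules for outbound vendor payments.

Added example, not Didit's rule engine. It implements the three anomalies
the post names: a destination account the vendor has never been paid to,
an amount outside the vendor's historical range, and a sudden change in
payment frequency. The ledger below and all thresholds are constructed.
"""
from datetime import date
from statistics import mean, pstdev

# Constructed history: one monthly invoice from a single vendor, always to
# the same account, with amounts clustered around 12,000.
HISTORY = [
    (date(2026, month, 5), "Acme Supplies", "GB-ACME-001", amount)
    for month, amount in zip(range(1, 7), (11800, 12150, 11950, 12300, 12050, 12100))
]

AMOUNT_MAX_FACTOR = 1.5   # flag anything 50% above the largest prior payment ...
AMOUNT_ZSCORE = 3.0       # ... or more than 3 standard deviations from the mean
VELOCITY_FRACTION = 0.25  # flag a payment arriving in under a quarter of the usual gap
MIN_BASELINE = 3          # prior payments needed before amount/velocity rules apply


def _as_date(value):
    return date.fromisoformat(value) if isinstance(value, str) else value


def evaluate_payment(history, payment):
    """Return the list of rule names a proposed payment triggers (empty = clean).

    payment is (date or ISO string, vendor, destination account, amount).
    """
    when, vendor, account, amount = payment
    when = _as_date(when)
    prior = sorted((p for p in history if p[1] == vendor), key=lambda p: p[0])
    if not prior:
        return ["first_payment_to_vendor"]

    alerts = []
    # Counterparty rule: a destination this vendor has never been paid to is
    # the signature of a hijacked banking-detail change.
    if account not in {p[2] for p in prior}:
        alerts.append("new_counterparty_account")

    # Amount rule: compare against the vendor's own history, not a global cap.
    amounts = [p[3] for p in prior]
    if len(amounts) >= MIN_BASELINE:
        mu, sigma = mean(amounts), pstdev(amounts)
        too_large = amount > max(amounts) * AMOUNT_MAX_FACTOR
        outlier = sigma > 0 and abs(amount - mu) / sigma > AMOUNT_ZSCORE
        if too_large or outlier:
            alerts.append("amount_outside_history")

    # Velocity rule: a second invoice long before the usual cadence.
    dates = [p[0] for p in prior]
    if len(dates) >= MIN_BASELINE:
        gaps = [(later - earlier).days for earlier, later in zip(dates, dates[1:])]
        typical_gap = mean(gaps)
        if (when - dates[-1]).days < typical_gap * VELOCITY_FRACTION:
            alerts.append("frequency_spike")
    return alerts


def route(alerts):
    """Hold anything with an alert for a reviewer; clean payments execute."""
    return "hold_for_review" if alerts else "execute"


if __name__ == "__main__":
    for proposed in [
        ("2026-07-06", "Acme Supplies", "GB-ACME-001", 12200),  # routine
        ("2026-07-06", "Acme Supplies", "LT-NEW-777", 12200),   # redirected account
        ("2026-07-06", "Acme Supplies", "GB-ACME-001", 48000),  # inflated invoice
        ("2026-06-08", "Acme Supplies", "GB-ACME-001", 12000),  # second payment in 3 days
    ]:
        hits = evaluate_payment(HISTORY, proposed)
        print(proposed[1:], hits, route(hits))
```

The redirected-account case is the one that matters most for BEC: the vendor, the invoice and the amount all look normal, and only the per-vendor counterparty baseline reveals the change. Amount and velocity thresholds are deliberately relative to each vendor's own history so that a large but habitual supplier is not flagged on every payment.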

Use cases

Accounts payable — vendor onboarding and banking-detail changes

Run Email Verification + KYB when adding a new vendor or changing payment details. A disposable domain or registry miss stops the fraudulent vendor before any payment.

HR and payroll — employee payroll-account changes

Require a KYC step whenever an employee changes direct-deposit details. Biometric + liveness confirms the employee is present; device and IP signals confirm the session originates from a known context.

Finance operations — outbound wire monitoring

Run Transaction Monitoring on outbound flows. Flag first-time counterparties, payments above historical thresholds, and accounts added recently, and route them to a reviewer before execution.

Platform and marketplace payouts

If your product disburses funds to businesses or freelancers, BEC-style fraud is a platform-level risk. KYB on business payees and Email Verification at signup are baseline controls.

How to integrate with Didit

All checks run inside a Didit verification session. Create a session with the workflow that includes the modules you need (Email Verification, KYC, KYB, Transaction Monitoring), then read the decision via webhook or the decision endpoint.

# 1. Create a session with the workflow that contains the modules you need
curl -X POST 'https://verification.didit.me/v3/session/' \
  -H 'x-api-key: YOUR_API_KEY' \
  -H 'Content-Type: application/json' \
  -d '{
    "workflow_id": "YOUR_WORKFLOW_ID",
    "vendor_data": "vendor-onboarding-456",
    "callback": "https://yourapp.com/webhook"
  }'

# 2. Read the decision once the session completes (or consume the webhook)
curl 'https://verification.didit.me/v3/session/{sessionId}/decision/' \
  -H 'x-api-key: YOUR_API_KEY'

Full reference: Email Verification · KYB · Transaction Monitoring · data models.

Frequently asked questions

What makes BEC different from ordinary phishing?

Phishing typically steals credentials by tricking a user into entering them somewhere. BEC skips that step — it uses a trusted-looking email to manipulate the target into wiring money or changing bank details directly. No credentials need to be stolen; the attack succeeds if the target simply complies.

How does Email Verification help if the attacker uses a real account they've compromised?

For account-compromise variants, the breach-exposure signal is most relevant: if the address appears in known breach datasets, that's an indicator the account may have been taken over. Deliverability and domain-reputation signals help with lookalike domains. Account compromise is the hardest variant to catch on the address alone — which is why pairing email checks with behavioral transaction monitoring matters.

At what point should KYB be required for a new vendor?

Before the first payment. The cost of running KYB (from $2.00 per entity) is negligible relative to a fraudulent wire. At minimum, trigger KYB whenever a new payee is added or existing payee banking details change.

Does Didit cover businesses outside the EU and US?

Yes. Business Verification covers registries across 220+ countries and territories, AML screening covers 1,300+ global lists, and Transaction Monitoring handles fiat and crypto. Didit is the only identity provider formally attested by an EU member-state government (Spain's Tesoro / Banco de España / SEPBLAC) as safer than in-person verification.

Ready to get started?

BEC is a process problem as much as a technology one — but the right technology makes the process controls viable at scale. Didit's email verification, identity checks, KYB, and transaction monitoring compose into the exact workflow your onboarding and payment flows require.
