← Blog

Business email compromise: how one fake email reroutes a real payment

Tenant Strike4 min read

Business email compromise doesn't need malware or movie-style hacking. It just needs a believable email at the right moment — and it's targeting small businesses more than any other size.

Imagine your accounts-payable person gets an email from a supplier you've worked with for years. The name is right, the thread looks familiar, the tone is normal. The email says: "We've updated our banking details — please use the new account for this month's payment."

The payment goes out. Two weeks later the real supplier asks where the money is. It's gone.

That's business email compromise, or BEC. No malware, no ransomware, no movie-style hacking. Just a well-timed email and a wire transfer.

How it works

The attack comes in two main forms, and both work because they look legitimate.

In the first, an attacker gets access to a real email account — usually through a phished password or a reused one found in a data breach. They don't announce themselves. They watch. They read emails, learn the payment workflows, identify who approves transfers and who processes them, and wait for the right invoice or vendor conversation. Then they step in at exactly the right moment with updated bank details.

In the second form, the attacker doesn't need to break in at all. They register a look-alike domain — something like acme-corp.co instead of acme-corp.com — and send the fraudulent email from there. The display name shows up correctly in most email clients. The sender address is wrong by one character, easy to miss.

What makes both versions dangerous is that no antivirus catches it. There's no malicious file, no suspicious link. It's just a normal-looking email asking you to do something you'd do anyway.

Who gets targeted

In a small business, the list is short: the owner, the person who handles accounts payable, and whoever has signing authority on the bank. Often that's one or two people.

Attackers know this. A 20-person business is in some ways a simpler target than a large company. There's no multi-layer approval process, no dedicated finance fraud team, no internal control that requires two people to authorize a new payee. The owner says go, and it goes.

The amounts vary — sometimes a few thousand, sometimes the entire wire — but the FBI consistently reports BEC as one of the highest-dollar cybercrime categories, and small businesses make up a significant share of victims.

What actually stops it

A few practical defenses matter here. None of them require a security team.

Verify bank-detail changes by phone. When any supplier, contractor, or internal person says payment details have changed, call them back on a number you already have on file — not a number included in the email. This one habit stops the attack most of the time.

Turn on MFA for every mailbox. If an attacker can't log in and read your email, the silent-watcher version of BEC never gets started. Multi-factor authentication — the code-or-app prompt after a password — is the main thing that stops unauthorized mailbox access.

Flag external senders. Microsoft 365 can add a small banner to emails coming from outside your organization. It won't catch the look-alike domain every time, but it prompts people to slow down before acting.

Check for forwarding rules. When an attacker does get into a mailbox, they often set up a quiet rule that copies every incoming email to an external address — so they keep seeing your conversations even after a password reset. These rules are easy to miss and worth checking periodically.

Brief your team on the pattern. The person most likely to see the fraudulent email is the one handling payments. They should know: changed bank details always get a voice call before the payment goes anywhere.

The thing to take away

BEC succeeds because it exploits process, not technology. Fixing it is mostly a matter of one clear rule — call to verify before you pay a new account — and keeping the underlying email accounts secure.

An attacker sitting in a mailbox, watching your invoice threads, is harder to spot than a virus. Tenant Strike checks your Microsoft 365 in read-only mode for the signs: unexpected forwarding rules, accounts without MFA, and related settings that make silent access easier. A five-minute scan won't replace the phone-call rule, but it tells you whether the mailboxes themselves are locked down.

AI-researched from public sources. We label AI-assisted writing — see our trust page.

See your own risk

Want this for your own Microsoft cloud?

Tenant Strike runs 100+ read-only checks across Microsoft 365 and Azure and hands you a plain-English fix for every gap. Start a 7-day Pro trial — no credit card.