Business Email Compromise (BEC) is not a sophisticated, technical attack. There's no malware, no hacking, no system breach. It's a con — and that's exactly what makes it so effective.
In a typical BEC scam, an attacker impersonates a trusted contact — your CEO, a supplier, a lawyer handling a deal — and convinces someone in your business to transfer money to a fraudulent account. It's social engineering at its most effective — a close cousin of the phishing techniques targeting employees. The FBI reported over $2.9 billion in losses to BEC in a single year, making it the most financially damaging cybercrime category for businesses.
How BEC Attacks Work
Attackers start with reconnaissance. They research your business online — your website, LinkedIn, social media, and publicly available documents — to understand who you work with, how you communicate, and who handles finances.
Armed with this information, they craft a convincing email. It might come from a spoofed address (made to look like your CEO's email), a compromised real account (if a colleague was previously phished), or a lookalike domain (a fake domain that looks almost identical to your supplier's).
The email requests something financially damaging: redirect a payment to a new bank account, process an urgent invoice, or purchase gift cards on behalf of the CEO. The request comes with urgency, authority, and a reason not to verify through the usual channels.
The 5 Red Flags to Teach Your Team
The email address is slightly off
Attackers register domains that look like real ones — "company-name.co" instead of "company-name.com", or "cornpany.com" with an 'r' and 'n' that look like an 'm'. Always verify the full email domain before acting on a payment request.
The request came in by email only — no phone call, no prior discussion
Legitimate payment changes and urgent invoices from real suppliers are almost always accompanied by a call or a reference to a prior conversation. An unexpected email asking you to change payment details is a huge red flag.
There's a sense of urgency or secrecy
"Please process this today — our CFO is in meetings." "Don't mention this to anyone yet, the deal is confidential." Urgency and secrecy are psychological levers. Legitimate businesses don't ask you to rush or hide financial transactions.
The payment details have changed
Any request to update bank account details, change a payment method, or redirect funds to a new account should trigger an immediate phone call to a known number — not the one in the email — before any action is taken.
The writing style is slightly different
You've been emailing your supplier's accounts team for two years. Suddenly the tone shifts, the sign-off is different, or the language feels slightly off. Trust your instincts — and verify before you pay.
The Golden Rule: Call Before You Pay
If any payment request, invoice change, or new account detail arrives by email — regardless of who it appears to come from — call the sender on a number you already have for them before taking any action.
Do not call a number included in the suspicious email. Look up the number independently. This one habit alone stops the vast majority of BEC attacks dead in their tracks.
Protecting Your Business at the Technical Level
Beyond training, the right email security tools significantly reduce BEC risk by blocking spoofed emails, flagging external senders impersonating internal addresses, and detecting lookalike domains before emails reach your staff. Pair this with strong account security — multi-factor authentication on every mailbox — so a stolen password alone can't hand attackers the keys to your inbox.
5 Ways to Protect Your Team
- Train all staff who handle payments to verify any new or changed payment instructions by phone
- Use email filtering that detects domain spoofing and lookalike domains
- Require two-person approval for any payment above a defined threshold
- Enable multi-factor authentication on all email accounts
- Set up internal alerts for emails received from external senders using your own company name
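The first red flag (lookalike domains such as "company-name.co" or "cornpany.com") and the last item above (alerting on external senders who borrow your company name) are both mechanical checks that a mail filter can run on the From: header. The following added example is not code from the original article or from any vendor; it is a small Python classifier with a constructed configuration (the domain company-name.com, the supplier acme-supplies.com, and the staff names Alice Smith and Bob Jones are all assumed for illustration). It folds visually confusable character pairs (rn/m, vv/w, 0/o, 1/l), compares the registrable name ignoring the TLD, allows one edit of distance, catches a trusted domain buried inside a longer attacker-controlled one, and separately flags an external address whose display name matches a colleague or the company:

```python
import re
from email.utils import parseaddr

# Constructed configuration for this example: the organisation's own domain,
# the supplier domains it pays, and names an attacker might borrow.
INTERNAL_DOMAIN = "company-name.com"
COMPANY_NAME = "company name"
TRUSTED_DOMAINS = {"company-name.com", "acme-supplies.com"}
INTERNAL_NAMES = {"alice smith", "bob jones"}          # e.g. CEO and CFO

# Character sequences that render almost identically in common fonts.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]


def fold_confusables(text):
    """Map visually confusable sequences onto the letters they imitate."""
    for fake, real in CONFUSABLES:
        text = text.replace(fake, real)
    return text


def edit_distance(a, b):
    """Levenshtein distance: number of single-character edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None if it is clean."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    label = domain.rpartition(".")[0]
    for trusted in TRUSTED_DOMAINS:
        t_label = trusted.rpartition(".")[0]
        # Same name with a different TLD (company-name.co) or with confusable
        # characters swapped in (cornpany-name.com, acme-supp1ies.com).
        if fold_confusables(label) == fold_confusables(t_label):
            return trusted
        # One character inserted, dropped or changed (companyname.com).
        if edit_distance(domain, trusted) <= 1:
            return trusted
        # Trusted name buried inside an attacker-controlled domain
        # (company-name.com.evil.example), as opposed to a real subdomain.
        if trusted in domain and not domain.endswith("." + trusted):
            return trusted
    return None


def is_internal(domain):
    """True for the company's own domain and its genuine subdomains."""
    return domain == INTERNAL_DOMAIN or domain.endswith("." + INTERNAL_DOMAIN)


def assess_sender(from_header):
    """Return the BEC red flags raised by a From: header as (code, detail) pairs."""
    display_name, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    flags = []

    imitated = lookalike_of(domain)
    if imitated:
        flags.append(("lookalike-domain", f"{domain} imitates {imitated}"))

    if not is_internal(domain):
        # External sender whose display name borrows a colleague's name or the
        # company name: the case the internal-alert item above describes.
        folded = re.sub(r"[^a-z0-9]+", " ", display_name.lower()).strip()
        for name in INTERNAL_NAMES | {COMPANY_NAME}:
            if name in folded:
                flags.append(("display-name-impersonation",
                              f"{display_name!r} sent from {domain}"))
                break
    return flags


if __name__ == "__main__":
    # Constructed sample headers, not real messages.
    samples = [
        '"Alice Smith" <alice.smith@company-name.com>',
        '"Alice Smith (CEO)" <ceo.alice.smith@gmail.example>',
        '"Accounts" <accounts@company-name.co>',
        '"Accounts Payable" <ap@cornpany-name.com>',
        '"Acme Supplies AP" <ap@acme-supp1ies.com>',
        '"Acme Supplies AP" <ap@acme-supplies.com>',
    ]
    for header in samples:
        print(f"{header}\n    -> {assess_sender(header) or 'no red flags'}")
```

The output of assess_sender is meant to feed an alert or a banner on the message, not to block outright: a one-edit match against a short trusted domain can misfire on an unrelated legitimate sender, so tune the trusted list and review hits before enforcing. None of this replaces the phone call; it just makes sure the suspicious message arrives already flagged.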
The Bottom Line
BEC works because it exploits trust, urgency, and the natural human desire to be helpful and efficient. The defence isn't complicated — it's a culture of verification, supported by the right technology. Train your team, establish clear payment procedures, and make sure your email is protected at the technical level.
Is Your Email Protected?
Our Email & Account Security service blocks BEC attacks before they reach your team. Get a free assessment to see where you stand.