Business Email Compromise (BEC): Canada's Most Costly Cyber Threat
Ransomware gets the headlines. Phishing gets the training modules. But the single most financially damaging form of cybercrime — year after year — is business email compromise.
The FBI's Internet Crime Complaint Center (IC3) reported that BEC attacks accounted for $2.9 billion USD in reported losses in 2023 alone — more than any other category of cybercrime, including ransomware. The Canadian Anti-Fraud Centre has consistently identified BEC as one of the top fraud threats to Canadian businesses, with individual losses often reaching hundreds of thousands of dollars per incident.
What makes BEC so effective — and so dangerous — is that it doesn't rely on technical exploits. There's no malware to detect. No software vulnerability to patch. BEC works by impersonating someone the victim trusts and manipulating them into transferring money, sharing sensitive data, or changing payment details.
How BEC Works
A business email compromise attack typically follows a pattern:
Step 1: Reconnaissance
The attacker researches the target organization. They study the company's website, LinkedIn profiles, and public records to understand the organizational structure — who reports to whom, who handles finances, who approves payments, and what vendors the company works with. This research phase can take days or weeks.
Step 2: Impersonation
The attacker either compromises a legitimate email account (through phishing or credential theft) or creates a convincing lookalike email address. Common impersonation tactics include:
- Compromised accounts — The attacker gains access to an actual employee's email account, often because the account wasn't protected by MFA. Emails sent from a compromised account are particularly dangerous because they come from a trusted, legitimate address.
- Lookalike domains — Registering a domain that looks nearly identical to the target's domain (e.g., "yourcompany.ca" vs. "yourcompany.co" or "your-company.ca").
- Display name spoofing — Setting the sender display name to match a trusted person while using a different underlying email address. On mobile devices, many email clients show only the display name, hiding the actual address.
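As an added example (not code from the original article), here is a Python check that applies the impersonation patterns above to an inbound message's From header and returns the warnings a gateway or client could surface. The staff directory, trusted domain and sample message are constructed, and the lookalike test (within two edits of a trusted domain, or the same second-level label with a hyphen or a different TLD) is an assumption about what counts as "nearly identical".

```python
# Added example: classify the From header of an inbound message for the
# impersonation patterns described above. Directory, trusted domains and the
# sample headers are all constructed for this illustration.
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"yourcompany.ca"}                 # constructed
STAFF = {"jane doe": "jane.doe@yourcompany.ca"}     # constructed directory


def edit_distance(a, b):
    """Levenshtein distance; used to spot one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain):
    """Flag domains within two edits of a trusted domain, or whose second-level
    label matches a trusted one after removing hyphens or swapping the TLD."""
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted:
            return False
        if edit_distance(domain, trusted) <= 2:
            return True
        if domain.split(".")[0].replace("-", "") == trusted.split(".")[0]:
            return True
    return False


def classify_sender(raw_message):
    """Return the set of warning labels raised for the message's From header."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    flags = set()
    if domain and domain not in TRUSTED_DOMAINS:
        flags.add("EXTERNAL")             # what an external-sender banner keys on
    if is_lookalike(domain):
        flags.add("LOOKALIKE_DOMAIN")
    known = STAFF.get(name.strip().lower())
    if known and known.lower() != addr.lower():
        flags.add("DISPLAY_NAME_SPOOF")   # trusted name, untrusted address
    return flags


# Constructed sample: the display name is a real employee's, the address is not.
SAMPLE = "From: Jane Doe <jane.doe@your-company.ca>\nSubject: Urgent wire\n\nPlease process today.\n"
```

A message from the genuine address raises no flags; an unrelated external sender raises only EXTERNAL, which is exactly the banner case.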
Step 3: The Request
The attacker sends a message crafted to trigger a specific action — usually a financial transaction. The request is designed to feel urgent, routine, or both. Common BEC scenarios include:
CEO/Executive Fraud: An email appearing to come from the CEO or a senior executive asks an employee in finance to process an urgent wire transfer. "I need you to handle a confidential payment. I'm in meetings all day — please process this immediately and confirm when done."
Vendor Impersonation: An email appearing to come from a regular vendor notifies accounts payable that banking details have changed. "Please update our payment information to the new account below for all future invoices." The employee updates the records, and subsequent payments go to the attacker.
Payroll Diversion: An email appearing to come from an employee asks HR to update their direct deposit information. The next payroll cycle sends the employee's salary to the attacker's account.
Legal/Closing Fraud: In real estate and legal transactions, an email impersonating a lawyer, notary, or real estate agent provides fraudulent wiring instructions for a closing payment. The amounts involved are often substantial — full property purchase prices.
Why BEC Is So Effective
BEC exploits the way businesses actually work:
- Urgency is normal. Executives do send urgent requests. Vendors do change banking details. These requests don't look abnormal because they mirror legitimate business operations.
- Authority pressure works. An employee receiving a direct request from the CEO is unlikely to question it, especially when the message says "please handle this confidentially" or "don't discuss this with others yet."
- Email is trusted. Despite widespread awareness of phishing, email remains the primary channel for business communications and financial instructions. People expect to receive legitimate payment requests by email.
- Technical controls don't catch it. Because BEC emails often contain no malicious links, attachments, or malware, they bypass spam filters, anti-malware tools, and email security gateways. The message itself is the weapon.
The Canadian Impact
The Canadian Anti-Fraud Centre (CAFC) reports that BEC is among the most damaging fraud types targeting Canadian businesses. Several factors make Canadian businesses particularly exposed:
- Cross-border transactions are common. Many Canadian businesses work with US and international vendors, making international wire transfers a normal part of operations. This makes fraudulent international payment requests less likely to raise suspicion.
- Real estate transactions. Canada's active real estate market creates frequent opportunities for closing fraud. Lawyers, notaries, and real estate professionals handling trust funds are high-value targets.
- SMB vulnerability. Smaller organizations are often more exposed because they may lack segregation of duties in finance — meaning one person can both receive a payment request and execute the transfer without independent verification.
Under PIPEDA, if a BEC attack results in the exposure of personal information (employee records, customer data, financial details shared in compromised email threads), the breach notification requirements apply — adding regulatory and reputational consequences to the financial loss.
How to Protect Your Business
BEC defence is primarily procedural, not technical. While technology helps, the most effective controls are verification processes that break the attack chain.
Verification Procedures for Financial Requests
The single most effective defence against BEC is a mandatory verification step for financial transactions:
- Any request to change payment details (vendor banking information, employee direct deposit, wire instructions) must be verified through a separate communication channel — a phone call to a known number, not a number provided in the email
- Any wire transfer request above a defined threshold must be approved by two people
- Any urgent or unusual payment request from an executive must be verified verbally before processing — regardless of who it appears to come from
- Payment instructions received by email for real estate or legal closings must be confirmed by phone using contact information from existing records, not from the email itself
These procedures should be written, communicated to all relevant staff, and treated as non-negotiable. The attacker's primary tool is urgency — the procedure's primary tool is pause.
Email Security
While BEC can bypass many technical controls, several measures reduce the risk:
- Enable MFA on all email accounts. This prevents the most damaging form of BEC — where the attacker operates from inside a compromised, legitimate account. MFA is the most effective technical control against account takeover.
- Implement DMARC, DKIM, and SPF. These email authentication protocols help prevent domain spoofing. Your IT provider or MSP can configure these for your domain. They won't stop all BEC, but they make direct impersonation of your domain significantly harder.
- Enable external email warnings. Configure your email system to display a visible banner on all emails originating from outside your organization. This simple visual cue helps employees identify when an "internal" request is actually coming from an external address.
- Disable auto-forwarding rules. Attackers who compromise an email account often set up forwarding rules to monitor communications and intercept responses. Regularly audit mailbox rules for unauthorized forwarding.
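An added example, not from the article: a Python audit over an export of mailbox rules that flags enabled rules forwarding or redirecting mail outside the organization. The rule records are constructed and their field names are an assumption, loosely modelled on how Microsoft Graph represents mailbox rules; adapt them to whatever your mail platform exports.

```python
# Added example: find mailbox rules that send mail outside the organization.
# Rule records are constructed; field names are an assumption loosely based on
# the shape of Microsoft Graph mailbox rules, not a real API response.
TRUSTED_DOMAINS = {"yourcompany.ca"}   # constructed

# Constructed sample export: one benign move rule, one suspicious external
# forward with a one-character name, one internal forward, one disabled rule.
RULES = [
    {"mailbox": "cfo@yourcompany.ca", "displayName": "Archive invoices",
     "isEnabled": True, "actions": {"moveToFolder": "Archive"}},
    {"mailbox": "ap@yourcompany.ca", "displayName": ".",
     "isEnabled": True, "actions": {"forwardTo": ["collector@example.net"],
                                    "markAsRead": True}},
    {"mailbox": "ap@yourcompany.ca", "displayName": "Copy to manager",
     "isEnabled": True, "actions": {"forwardTo": ["manager@yourcompany.ca"]}},
    {"mailbox": "hr@yourcompany.ca", "displayName": "old",
     "isEnabled": False, "actions": {"redirectTo": ["x@example.org"]}},
]

# Actions that move a copy of, or the whole, message to another address.
FORWARDING_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")


def external_targets(rule):
    """Return every forwarding target of a rule that lies outside trusted domains."""
    targets = []
    for action in FORWARDING_ACTIONS:
        for addr in rule.get("actions", {}).get(action, []):
            domain = addr.rsplit("@", 1)[-1].lower()
            if domain not in TRUSTED_DOMAINS:
                targets.append(addr)
    return targets


def audit_rules(rules, include_disabled=False):
    """Return (mailbox, rule name, external targets) for each rule that forwards
    or redirects mail outside the organization. Disabled rules are skipped unless
    include_disabled is set, since an attacker can re-enable them later."""
    findings = []
    for rule in rules:
        if not rule.get("isEnabled", True) and not include_disabled:
            continue
        ext = external_targets(rule)
        if ext:
            findings.append((rule["mailbox"], rule.get("displayName", ""), ext))
    return findings


if __name__ == "__main__":
    for mailbox, name, targets in audit_rules(RULES):
        print(f"{mailbox}: rule {name!r} forwards externally to {targets}")
```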
Employee Training
BEC training is distinct from general phishing training and should focus on:
- Recognizing urgency and authority pressure. Train employees to treat urgent financial requests with more scrutiny, not less
- Understanding display name vs. email address. Show employees how to verify the actual sender address, especially on mobile devices
- Following verification procedures without exception. The training message is simple: "No matter who the email appears to come from — including the CEO — payment changes and wire transfers are always verified by phone."
- Reporting suspected BEC attempts. Even unsuccessful attempts should be reported because they indicate that the organization is being targeted
Specific Procedures for High-Risk Roles
Some roles are targeted more often than others. Tailor procedures for:
- Accounts payable staff — Require dual authorization for vendor banking changes and wire transfers
- HR/payroll staff — Verify all direct deposit change requests with the employee in person or by phone
- Executives — Ensure that people authorized to request payments know the verification procedures and support them, even when it means a slight delay
- Legal/real estate professionals — Verify all wiring instructions by phone using independently obtained contact information
What to Do If You're a Victim
Time matters. If you suspect a BEC attack has resulted in a fraudulent payment:
- Contact your bank immediately. Request a recall of the wire transfer. The faster you act, the higher the chance of recovery. Some banks can initiate a hold on funds if contacted within 24-72 hours.
- Contact the receiving bank. If you know which institution received the funds, contact them directly as well.
- Report to the Canadian Anti-Fraud Centre at 1-888-495-8501 or online at antifraudcentre.ca
- Report to local police. File a report with your local police service.
- Preserve evidence. Do not delete emails, modify account settings, or alter any records related to the incident. These may be needed for investigation and recovery.
- Notify your cyber insurer if you have cyber insurance. Many policies include social engineering coverage, but prompt notification is typically required.
- Activate your incident response plan. Follow your incident response procedures for communication, investigation, and remediation.
If the attack involved a compromised email account, treat it as a full account compromise — reset the password, review all mailbox rules and forwarding settings, check for unauthorized access, and audit what information the attacker may have accessed.
The Baseline Controls Connection
BEC defence maps across multiple areas of the Canadian Centre for Cyber Security's Baseline Controls:
- BC.1 (Incident Response) — Having a plan for BEC incidents specifically, including who to contact and how to initiate fund recovery
- BC.4 (Secure Configuration) — Implementing DMARC/DKIM/SPF and external email warnings
- BC.5 (Authentication) — Requiring MFA on all email accounts to prevent account takeover
- BC.6 (Security Awareness) — Training employees to recognize and respond to BEC attempts
Our free assessment evaluates your organization's email security, authentication practices, and incident response readiness — all critical defences against business email compromise. It takes under 10 minutes and shows where your current posture may leave you exposed to Canada's most costly cyber threat.
Disclaimer: This article is intended for general informational purposes only and does not constitute professional cybersecurity, legal, IT, or compliance advice. While we strive to ensure accuracy, the cybersecurity landscape changes rapidly and information may become outdated. Organizations should consult with qualified cybersecurity professionals and legal counsel to assess their specific situation and develop appropriate security policies. Use of this information is at your own risk. See our Privacy Policy for more information.
Cybersecurity Canada is an independent resource and is not affiliated with, endorsed by, or connected to the Canadian Centre for Cyber Security, the Communications Security Establishment, or the Government of Canada.