
Rising Incidents of BEC and Wire Fraud: Tales from the Front Lines


Key Takeaways:

  • Incidents of business email compromise (BEC) are on the rise, the majority of which result in wire fraud.
  • Fraudsters are developing more sophisticated attacks and are focused on bypassing defenses like multi-factor authentication (MFA).
  • Attitudes are changing among organizations following BEC attacks, with more disputes being reported between impacted companies.
  • Countering BEC scams requires specific investments in technology, training, and advanced incident planning.

Businesses face a constantly shifting threat landscape in which threat actors use advanced tooling to mount more frequent and more convincing attacks. As the severity of these incidents climbs, more organizations are turning to breach coaches and privacy attorneys in the wake of malicious cyber events like ransomware attacks, business email compromise (BEC) and imposter scams. They do so because these advisors can guide incident response and breach notification efforts with proven knowledge and experience.

To gain insights into the latest cyber-attack trends, the TransUnion® Incident Response team recently interviewed privacy attorneys who work with cyber insurance companies. While the discussions were wide-ranging, one threat trend kept surfacing: The increasing prevalence of BEC attacks, the majority of which result in wire fraud.

With BEC attacks up 30% as of March 2025, insurance professionals need to understand the risks these scams pose. The following are the core questions, trends and insights insurers should be aware of to better protect their policyholders and their own organizations.

What is business email compromise?

BEC is a type of phishing scam that targets businesses. It typically involves threat actors gaining access to a legitimate email account through social engineering, then using that trusted position to pose as a supplier sending an invoice, or as a company executive redirecting a payroll payment or requesting that funds be transferred to an account. Whatever the scheme, the account the funds are directed to is controlled by the threat actor.

The financial impact of these scams can be significant, and the costs are climbing. In January 2025, the average BEC wire transfer requested by attackers was tracked at $24,586. That’s up 46% from just the month before ($16,799 in December 2024).

How common are BEC attacks?

Stuart Panensky, Co-Chair of the Cyber Privacy and Technology Practice Group at Pierson Ferdinand LLC, reported, “More than half of the claims that we get in as assignments are business email compromise-related. Much of the percentage of those involve wire fraud.”

John Loyal, Managing Partner at Cipriani & Werner, indicated his firm was seeing a similar pattern. “We're seeing about five to seven business email compromises a day and, of those, probably four to five involve wire fraud,” he said.

The BEC volume these attorneys report aligns with what industry observers are seeing. Research from one cybersecurity firm found 70% of organizations were targeted by BEC scams in the previous 12 months, and 29% of those companies fell victim to one or more successful BEC attacks.

Are small businesses safe from BEC scams?

While some small to mid-sized businesses (SMBs) might think they are too small to be targeted by BEC scams, that is not the case. Research shows organizations with fewer than 1,000 employees have a 70% probability of experiencing at least one BEC attack each week.

The financial impact of BEC attacks can also be more difficult for SMBs to absorb — and they won’t always get the assistance needed to recoup their losses.

Sara Goldstein, Partner at Baker Hostetler Law, said, “In my experience, the smaller numbers can be harder to recover. For smaller organizations, $40,000 is a significant amount of money … [but] when it comes to law enforcement and priorities, it's not. So, these organizations really suffer from these wire transfer fraud incidents.”

Why BEC attacks rely on wire fraud

BEC attacks are particularly insidious because they exploit positive human traits like trust and familiarity. Unlike malware or ransomware attacks, the fraudulent request itself carries no infected attachment or malicious payload; it is a plain, plausible email that uses social engineering to manipulate an unsuspecting employee into taking an action they don’t realize hurts the organization. (The initial access that lets the attacker send from a real account may still come from a credential-phishing page, as discussed below.)

Panensky explained that it’s simply a better return on the fraudster’s investment of time than ransomware. “It takes much more work and energy to extort an organization than it is to fool them into sending money to your account,” he said.

Criminals also favor wire transfers because once a wire settles the money is rarely retrievable: a recall request has a realistic chance only if it reaches the banks within hours to a few days, before the funds are withdrawn or moved on. Loyal explained, “By the time you contact the bank, it says, ‘Yes, that wire went through … There's nothing we can do. We can’t reverse the wire.’ ”

In these cases, the scammer walks away. For the victim, the money is gone.

All three of the privacy attorneys who spoke with our Incident Response team noted the rise of BEC, and each had thoughts on how the threat is evolving.

Greater sophistication

Loyal noted that the increased sophistication and realism of today’s BEC attacks make it harder for employees and companies to spot them.

“Back in the day, it used to be misspellings and bad sentences,” he explained. “Today, they’re using AI and putting together an email better than you or I could — more professional looking, perfect grammar. And you get a million emails throughout the course of the day, right? So now you're getting an email that's very professional looking, that's not going to give you a second thought, and you're going to click on it.” 

Bypassing multifactor authentication (MFA)

Goldstein echoed Loyal’s observation about the improved sophistication of attacks. Yet she noted it extends beyond better spelling and grammar: threat actors have adapted to get around defenses like MFA.

“Multifactor authentication is not the silver bullet that we all thought it was when we implemented it,” she said. “Threat actors are much more sophisticated now and their phishing emails look much more realistic. They're able to steal the session token when the victim goes to a webpage they think is legitimate and provide their account credentials. They're then able to bypass MFA, change the MFA rule, change that second factor, and then get into the account.”

She added that unfortunately, it’s difficult to prevent those types of bypass attacks from happening, so it’s important to train staff members to recognize scam emails. The attack she describes is adversary-in-the-middle phishing: the fake page proxies the real login, the victim completes MFA against the real service, and the attacker keeps the resulting session cookie. One-time codes and push approvals do nothing against it because the factor is genuinely satisfied; only phishing-resistant authenticators (FIDO2/WebAuthn security keys or passkeys), whose response is bound to the real site’s origin, refuse to sign for the proxy page.

Employee overload

In addition to the technical challenge of MFA bypass attacks, Loyal said his firm is seeing a number of cases where employees approve an authentication prompt when they are not trying to log in. An attacker who already holds a stolen password simply triggers prompts until one is approved, a pattern often called MFA fatigue or push bombing.

“We see that day in, day out: people authenticating themselves when they shouldn't be,” he said. “They get a message on the phone and hit the button to confirm, ‘Is this you?’. Well, this is you on the device, yes. But it's not you trying to log into your computer.”
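Both patterns above, a session token that was stolen after MFA and then replayed, and a push prompt approved under a barrage of requests, leave traces in identity-provider logs. The following is an added example, not code from the original post or from the firms quoted, of detection rules run over a constructed set of sign-in and audit events; the event fields (t, type, user, ip, session, result), the usernames and the IP addresses are all assumptions made for the example and must be mapped to your own provider’s log schema.

```python
"""Added example: detection logic for the two MFA failure patterns described
above, run over a constructed sample of identity-provider events. The field
names and every record below are assumptions made for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real log data). IPs are documentation ranges.
EVENTS = [
    # ap.clerk signs in from the office, completes MFA, and works normally.
    {"t": "2025-03-03T09:00:00", "type": "signin", "user": "ap.clerk",
     "ip": "203.0.113.10", "session": "S1"},
    {"t": "2025-03-03T09:05:00", "type": "mailbox_access", "user": "ap.clerk",
     "ip": "203.0.113.10", "session": "S1"},
    # The same session token is then replayed from an unrelated IP: the
    # attacker never completed MFA, the stolen token already carries it.
    {"t": "2025-03-03T09:20:00", "type": "mailbox_access", "user": "ap.clerk",
     "ip": "198.51.100.77", "session": "S1"},
    # Minutes later a new second factor is registered from that same IP.
    {"t": "2025-03-03T09:24:00", "type": "mfa_method_added", "user": "ap.clerk",
     "ip": "198.51.100.77", "session": "S1"},
    # cfo receives a burst of push prompts late at night and finally approves.
    {"t": "2025-03-03T22:00:00", "type": "mfa_push", "user": "cfo",
     "ip": "198.51.100.9", "result": "denied"},
    {"t": "2025-03-03T22:01:30", "type": "mfa_push", "user": "cfo",
     "ip": "198.51.100.9", "result": "timeout"},
    {"t": "2025-03-03T22:03:00", "type": "mfa_push", "user": "cfo",
     "ip": "198.51.100.9", "result": "timeout"},
    {"t": "2025-03-03T22:06:00", "type": "mfa_push", "user": "cfo",
     "ip": "198.51.100.9", "result": "approved"},
    # hr.lead gets one prompt and approves it: normal, must not alert.
    {"t": "2025-03-03T10:00:00", "type": "mfa_push", "user": "hr.lead",
     "ip": "203.0.113.22", "result": "approved"},
]


def _ts(e):
    return datetime.fromisoformat(e["t"])


def detect_session_ip_change(events):
    """Flag a session token used from an IP other than the one that
    established it. A legitimate user changing networks can trigger this
    too, so treat it as a lead, but it is the signature of token replay."""
    origin, hits = {}, []
    for e in sorted(events, key=_ts):
        sid = e.get("session")
        if sid is None:
            continue
        if sid not in origin:
            origin[sid] = e["ip"]
        elif e["ip"] != origin[sid]:
            hits.append((e["user"], sid, origin[sid], e["ip"], e["t"]))
    return hits


def detect_mfa_change_from_new_ip(events, window=timedelta(hours=1)):
    """Flag a new MFA method registered from an IP first seen for that user
    within `window`: the 'change the second factor' step of a takeover."""
    first_seen, hits = {}, []
    for e in sorted(events, key=_ts):
        key = (e["user"], e["ip"])
        first_seen.setdefault(key, _ts(e))
        if e["type"] == "mfa_method_added" and _ts(e) - first_seen[key] <= window:
            hits.append((e["user"], e["ip"], e["t"]))
    return hits


def detect_push_fatigue(events, window=timedelta(minutes=10), threshold=3):
    """Flag a user who approved a push after at least `threshold` prompts
    within `window`: attacker-driven prompts ending in a reflexive 'yes'."""
    by_user = defaultdict(list)
    for e in sorted(events, key=_ts):
        if e["type"] == "mfa_push":
            by_user[e["user"]].append(e)
    hits = []
    for user, pushes in by_user.items():
        for i, e in enumerate(pushes):
            if e["result"] != "approved":
                continue
            recent = [p for p in pushes[: i + 1] if _ts(e) - _ts(p) <= window]
            if len(recent) >= threshold:
                hits.append((user, len(recent), e["t"]))
    return hits


if __name__ == "__main__":
    for name, fn in [("session_ip_change", detect_session_ip_change),
                     ("mfa_change_from_new_ip", detect_mfa_change_from_new_ip),
                     ("push_fatigue", detect_push_fatigue)]:
        for hit in fn(EVENTS):
            print(name, hit)
```

On the sample data the first rule fires twice for session S1 (the replay and the method change both come from the new IP), the second fires once for the MFA method added four minutes after that IP first appeared, and the third fires once for the cfo approval that followed three earlier prompts; hr.lead’s single approval is not reported. In production the thresholds and the window are tuning decisions, and a hit on any of the three rules should lead to revoking the session and reviewing recently added MFA methods rather than just an alert.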

Payment disputes

In addition to the incidents of wire fraud occurring because of BEC scams, Panensky said the number of disputes arising from wire fraud has been climbing as well.

If a vendor’s email system was compromised, for example, and the criminals sent a message directing the client’s regular payment to a fraudulent account, historically the vendor would be happy to put the incident in the past. But Panensky indicated that’s changing.

“It's a growing trend where companies are being a little bolder saying, ‘Wait a second. You misdirected funds that were meant for us, and we didn't get paid, so you need to pay us,’” he said. “Meanwhile, the other party's saying, ‘But we lost all this money. We can't pay you twice.’”

While companies previously may have been content to get through the process, increasingly the parties are more emboldened to push back. 

How to counter BEC scams and wire fraud

Considering the ongoing BEC threat, organizations understandably want to know how they can prepare. The privacy attorneys quoted above had the following recommendations.

Require MFA to access company systems

Keeping threat actors out of your email system and company network means limiting access to legitimate users. And while the privacy attorneys have seen more threat actors trying to bypass MFA, they all still recommend organizations have MFA in place. Where the platform supports it, number matching on push prompts blunts the approve-by-reflex problem described earlier, and phishing-resistant authenticators address the session-token theft.

Loyal likened it to having an alarm on your house as a deterrent. “Everyone knows they should have something on their house,” he said. “When they lock the door, the alarm system goes on. Same concept for multifactor authentication.”

Plan to respond to incidents

The reality is, no matter how much a company invests in cyber defenses, a committed criminal can usually find a way in. Incident response planning is critical because it ensures the company knows what the roles, responsibilities and mitigation steps will be when an incident occurs.

Panensky said, “We love getting to meet a client that says, ‘We're preparing incident response policies, and we would like you to help us.’ That's the best planning in the world.”

Re-evaluate payment procedures

When it comes to stopping fraudulent payments going out the door, Goldstein said the solution isn’t complicated. She said wire fraud may be easy to pull off, “But it's also so easy to prevent it from happening. You just pick up the phone. It's back to basics in terms of training folks who are in the positions to pay invoices, making sure they pick up the phone to confirm the wire transfer information is correct.”

She added that companies should also consider updating the payment-instructions section of their contracts to spell out the approved process for changing payment instructions, preferably excluding requests made by email. The number used for that confirming call must come from the vendor record captured at onboarding, never from the email or invoice that asks for the change, since an attacker in the vendor’s mailbox controls everything in that message.
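The call-back rule above can be encoded so that the accounts-payable system refuses a bank-detail change unless every control was actually met. The following is an added example, not code from the original post or from any AP product: the record types, field names, vendor, phone numbers and account numbers are all assumptions made for the example.

```python
"""Added example: the call-back rule expressed as an approval check for
changes to a vendor's bank details. The record types, field names and
scenarios are assumptions made for this example, not any AP system's API."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Vendor:
    """Vendor master record. phone_on_file was captured at onboarding and is
    the only number a verification call may use."""
    name: str
    phone_on_file: str
    bank_account: str


@dataclass
class ChangeRequest:
    """What arrived asking for new bank details. Everything in it, including
    contact_phone, is untrusted: an attacker in the vendor's mailbox wrote it."""
    vendor: str
    new_bank_account: str
    channel: str          # how it arrived: "email", "portal", "signed_letter"
    contact_phone: str    # the number the request asks you to call


@dataclass
class Callback:
    """Record of the verification call the AP clerk actually made."""
    phone_dialed: str
    confirmed: bool


ALLOWED_CHANNELS = ("portal", "signed_letter")  # email is deliberately absent


def evaluate_bank_change(req: ChangeRequest, vendor: Vendor,
                         callback: Optional[Callback],
                         approvers: List[str]) -> Tuple[bool, List[str]]:
    """Return (approved, reasons). Each rule is checked independently so the
    reasons list says exactly which control was not met."""
    reasons = []
    if req.vendor != vendor.name:
        reasons.append("request names a vendor other than the record checked")
    if req.channel not in ALLOWED_CHANNELS:
        reasons.append(f"channel '{req.channel}' is not accepted for bank changes")
    if callback is None:
        reasons.append("no call-back was made")
    else:
        # The number in the request is ignored on purpose; only the number
        # captured at onboarding counts, even if the two happen to match.
        if callback.phone_dialed != vendor.phone_on_file:
            reasons.append("call-back went to a number that is not on file")
        if not callback.confirmed:
            reasons.append("vendor did not confirm the change on the call")
    if len(set(approvers)) < 2:
        reasons.append("two distinct approvers are required")
    return (not reasons, reasons)


# Constructed scenarios (made-up vendor, numbers and accounts).
ACME = Vendor("Acme Supply", phone_on_file="+1-555-0100", bank_account="111-222")


def fraudulent_scenario() -> Tuple[bool, List[str]]:
    """Attacker in Acme's mailbox emails new details plus a 'helpful' number;
    a rushed clerk calls that number and one person approves twice."""
    req = ChangeRequest("Acme Supply", "999-888", "email", contact_phone="+1-555-0199")
    call = Callback(phone_dialed=req.contact_phone, confirmed=True)
    return evaluate_bank_change(req, ACME, call, approvers=["alice", "alice"])


def legitimate_scenario() -> Tuple[bool, List[str]]:
    """Same change submitted through the portal, verified on the number on
    file and approved by two people."""
    req = ChangeRequest("Acme Supply", "999-888", "portal", contact_phone="+1-555-0100")
    call = Callback(phone_dialed=ACME.phone_on_file, confirmed=True)
    return evaluate_bank_change(req, ACME, call, approvers=["alice", "bob"])


if __name__ == "__main__":
    print("fraudulent:", fraudulent_scenario())
    print("legitimate:", legitimate_scenario())
```

The point of the design is that the request’s own contact number never enters the decision: the fraudulent scenario fails on three independent controls (email channel, call placed to a number not on file, a single approver), so a clerk who is fooled on one of them is still stopped by the others.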

Double-down on employee training

Employee training in general was a key recommendation from all the attorneys quoted in this blog: educating staff on the correct use of technologies like MFA, and training them to recognize social engineering attempts, is critical to preventing BEC attacks.

Given the ever-evolving tools and techniques used by attackers, organizations should regularly conduct cybersecurity training and practice the company’s incident response plan. That keeps the importance of cyber protection top of mind for all employees and lets the organization adjust its IR plan as needed.

Planning ahead for BEC wire transfer fraud

BEC-related wire fraud will likely continue to plague businesses of all sizes, as advances in technology make it easier for criminals to create more convincing scams and access company systems. Business leaders and their insurance partners need to work together, ensuring organizations have sufficient proactive cybersecurity and incident response protocols in place.


Has your organization experienced a BEC attack, or do you need breach notification services following a cyber incident? Contact TransUnion® Incident Response for fast, effective assistance from proven professionals.