Attack-type guide

How to Prevent Business Email Compromise in Accounts Payable

Business Email Compromise — BEC — is the highest-loss cybercrime category tracked by the FBI. In 2024, BEC attacks resulted in over $2.8 billion in documented losses in the United States alone. And the defining characteristic of BEC isn't technical sophistication. It's the manipulation of people and processes that finance teams rely on every day.

Understanding how BEC works in AP environments — and where it can actually be stopped — is the first step toward preventing it.

What Business Email Compromise Actually Is

BEC is a social engineering attack that uses email to manipulate an organization into making an unauthorized payment. The attacker doesn't need to hack your systems. They need to control an email channel your AP team trusts, and use it to redirect a payment.

The attack takes two primary forms:

Email spoofing. The attacker creates an email address that appears, at a glance, to belong to a trusted party — a vendor, an executive, a client. `invoices@acme-supply.com` becomes `invoices@acme-supplys.com` — one extra letter, invisible in a busy inbox. The attacker sends a payment instruction from the spoofed address. The AP team sees a familiar name and complies.

Account compromise. The attacker gains actual access to a real email account — a vendor's inbox, an executive's email, a finance team member's account — and sends fraudulent payment instructions from a legitimate address. Because the email is authentic, no spam filter or spoofing detection catches it. The payment instruction is indistinguishable from a legitimate one.

How BEC Targets AP Specifically

BEC attacks on AP teams follow a consistent pattern:

1. Reconnaissance. The attacker identifies a target company, maps its vendor relationships and payment flows, and identifies the AP team members who process payments.

2. Position. The attacker establishes a trusted email position — either by compromising an account or creating a convincing spoof.

3. The request. A payment instruction arrives that matches an expected payment scenario: a vendor updating banking details before a payment run, an executive requesting an urgent wire, a new supplier submitting first invoice details.

4. Approval. Because the request appears legitimate and matches normal AP patterns, it's processed. The wire or ACH clears before anyone questions it.

Why Standard Controls Don't Stop BEC

Email security tools (spam filters, domain authentication, phishing detection) catch spoofed emails inconsistently and miss account compromise attacks entirely. A BEC email from a legitimately compromised vendor account will pass every email security check.

Approval workflows verify that the payment was authorized. They don't verify that the authorization request was genuine. A dual-approval workflow where both approvers review the same fraudulent invoice doesn't catch the fraud — it just adds a second person who was also deceived.

Call-back procedures work when they use independently verified phone numbers. They fail when staff call the number provided in the fraudulent email — which is controlled by the attacker.

How Vantirs Stops BEC-Triggered Payments

Vantirs operates at the payment destination layer — the one control that BEC cannot bypass. Even if a fraudulent payment instruction passes every email security, approval workflow, and human review check, Vantirs catches it at execution by verifying that the destination bank account matches the verified record for that vendor.

Payment destination verification: Every wire or ACH is checked against Vantirs' fraud signal database and your verified vendor registry before funds release.

Bank account change quarantine: Any instruction to change a vendor's payment details — regardless of how legitimate it appears — is held for independent verification before it can redirect a payment.

BEC pattern detection: Payment requests that match known BEC patterns — new payee, executive instruction, urgent framing, amount anomalies — trigger enhanced review workflows automatically.

BEC cannot be fully stopped at the email layer. It can be stopped at the payment layer.

Stop BEC before it reaches your bank account.

Book a demo → — see how Vantirs catches BEC-triggered payments in real time.