LimitedView
Incident Analysis · 17 April 2026 · 7 min read

Business Email Compromise: What a Successful Attack Reveals About Training Failure

When a finance team transfers funds to a fraudulent account, the failure rarely started with the wire transfer.

What actually happens during a business email compromise attack?

Business email compromise works by exploiting trust, not technology. An attacker impersonates a senior executive or a known supplier, sends a carefully timed email to someone with financial authority, and waits. No malware. No brute force. Just a convincing message and an apparent deadline.

LimitedView's analysis across 847 organisations shows that BEC is the incident type most frequently preceded by a long gap in relevant employee training. The attack succeeds because the person receiving the email has no recent frame of reference for what a suspicious request actually looks like in their specific role and organisation.

The preparation that attackers put in is rarely appreciated. They spend days researching. LinkedIn shows them reporting structures. Public announcements tell them when leadership is travelling. They time the request for a Friday afternoon when the approval chain shortens and urgency feels routine. The email arrives using the right language, referencing a real project or an upcoming deadline. The employee does not recognise it as a threat because nothing in their training ever resembled this.

Why do employees fall for requests from names they recognise?

They fall for it because the email does not appear to come from a stranger. It appears to come from the CFO, a long-standing supplier, or a colleague who is "on a flight and can't take calls." The psychological mechanics are well established. Humans extend trust to familiar names and familiar contexts. Generic phishing training does not prepare employees for targeted impersonation of people they work with every day.

LimitedView's incident data shows that in cases where employees successfully identified and escalated a BEC attempt, 71% had received training connected to a related security event within the previous 60 days. Not annual training. Not a compliance module delivered in January. Training that tied to something real they had recently heard about, delivered when threat awareness was naturally elevated.

Employees who had only their annual compliance training behind them flagged BEC attempts at a rate that offers no meaningful protection.

What does an organisation face once funds have moved?

Fast and painful. The first call is usually to the bank, not the security team. Finance raises the alarm, often hours after the transfer completes, when a legitimate invoice arrives for an amount apparently already paid. The recovery window for bank transfers is narrow. Most organisations find that once funds clear through overseas accounts, they are not recovered.

The security response then focuses on containment and scope. Was the executive's email account compromised? Has a mail forwarding rule been silently exfiltrating correspondence for weeks? Has the attacker been inside the environment reading exchanges, learning names, understanding deal flow? Frequently the answer to all three is yes, and the breach predates the fraudulent transfer by a significant margin.
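The mailbox-rule question above is the one most worth automating during scoping, because a forwarding or hiding rule is frequently the earliest artefact of the intrusion and dates the start of the dwell period. The following is an added example, not LimitedView's tooling: it walks a set of constructed, simplified audit records (the field names are assumptions; map them to what your mail platform actually exports), flags rules that forward externally or hide finance-related mail, works out how long the attacker was in place before the transfer, and surfaces source IPs that touched more than one mailbox.

```python
"""Mailbox-rule review during BEC scoping. Added example, not LimitedView's code.
The audit records and their layout are constructed; ORG_DOMAIN is an assumption."""
from datetime import datetime

ORG_DOMAIN = "example.com"          # assumption: the organisation's mail domain
FORWARD_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "junk email",
                  "deleted items", "conversation history"}
FINANCE_WORDS = ("invoice", "payment", "wire", "bank", "remittance", "iban", "swift")

# Constructed audit events for two mailboxes: two attacker rules and one benign rule.
AUDIT_EVENTS = [
    {"time": "2026-02-19T22:41:07Z", "user": "dana.reyes@example.com", "op": "New-InboxRule",
     "client_ip": "203.0.113.45",
     "params": {"Name": ".", "ForwardTo": ["archive.dreyes@mail-example.test"],
                "DeleteMessage": True, "SubjectContainsWords": ["invoice", "payment", "wire"]}},
    {"time": "2026-03-02T08:15:40Z", "user": "dana.reyes@example.com", "op": "New-InboxRule",
     "client_ip": "198.51.100.7",
     "params": {"Name": "Newsletters", "MoveToFolder": "Newsletters",
                "FromAddressContainsWords": ["newsletter"]}},
    {"time": "2026-04-10T23:05:12Z", "user": "k.nguyen@example.com", "op": "Set-InboxRule",
     "client_ip": "203.0.113.45",
     "params": {"Name": "Cleanup", "MoveToFolder": "RSS Feeds", "MarkAsRead": True,
                "SubjectContainsWords": ["bank details", "remittance"]}},
]


def _ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _domain(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def rule_reasons(params):
    """Why one rule looks like attacker tradecraft; an empty list means nothing notable."""
    reasons = []
    for key in FORWARD_KEYS:
        for target in params.get(key, []):
            if _domain(target) != ORG_DOMAIN:
                reasons.append(f"{key} to external address {target}")
    if params.get("DeleteMessage"):
        reasons.append("deletes matching messages")
    if str(params.get("MoveToFolder", "")).lower() in HIDING_FOLDERS:
        reasons.append(f"hides matches in '{params['MoveToFolder']}'")
    if params.get("MarkAsRead"):
        reasons.append("marks matches as read")
    words = [w.lower() for k in ("SubjectContainsWords", "BodyContainsWords")
             for w in params.get(k, [])]
    if any(fw in w for w in words for fw in FINANCE_WORDS):
        reasons.append("filters on finance vocabulary")
    if not params.get("Name", "").strip(" ._-"):
        reasons.append("nondescript rule name")
    return reasons


def is_suspicious(reasons):
    """External forwarding alone is enough; otherwise require hiding plus a finance filter."""
    external = any(r.startswith(FORWARD_KEYS) for r in reasons)
    hiding = any(r.startswith(("deletes", "hides", "marks")) for r in reasons)
    finance = any(r.startswith("filters") for r in reasons)
    return external or (hiding and finance)


def find_suspicious_rules(events):
    """Rule-creation/modification events whose parameters look like attacker tradecraft."""
    out = []
    for e in events:
        if e["op"] in ("New-InboxRule", "Set-InboxRule"):
            reasons = rule_reasons(e["params"])
            if is_suspicious(reasons):
                out.append({"user": e["user"], "time": e["time"],
                            "client_ip": e["client_ip"], "reasons": reasons})
    return out


def dwell_days(suspicious, transfer_time):
    """Whole days between the earliest suspicious rule and the fraudulent transfer."""
    if not suspicious:
        return None
    first = min(_ts(s["time"]) for s in suspicious)
    return (_ts(transfer_time) - first).days


def shared_client_ips(suspicious):
    """Source IPs seen against more than one mailbox: pivot points for widening scope."""
    by_ip = {}
    for s in suspicious:
        by_ip.setdefault(s["client_ip"], set()).add(s["user"])
    return {ip for ip, users in by_ip.items() if len(users) > 1}


if __name__ == "__main__":
    hits = find_suspicious_rules(AUDIT_EVENTS)
    for h in hits:
        print(h["time"], h["user"], h["client_ip"], "; ".join(h["reasons"]))
    print("dwell days before transfer:", dwell_days(hits, "2026-04-17T15:30:00Z"))
    print("IPs across multiple mailboxes:", shared_client_ips(hits))
```

On the constructed data the CFO's rule, created 56 days before the transfer, is the first artefact, and the same client IP later touches a second mailbox, which is exactly the widening-of-scope question the response has to answer before calling the incident contained. Treat the folder list and keyword list as starting points to tune against your own environment's benign rules.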

What follows is a detailed forensic review covering the email authentication results on the fraudulent messages (SPF, DKIM and DMARC, and whether the visible From address, the Reply-To and the envelope sender actually agree), login history, connected systems, and anything that might have been accessed or exfiltrated during the dwell period. The transaction is often the last thing that happened, not the first.
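The header checks in that review are mechanical and worth scripting so they are applied the same way to every message in the thread. What follows is an added example, not LimitedView's tooling: it triages two constructed messages, one spoofing the organisation's own domain (DMARC fails, replies are steered to a foreign Reply-To) and one sent from a lookalike domain that authenticates perfectly because the attacker owns it. The organisation domain, the executive directory and the urgency phrases are assumptions.

```python
"""Header triage for a suspected BEC message. Added example, not LimitedView's code.
ORG_DOMAIN, EXECUTIVES and the sample messages are constructed assumptions."""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

ORG_DOMAIN = "example.com"   # assumption: the victim organisation's mail domain
# Assumption: people attackers impersonate, normalised name -> their real address
EXECUTIVES = {"dana reyes": "dana.reyes@example.com"}
URGENCY = ("urgent", "today", "before 5pm", "can't take calls", "on a flight")

# Constructed sample 1: exact-domain spoof. The CFO's real address is in From,
# but DMARC failed and Reply-To/Return-Path steer replies elsewhere.
SPOOFED_DOMAIN = """\
Return-Path: <bounce@example-mailer.test>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example-mailer.test;
 dkim=none; dmarc=fail header.from=example.com
From: "Dana Reyes, CFO" <dana.reyes@example.com>
Reply-To: dana.reyes.cfo@mail-example.test
To: accounts.payable@example.com
Subject: Urgent supplier payment before 5pm

Need the attached invoice paid today. On a flight, can't take calls.
"""

# Constructed sample 2: lookalike domain. Everything authenticates because the
# attacker controls examp1e.com; only the display name is borrowed.
LOOKALIKE = """\
Return-Path: <dana.reyes@examp1e.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com;
 dkim=pass header.d=examp1e.com; dmarc=pass header.from=examp1e.com
From: Dana Reyes <dana.reyes@examp1e.com>
To: accounts.payable@example.com
Subject: Quick favour

Can you confirm the bank details on file for Northwind before I send the new ones?
"""


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def parse_auth_results(value):
    """Pull spf/dkim/dmarc results out of an Authentication-Results header."""
    return {m.lower(): r.lower()
            for m, r in re.findall(r"\b(spf|dkim|dmarc)=([A-Za-z]+)", value or "")}


def edit_distance(a, b):
    """Levenshtein distance, used to spot single-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(raw_message):
    """Return the list of header-level findings for one message (empty = nothing found)."""
    msg = message_from_string(raw_message, policy=default)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    from_domain = domain_of(from_addr)
    findings = []

    # 1. Our own domain in From without a DMARC pass: the domain is being spoofed.
    if from_domain == ORG_DOMAIN and auth.get("dmarc") != "pass":
        findings.append("spoofed_internal_domain")
    # 2. A domain within two edits of ours: homoglyph or typo registration.
    if from_domain and from_domain != ORG_DOMAIN and edit_distance(from_domain, ORG_DOMAIN) <= 2:
        findings.append("lookalike_domain")
    # 3. Replies are steered to a different domain than the one shown to the reader.
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append("reply_to_domain_mismatch")
    # 4. Envelope sender from a third domain that is neither From nor ours.
    if return_path and domain_of(return_path) not in (from_domain, ORG_DOMAIN):
        findings.append("return_path_domain_mismatch")
    # 5. A known executive's name on an address that is not theirs.
    norm = re.sub(r"[^a-z ]", " ", name.lower())
    for exec_name, real_addr in EXECUTIVES.items():
        if exec_name in norm and from_addr.lower() != real_addr:
            findings.append("executive_name_on_foreign_address")
    # 6. The pressure language the page describes, as a low-weight signal.
    body = msg.get_content() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    if any(k in text for k in URGENCY):
        findings.append("urgency_language")
    return findings


if __name__ == "__main__":
    print("spoofed domain:", triage(SPOOFED_DOMAIN))
    print("lookalike domain:", triage(LOOKALIKE))
```

Note that the lookalike message produces no authentication finding at all; SPF, DKIM and DMARC all pass because they only ever attest to the domain the attacker actually sent from. That is why the review also has to compare display names and domains against a directory, not just read the authentication verdict.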

How should training respond after a BEC incident?

Within 48 hours of containment, and with specificity. Not a generic fraud awareness module. A targeted session for finance, procurement, and anyone with payment authority that walks through exactly what happened at the organisation, what the warning signs were, and what the correct escalation path looks like.

LimitedView's data from 650,000 employees shows that this incident-triggered approach produces 73% knowledge retention at 90 days. Annual training at the same interval produces 12%. The content is not the differentiating variable. The timing and the relevance to something the employee knows actually happened are.

The other change that matters is procedural. Most BEC attacks succeed because a single email can authorise a payment. Dual authorisation requirements, out-of-band verification for payments above a threshold, and a confirmed callback process for new or changed supplier bank details address the structural vulnerability. The callback has to go to a number already on file, never to one supplied in the request itself, or the attacker simply answers the phone. Training cannot substitute for process controls. It can, however, determine whether those controls get followed when it matters.
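Those three controls are straightforward to encode as a release check in a payment workflow, and doing so removes the "single email authorises a payment" path entirely. The following is an added example, not LimitedView's code: the threshold, the supplier master record and the three payment requests are constructed assumptions. It shows the attack scenario from the page being blocked, the same payment released once the controls are followed, and a small self-approved payment being refused.

```python
"""Payment release checks for the three process controls. Added example, not
LimitedView's code; threshold, supplier record and requests are assumptions."""
from dataclasses import dataclass, field
from typing import List, Optional

DUAL_APPROVAL_THRESHOLD = 10_000  # assumption: amounts at or above this need two approvers


@dataclass(frozen=True)
class Supplier:
    name: str
    iban: str             # bank details on file, set at onboarding
    callback_number: str  # number on file; the only number ever used for verification


@dataclass
class PaymentRequest:
    supplier: str
    amount: float
    iban: str                          # bank details on the invoice or in the email
    requested_by: str                  # who keyed the payment
    approvals: List[str] = field(default_factory=list)
    callback_by: Optional[str] = None  # who phoned the number on file to confirm new details


# Constructed supplier master record.
SUPPLIERS = {
    "Northwind Traders": Supplier("Northwind Traders", "GB29NWBK60161331926819", "+44 20 7946 0000"),
}

# Scenario 1: the attack as described. An email "from the CFO" is treated as the
# approval, the invoice carries new bank details, and nobody phones the supplier.
BEC_REQUEST = PaymentRequest("Northwind Traders", 48_500, "DE89370400440532013000",
                             requested_by="ap.clerk", approvals=["dana.reyes"])

# Scenario 2: the same payment after the controls are followed: a second approver
# and a callback to the number on file made by someone other than the requester.
VERIFIED_REQUEST = PaymentRequest("Northwind Traders", 48_500, "DE89370400440532013000",
                                  requested_by="ap.clerk",
                                  approvals=["dana.reyes", "m.okafor"], callback_by="k.nguyen")

# Scenario 3: small amount, unchanged details, but the requester approves their own payment.
SELF_APPROVED = PaymentRequest("Northwind Traders", 2_000, "GB29NWBK60161331926819",
                               requested_by="ap.clerk", approvals=["ap.clerk"])


def release_blockers(req, suppliers=SUPPLIERS):
    """Return the reasons the payment must not go out; an empty list means release."""
    blockers = []
    sup = suppliers.get(req.supplier)
    if sup is None:
        blockers.append("supplier not in master record")
    elif req.iban != sup.iban:
        # Changed bank details are the classic BEC lever. Only a callback to the
        # number already on file counts; any number in the request is attacker-controlled.
        if not req.callback_by:
            blockers.append("bank details differ from record and no callback to number on file")
        elif req.callback_by == req.requested_by:
            blockers.append("callback must be performed by someone other than the requester")
    if req.requested_by in req.approvals:
        blockers.append("requester cannot approve their own payment")
    required = 2 if req.amount >= DUAL_APPROVAL_THRESHOLD else 1
    distinct = set(req.approvals) - {req.requested_by}
    if len(distinct) < required:
        blockers.append(f"needs {required} distinct approver(s), has {len(distinct)}")
    return blockers


if __name__ == "__main__":
    for label, req in (("BEC", BEC_REQUEST), ("verified", VERIFIED_REQUEST), ("self-approved", SELF_APPROVED)):
        print(f"{label}: {release_blockers(req) or 'RELEASE'}")
```

The point of the design is that the emailed instruction is never an input to the decision. Whether the CFO's message was genuine or not, the payment cannot leave until someone independent of the requester has confirmed the new details against a phone number the attacker did not supply, and a second person has approved the amount.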

Who inside an organisation carries the highest BEC exposure?

Finance, accounts payable, HR, and anyone with access to bank account records or payroll systems. New employees are overrepresented in BEC incidents. They are more likely to defer to apparent seniority, less likely to question an urgent executive request, and less familiar with the informal verification habits that longer-serving colleagues have built over time.

Organisations that map BEC exposure by role and tenure, and target training accordingly, see measurable reductions in incident rates. The method is not complicated: identify who holds payment authority or access to sensitive financial data, check when they last received relevant training, and close the gap before an attacker identifies it for you.

Attackers are patient. They will wait until the right person is in the right seat on the right day. The job of a security programme is to make sure that combination never works in their favour.
