Business email compromise (BEC) is one of the most financially damaging cyber threats facing small and mid-sized businesses today. It almost never triggers a spam filter. Unlike phishing emails loaded with suspicious links or attachments, BEC attacks are designed to look exactly like the legitimate communications your team receives every day. That's what makes them so dangerous and so difficult to catch before the damage is done.
For businesses in the Detroit metro area and across Southeast Michigan, understanding how these attacks work is the first step toward stopping them.
Business email compromise is a targeted attack in which a cybercriminal impersonates a trusted person, a company executive, a vendor, a colleague, or even the business owner, to manipulate an employee into taking a harmful action. That action is usually one of three things: wiring money to a fraudulent account, sharing sensitive credentials, or changing payment routing information.
The FBI has consistently ranked BEC among the top causes of corporate financial loss, with reported losses running into the billions annually. The actual number is almost certainly higher, since many incidents go unreported.
Most cyberattacks rely on malware, malicious links, or suspicious file attachments. BEC does none of that. The email typically contains no links, no attachments, and no code. It is plain text, and it reads like something your CEO or CFO would actually write.
Attackers spend time studying their targets. They review company websites, LinkedIn profiles, press releases, and social media to understand the organizational structure and internal communication style. By the time they send the email, they know who your executives are, how they communicate, and which employees have authority to move money or access accounts.
Spam filters and antivirus tools are built to catch technical threats. BEC sidesteps that entirely. There is nothing malicious to scan. The email looks clean because, from a technical standpoint, it often is clean.
The attack exploits human psychology: specifically, the tendency to follow instructions from authority figures, especially when those instructions convey a sense of urgency. "I need you to process this wire transfer before end of day" is a message that gets acted on before it gets questioned.
Some BEC attacks use email spoofing techniques that make the sender's address appear legitimate. Others register lookalike domains, swapping a letter, adding a hyphen, or using a different top-level domain. An email from "
In more advanced cases, the attacker has already gained access to a legitimate email account. When a message comes from a company address associated with an actual employee, there is no visual cue that anything is wrong.
Account takeover is a growing component of BEC. An attacker gains access to a real business email account—often through a phishing attack or credential stuffing—and then uses that account to conduct the BEC campaign. The emails come from a verified, trusted address. They pass authentication checks. They have a real email history.
For employees receiving those emails, there is no red flag. They are responding to their manager, their vendor, or their accountant. Except they are not.
BEC attackers are patient and strategic. They often send fraudulent requests during periods of high activity, like before a holiday, during a merger, at quarter-end, or when the executive being impersonated is known to be traveling. When an urgent request arrives while a senior leader is out of the office, the instinct to verify competes directly with the pressure to act quickly and avoid bothering a busy executive.
BEC attacks are not random. Attackers identify specific employees based on their roles and access. Finance team members who handle accounts payable, HR staff who manage payroll, and executive assistants who communicate directly with leadership are all high-value targets. Business owners at small and mid-sized companies are frequently impersonated because they have authority and are often less shielded by internal verification processes.
For Michigan businesses that work with out-of-state vendors or clients, wire transfers are routine, which makes fraudulent wire requests seem less unusual than they should be.
Technical controls matter. Email authentication protocols like DMARC, DKIM, and SPF make it harder for attackers to spoof your domain. Multi-factor authentication on email accounts reduces the risk of account takeover. Advanced email filtering tools that analyze sender behavior, not just content, can flag anomalies before they reach an inbox.
That said, technology alone is not enough. BEC is fundamentally a social engineering attack, which means the human layer has to be hardened, too. Employees need to know what BEC looks like and understand that verifying a wire request by phone is not an insult to the requestor, it is standard procedure.
The businesses in Southeast Michigan that avoid BEC losses are the ones that have both in place: the right technical safeguards and a culture where verification is expected, not questioned.
XFER works with businesses across Livonia, Detroit, and Southeast Michigan to assess email security gaps, implement authentication protocols, and train employees on how to recognize and respond to social engineering attempts. If your current email environment has not been evaluated for BEC risk, it is worth having that conversation.
Learn more about XFER's email security services or contact us directly to schedule a consultation.
About the author
Our cybersecurity risk assessment will reveal hidden problems, security vulnerabilities, and other issues lurking on your network.
Learn more about what XFER can do for your business.
XFER Communications, Inc.
31478 Industrial Road Suite 200
Livonia, Michigan 48150