
How to stop business email compromise: a small business playbook


Business email compromise is not flashy. There is no malware, no locked screen, no ransom note. There is just an email asking someone to move money, and money that quietly moves. It is the costliest single fraud hitting Canadian small businesses, and it is almost entirely preventable.

This is the defensive playbook: what the scam is, why small businesses get hit hardest, the controls that actually stop it, and what to do in the first hour if a payment has already gone out.

What business email compromise actually is

Business email compromise, or BEC, is a scam that uses a trusted email account, real or faked, to trick someone into sending a payment or changing where a payment goes. The attacker does not break your firewall. They exploit your process and your trust. The common variants all look mundane on purpose:

  • The CEO request. A message that appears to come from the owner or a director asks an employee to urgently pay an invoice or buy gift cards, usually while the "boss" is conveniently unreachable.
  • The supplier swap. A real or spoofed supplier emails to say their banking details have changed, so the next invoice you pay lands in the attacker's account.
  • The payroll diversion. A message posing as an employee asks HR or payroll to update their direct-deposit details to a new account.
  • The compromised mailbox. The attacker has actually logged into a real account, reads the email history, and inserts themselves into a genuine payment thread at exactly the right moment.

Why small businesses get hit hardest

The dollars are not small. In Canada, the Anti-Fraud Centre logged a record $704 million in reported fraud in 2025, with more than $40 million of that tied to spear phishing, the category it files BEC under. The CAFC estimates that only 5 to 10 percent of fraud is ever reported, so the real total is far higher. In the United States, the FBI's Internet Crime Complaint Center tied about US$2.8 billion of 2024 losses to BEC, roughly 17 percent of all reported cybercrime losses that year and one of the costliest categories by dollars lost.

Small businesses are squarely in the crosshairs because they rarely have the controls larger firms do: one person often requests and approves payments, there is no formal process to change vendor banking details, and staff are inclined to act fast on a message that looks like it came from the boss. Newer AI tools make the impersonation sharper still, cleaning up the grammar and even cloning a voice, as we covered in our note on AI deepfake fraud. The scam works on people and process, which is exactly why technology alone will not fix it.

The controls that stop it

You do not need an enterprise budget to shut down most BEC. You need a handful of habits and settings, in roughly this order of impact:

  • Verify every payment or banking change out of band. This is the single most effective control. Before you send a payment to a new account, or change existing details, confirm it by calling a known phone number, one you already have, not a number from the email. Never act on the email alone. A 60-second phone call defeats almost every version of this scam.
  • Put phishing-resistant MFA on email. Most BEC starts with a hijacked mailbox. Multi-factor authentication blocks most account takeovers, but the form matters: text-message codes and push prompts can be relayed through a phishing page in real time, while passkeys and hardware security keys are bound to the genuine login site and cannot be replayed elsewhere. Turn it on for every mailbox, not just the owner's, and for the admin account that manages your email tenant.
  • Harden your email domain with SPF, DKIM, and DMARC. These DNS records let receiving mail servers reject messages that forge your exact domain, which protects your staff, customers, and suppliers from mail that claims to be you. Two caveats: DMARC only blocks anything once its policy is quarantine or reject rather than the monitoring-only p=none, and none of these records stop a lookalike domain or a genuinely compromised mailbox, which is why the call-back above still matters. You can check where you stand in minutes with our free Email Security Checker, and build the records with our SPF & DMARC Generator.
  • Build simple payment controls. Require a second person to approve payments over a set amount, and make changing a vendor's banking details a defined step that always includes a call-back. Separating who requests a payment from who approves it removes the single point of failure.
  • Train the team on this specific scam. People should know the pattern and feel safe pausing to verify, even when the request looks like it is from the owner. A short, regular session works better than an annual slideshow; see our guide to phishing training for small teams.
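The SPF and DMARC settings that leave a domain spoofable are few and easy to check mechanically. The script below is an added example, not the page's own Email Security Checker: it grades the two TXT records for the weak qualifiers and policies described above. The records and domains in it are constructed placeholders; in practice you would paste in the TXT record at your domain and at `_dmarc.` followed by your domain (for instance from `dig +short TXT _dmarc.example.com`).

```python
"""Grade SPF and DMARC TXT records for the settings that leave a domain spoofable.

Added example, not the page's own checker. The records below are constructed and the
domains are placeholders; in practice you would read the TXT record at your domain
and at _dmarc.<your domain> from DNS and pass the strings in.
"""
import re

# SPF mechanisms that cost a DNS lookup (RFC 7208 allows at most 10 in total).
LOOKUP_RE = re.compile(r"^[+\-~?]?(include:|redirect=|exists:|ptr|a(?:[:/]|$)|mx(?:[:/]|$))", re.I)


def grade_spf(record: str) -> list[str]:
    """Return findings for an SPF record; an empty list means nothing to fix."""
    findings = []
    if not record.lower().startswith("v=spf1"):
        return ["no SPF record (missing v=spf1): receivers cannot tell forged senders apart"]
    terms = record.split()[1:]
    # The qualifier on 'all' decides what happens to senders the record does not list.
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders are neither passed nor failed")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("'+all' authorises every host on the internet to send as you")
        elif qualifier == "?":
            findings.append("'?all' is neutral: forged mail is neither passed nor failed")
        elif qualifier == "~":
            findings.append("'~all' is a softfail; '-all' is the strict setting")
    lookups = sum(1 for t in terms if LOOKUP_RE.match(t))
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceeds the limit of 10, so the record permerrors")
    return findings


def grade_dmarc(record: str) -> list[str]:
    """Return findings for a DMARC record; an empty list means nothing to fix."""
    findings = []
    if not record.lower().startswith("v=dmarc1"):
        return ["no DMARC record: receivers apply no policy when SPF or DKIM fails"]
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors; forged mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"missing or invalid policy 'p={policy}'")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    if tags.get("sp", "").lower() == "none":
        findings.append("sp=none leaves every subdomain spoofable")
    if "rua" not in tags:
        findings.append("no rua= address: you will receive no aggregate reports")
    return findings


# Constructed records: a typical weak pair next to a hardened pair.
WEAK_SPF = "v=spf1 include:_spf.mailer.example ~all"
STRONG_SPF = "v=spf1 include:_spf.mailer.example -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)):
        print(label, "SPF:", grade_spf(spf) or "ok")
        print(label, "DMARC:", grade_dmarc(dmarc) or "ok")
```

The weak pair is what most small-business domains look like the first time anyone checks: a softfail SPF and a monitoring-only DMARC, which together reject nothing. Move to p=quarantine once the aggregate reports show your legitimate senders all pass, then to p=reject.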

The warning signs to teach everyone

Most BEC messages carry the same tells. Anyone who touches money should be able to spot them:

  • Urgency and pressure to act before you can think or check.
  • Secrecy, such as "don't call me, I'm in a meeting" or "keep this confidential for now."
  • A new or changed bank account, especially at the last minute on an invoice you were already expecting.
  • A reply-to address or domain that is slightly off: a letter swapped, a digit standing in for a letter, an extra word added, or a display name you recognise sitting on top of an address you do not.
  • A break from the normal process, a request that skips the usual approvals.
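Two of those tells, the mismatched reply-to and the slightly-off domain, can be checked by a script before a human ever reads the message. The following is an added example, not tooling from the page: it parses a raw message's headers with the standard library, compares the Reply-To domain with the From domain, and tests the From domain against a list of domains you trust for a swapped letter, a confusable character, or an extra word bolted on. The sample message, the trusted list, and the example.com and .test domains are constructed placeholders.

```python
"""Flag two sender tells of a BEC message: a Reply-To that points somewhere other
than the From address, and a From domain that is a lookalike of a domain you trust
(a swapped letter, a digit standing in for a letter, an extra word bolted on).

Added example, not the page's own tooling. Standard library only. The message and
the trusted-domain list are constructed; example.com and the .test domains are
placeholders.
"""
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

# Character sequences attackers swap because they look alike in common fonts.
CONFUSABLES = {"rn": "m", "vv": "w", "1": "l", "0": "o"}


def normalize(label: str) -> str:
    """Fold confusable sequences so 'exarnple' and 'examp1e' compare equal to 'example'."""
    label = label.lower()
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance: how many single-character changes turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Last two labels of a domain. Crude (no public-suffix list), enough for a demo."""
    return ".".join(domain.lower().rsplit(".", 2)[-2:])


def lookalike(domain: str, trusted: list[str]) -> Optional[str]:
    """Reason why `domain` imitates a trusted domain, or None if it is trusted or unrelated."""
    dom = registrable(domain)
    if dom in trusted:
        return None
    name = dom.split(".")[0]
    for t in trusted:
        tname = t.split(".")[0]
        if name == tname:
            return f"{dom} reuses the trusted name {t} under a different top-level domain"
        if normalize(name) == normalize(tname):
            return f"{dom} uses confusable characters to imitate {t}"
        if levenshtein(name, tname) <= 2:
            return f"{dom} is within two edits of {t}"
        if tname in name:
            return f"{dom} wraps the trusted name {t} with extra text"
    return None


def check_message(raw: str, trusted: list[str]) -> list[str]:
    """Findings for one raw RFC 5322 message (only the headers are needed)."""
    msg = message_from_string(raw)
    findings = []
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2]
    reply_domain = reply_addr.rpartition("@")[2]
    # Replies silently routed to another domain is the classic forged-From setup.
    if reply_addr and registrable(reply_domain) != registrable(from_domain):
        findings.append(f"Reply-To {reply_addr} does not match From domain {from_domain}")
    reason = lookalike(from_domain, trusted)
    if reason:
        findings.append(reason)
    return findings


TRUSTED = ["example.com", "supplier.test"]

# Constructed message with both tells present.
SAMPLE = """\
From: "Dana Lee" <dana.lee@examp1e.com>
Reply-To: dana.lee.exec@mailbox.test
Subject: Urgent supplier payment before 3pm

Stuck in a meeting, please wire the attached invoice today and don't call.
"""

if __name__ == "__main__":
    for finding in check_message(SAMPLE, TRUSTED):
        print("!", finding)
```

The trusted list is the point: keep your own domain and every supplier you pay in it, and anything within a couple of edits of those names that is not an exact match gets held for the out-of-band call rather than delivered to whoever pays invoices.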

If it has already happened

Speed matters more than anything in the first hour, because a wire or transfer can sometimes be recalled if you move fast:

  • Call your bank immediately and ask them to attempt a recall of the payment. The sooner you call, the better the odds.
  • Report it to the Canadian Anti-Fraud Centre and your local police. Reporting also helps the recovery of funds that are still in transit.
  • Lock down the mailbox. If an account was compromised, reset the password, sign out all sessions, turn on MFA, revoke any app passwords or third-party app access the attacker may have granted, and check for inbox rules or mailbox forwarding the attacker may have added to hide their replies.
  • Preserve the evidence and figure out what happened, then close the gap. If personal information was exposed, our guide to data breach notification walks through your obligations.
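The inbox rules an attacker leaves behind follow a small number of patterns: forward or redirect mail to an outside address, delete or bury anything mentioning invoices or payments, and give the rule a blank or punctuation-only name so it is overlooked. The script below is an added example, not tooling from the page, that triages an exported rule list for exactly those patterns. The rule records are constructed; their field names loosely follow the properties Exchange Online's Get-InboxRule cmdlet returns, but that mapping and the company domain example.com are assumptions for illustration.

```python
"""Triage a mailbox's inbox rules for the patterns an attacker leaves behind after
taking the account over: forwarding company mail outside, deleting or burying
messages that mention payments, and hiding the rule under a blank or
punctuation-only name.

Added example, not the page's own tooling. The rule records are constructed; the
field names loosely follow the properties Exchange Online's Get-InboxRule cmdlet
exposes, but that mapping and the company domain example.com are assumptions.
"""
import re

COMPANY_DOMAIN = "example.com"
MONEY_WORDS = {"invoice", "payment", "wire", "bank", "remit", "transfer", "account"}
# Folders the mailbox owner almost never opens, so a moved message is as good as gone.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "junk email",
                  "deleted items", "conversation history"}


def external(addresses) -> list[str]:
    """Addresses whose domain is not the company's own."""
    return [a for a in (addresses or []) if a.rpartition("@")[2].lower() != COMPANY_DOMAIN]


def mentions_money(words) -> bool:
    """True if any condition word is about invoices, payments or banking."""
    return any(w.lower() in MONEY_WORDS for w in (words or []))


def triage_rule(rule: dict) -> list[str]:
    """Reasons one rule looks like attacker persistence (empty list = nothing seen)."""
    reasons = []
    if not rule.get("Enabled", True):
        return reasons  # a disabled rule cannot act; review those separately
    name = (rule.get("Name") or "").strip()
    if not re.search(r"[A-Za-z0-9]", name):
        reasons.append("name is blank or punctuation only, so it hides in the rule list")
    ext = (external(rule.get("ForwardTo")) + external(rule.get("RedirectTo"))
           + external(rule.get("ForwardAsAttachmentTo")))
    if ext:
        reasons.append("sends mail outside the company to " + ", ".join(ext))
    money = (mentions_money(rule.get("SubjectContainsWords"))
             or mentions_money(rule.get("BodyContainsWords")))
    if rule.get("DeleteMessage") and money:
        reasons.append("deletes messages about payments")
    folder = (rule.get("MoveToFolder") or "").lower()
    if money and folder in HIDING_FOLDERS:
        reasons.append(f"buries payment mail in '{rule.get('MoveToFolder')}'")
    if rule.get("MarkAsRead") and (money or ext):
        reasons.append("marks the messages read so the owner never sees them as new")
    return reasons


def triage(rules: list[dict]) -> list[tuple[int, str, list[str]]]:
    """(position, name, reasons) for every rule that raised at least one reason."""
    out = []
    for i, rule in enumerate(rules):
        reasons = triage_rule(rule)
        if reasons:
            out.append((i, (rule.get("Name") or "").strip(), reasons))
    return out


# Constructed rules: one benign, one hiding payment mail, one exfiltrating, one disabled.
SAMPLE_RULES = [
    {"Name": "Newsletters", "Enabled": True,
     "SubjectContainsWords": ["newsletter"], "MoveToFolder": "Reading"},
    {"Name": ".", "Enabled": True, "SubjectContainsWords": ["invoice", "payment"],
     "MoveToFolder": "RSS Subscriptions", "MarkAsRead": True},
    {"Name": "Backup", "Enabled": True, "ForwardTo": ["d.lee.backup@webmail.test"]},
    {"Name": "Old project", "Enabled": False, "DeleteMessage": True,
     "SubjectContainsWords": ["wire"]},
]

if __name__ == "__main__":
    for position, name, reasons in triage(SAMPLE_RULES):
        print(f"rule #{position} {name!r}: " + "; ".join(reasons))
```

Rules are only half of it: mailbox-level forwarding set outside the rules (in Exchange Online, the mailbox's ForwardingSmtpAddress) and any OAuth application the attacker consented to on the account's behalf survive a password reset, so check both in the same pass.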

Sources: Canadian Anti-Fraud Centre; FBI Internet Crime Complaint Center, 2024 Internet Crime Report.
