Business email compromise: warning signs in the message itself
Business email compromise is the polite name for a simple move: a criminal either takes over a real business mailbox or impersonates one closely, then asks someone to move money or data. The asks are mundane by design: an updated invoice, new bank details, a gift-card errand for the boss, an urgent confidential transfer. Year after year, this category produces some of the largest reported losses of any online crime, precisely because the messages contain nothing that looks suspicious.
The writing won't warn you. The message's own records often will.
What the records can show
Every email carries a technical history written by the mail servers that handled it, independent of what the sender typed. Three pieces matter most.
Authentication results record whether the message actually came from the domain it claims. Receiving servers check the message against the records the sending domain publishes under the standards called SPF, DKIM, and DMARC, and log a pass or fail for each. A message from your vendor's domain that fails those checks deserves a phone call, not a reply.
Sender alignment compares the address you see against the addresses doing the work underneath: where the message came from and where replies will go. The classic impostor move keeps the display name and visible address right while a reply-to field redirects answers to a lookalike domain, one letter off, or a free mailbox. You answer the real-looking address; the criminal receives it.
The delivery route lists every server the message passed through with timestamps. A message claiming to come from the company down the street that originated on the far side of the world, or from a consumer mail service, is telling you its real story.
Reading the signs without being an admin
None of this requires reading raw headers by hand. Save the message as a .eml file, the format mail apps use for a complete message with its records intact, and run it through a checker that reports the route, the alignment, and the authentication results in plain language. What you want is a clear statement of whether the message's claims and its records agree, with the evidence listed.
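As an added illustration, not part of this article or of DocVerdict's own code, the Python below pulls exactly those three records out of a .eml file with the standard library and reports where the message's claims and its records disagree. The message, domains (.invalid) and addresses are constructed sample data, not a real incident.

```python
import email
from email.utils import parseaddr

# Constructed sample (.invalid domains, documentation IPs): From claims the vendor, Reply-To is a lookalike, SPF/DMARC failed.
SAMPLE_EML = """\
Received: from mail.freemail.invalid (mail.freemail.invalid [203.0.113.5])
 by mx.buyer.invalid with ESMTPS; Tue, 01 Oct 2024 08:15:02 +0000
Received: from [192.0.2.10] by mail.freemail.invalid; Tue, 01 Oct 2024 08:14:58 +0000
Authentication-Results: mx.buyer.invalid; spf=fail (sender IP 203.0.113.5)
 smtp.mailfrom=freemail.invalid; dkim=none; dmarc=fail header.from=acme-corp.invalid
Return-Path: <bounce@freemail.invalid>
From: "Acme Accounts Payable" <ap@acme-corp.invalid>
Reply-To: <ap@acme-c0rp.invalid>
Subject: Updated bank details for invoice 4471

Please use the new account on the attached invoice for today's payment.
"""

def domain_of(header_value):
    """Lowercase domain of an address header; '' when the header is absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def auth_results(msg):
    """spf/dkim/dmarc verdicts from Authentication-Results (RFC 8601) headers."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for clause in hdr.split(";")[1:]:            # clause 0 is the authserv-id
            method, _, rest = clause.strip().partition("=")
            method = method.strip().lower()
            if method in ("spf", "dkim", "dmarc") and rest.split():
                verdicts[method] = rest.split()[0].lower()   # "fail (comment)" -> fail
    return verdicts

def alignment_findings(msg):
    """Flag Reply-To / Return-Path domains that differ from the visible From domain."""
    from_dom = domain_of(msg["From"])
    return [f"{h} domain {domain_of(msg[h])} differs from From domain {from_dom}"
            for h in ("Reply-To", "Return-Path")
            if domain_of(msg[h]) and domain_of(msg[h]) != from_dom]

def delivery_route(msg):
    """Received hops oldest-first; servers prepend, so stored order is newest-first."""
    return [" ".join(h.split()) for h in reversed(msg.get_all("Received", []))]

def check_eml(raw):
    """Summarise the three records described above for one .eml string."""
    msg = email.message_from_string(raw)
    auth = auth_results(msg)
    findings = [f"{m}={v}" for m, v in auth.items() if v != "pass"]
    return {"auth": auth, "findings": findings + alignment_findings(msg), "route": delivery_route(msg)}
```

For a real saved message, read the file and pass its text to `check_eml`; every non-empty entry in `findings` is a point to raise on the phone call rather than in a reply.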
Pair the technical read with the two process rules that defeat most BEC regardless of sophistication: money movements and credential requests get confirmed by voice at a known number, and changes to payment details are always treated as unverified, no matter how routine the thread feels.
The compromised-mailbox case
The hardest variant comes from a mailbox that genuinely was taken over: the records can look right because the criminal is sending from the real account. Even then, signs accumulate: replies redirected to an outside address, sending times inconsistent with the person, a delivery route touching unfamiliar infrastructure. And the voice-confirmation rule catches what the records cannot, which is why the routine uses both.
FAQ
What does BEC actually stand for, and is it the same as phishing?
Business email compromise. It overlaps with phishing but differs in precision: phishing blasts generic lures broadly, while BEC targets specific businesses and transactions, often from inside real threads, and asks for money rather than clicks.
If a message passes SPF, DKIM, and DMARC, is it safe?
Passing means the message genuinely came from the domain it claims, which rules out one large class of impostors. It cannot rule out a compromised real account or a registered lookalike domain with valid records of its own. Authentication results are strong evidence, weighed alongside alignment, route, and the voice check.
What should an employee do with a suspicious request?
Stop, keep the message, and verify by voice at a number from the directory rather than the email. Save the message as a .eml file so its records stay intact for review, and report it internally even if it turns out clean; patterns across attempts are how teams spot a campaign.
Check a suspicious message now
Save it as a .eml file and drop it on the email check. DocVerdict reads the delivery route, sender alignment, and authentication records and reports them in plain language. Free check, files never stored.