Business Email Compromise: What 2024–2025 BEC Incident Data Reveals About Your Inbox
Business email compromise is usually framed as a financial crime — wire fraud, invoice manipulation, CEO impersonation. That framing is accurate but dangerously incomplete. The most consequential pattern in 2024 and 2025 incident data is not direct theft from the breached organization. It is the silent re-use of a compromised small business inbox as trusted relay infrastructure — a staging ground from which threat actors defraud that company’s clients and vendors while the breached business has no idea it’s happening. Most small and mid-sized businesses are not structured to detect it.
- The Relay Pattern: What Attackers Are Actually Doing
- What 2024–2025 Incident Data Shows
- Why Small Business Accounts Are the Preferred Relay
- The Supply Chain Lens: A Different Risk Model
- Real-World Scenarios That Match the Pattern
- The Detection Gap Most Organizations Cannot Close Alone
- Defense Posture: What Actually Works
- What to Ask Your IT Firm Right Now
The Relay Pattern: What Attackers Are Actually Doing
The standard business email compromise story goes like this: attacker gets into an executive’s inbox, monitors conversations, and at the right moment substitutes fraudulent wire instructions. The breached company loses money directly. That model still exists — but it is one tier of a more sophisticated operation.
In the relay pattern, the breached inbox is not the target. It is the weapon. After gaining access, the threat actor does not immediately execute financial fraud against the breached company. Instead, they spend days or weeks in passive reconnaissance: reading email threads, mapping vendor relationships, identifying clients awaiting invoices, learning the company’s communication cadence, tone, and typical transaction sizes.
Once that intelligence is gathered, the compromised account sends highly credible fraudulent communications outward — to the victim company’s trusted contacts. Because those messages originate from a legitimate, established email domain with a real sending history, they clear spam filters, pass basic authentication checks, and carry the social weight of an existing business relationship. The breached small business becomes an unwitting participant in fraud against its own network.
What 2024–2025 Incident Data Shows About Business Email Compromise

The FBI’s Internet Crime Complaint Center (IC3) 2024 Internet Crime Report recorded adjusted losses from business email compromise exceeding $2.77 billion — the single highest-loss category for the fourth consecutive year. That figure almost certainly understates the problem. It captures only reported incidents, and the relay pattern described here is particularly likely to go unreported by the breached company, which may never know its account was misused at all.
CISA’s 2024 advisory activity documented a persistent pattern of threat actors targeting small professional services firms — accounting, legal, consulting, logistics — specifically because of their position as trusted intermediaries within larger supply chains. The advisory library published by CISA includes multiple joint advisories with the FBI describing this lateral trust exploitation in explicit terms.
Microsoft’s 2024 Digital Defense Report found that attackers dwell in compromised email environments for an average of 72 hours before taking any visible action — and in some observed campaigns, passive access lasted weeks. That dwell time is not idle. It is intelligence-gathering that makes downstream relay fraud nearly indistinguishable from legitimate correspondence.
Secureworks and Mandiant incident response data published in late 2024 separately documented clusters of business email compromise cases where the initially breached organization suffered no direct financial loss — and in several cases only discovered the compromise when a downstream victim traced fraudulent wire instructions back to their legitimate vendor’s email address.
Why Small Business Accounts Are the Preferred Relay
Large enterprise email environments are increasingly hardened. Behavioral detection, conditional access policies, anomalous sign-in alerting, and dedicated security operations make enterprise inboxes harder to abuse silently over extended periods. Small businesses typically have none of these controls at comparable depth.
More importantly, small business email carries a trust premium that attackers understand well. A mid-sized manufacturer receiving an “updated ACH information” email from their 12-person accounting firm of 15 years is far less likely to apply skepticism than if the same message arrived from an unfamiliar sender. The established relationship is the attack surface.
Several structural factors make small business accounts attractive relay nodes for business email compromise operations:
- Email authentication standards (SPF, DKIM, DMARC) are inconsistently implemented — many small business domains pass basic authentication without policies strict enough to prevent spoofing or flag anomalous sending behavior.
- Mailbox access logging is rarely reviewed, meaning a threat actor operating within normal business hours can read and send email without triggering any alert.
- Multi-factor authentication adoption among small businesses remains below 40% for email accounts according to Microsoft’s 2024 Security Signals research, making initial account takeover substantially easier.
- Small businesses rarely conduct email forensics after a suspected incident — the absence of investigation means relay activity frequently goes undiscovered indefinitely.
The Supply Chain Lens: A Different Risk Model
The conventional risk model for business email compromise asks: “How do we prevent attackers from stealing from us directly?” The supply chain lens asks a harder question: “If our email environment were compromised today, what damage could be done to the organizations that trust us — and would we even know?”
This reframing exposes a category of liability most small businesses have not considered. When a threat actor uses your compromised email account to defraud your client of $200,000, the reputational and legal consequences for your business can be severe even if you were the victim, not the perpetrator. Clients who lose money through fraud originating from your domain will ask — reasonably — what security practices you had in place.
In professional services, this exposure is acute. An accounting firm whose email account redirects a client’s tax payment. A staffing agency whose compromised inbox substitutes payroll account details. A logistics broker whose trusted vendor relationship is used to redirect a freight payment. In each scenario the breached business faces client loss, potential litigation, and reputational damage that dwarfs any direct financial loss they might have suffered themselves.
This is supply chain risk in the most practical sense — and it lives entirely inside the email layer.
Real-World Scenarios That Match the Business Email Compromise Pattern
The following scenarios are composites drawn from publicly documented incident types and industry incident response reports. They show how the relay pattern manifests across different small business contexts:
- A seven-person professional consulting firm’s email is compromised via a phished credential. The attacker spends 11 days reading threads before sending a client a revised invoice with updated wire instructions. The client pays. The consulting firm only discovers the compromise when the client calls asking about the overdue invoice — weeks later.
- A small commercial real estate brokerage has its principal’s inbox silently accessed. The attacker monitors a pending lease transaction, then sends updated escrow wiring instructions to the tenant’s attorney at the precise moment the real transaction closes. The attorney’s firm wires six figures to the attacker’s account. The brokerage is never directly defrauded.
- A regional distributor’s accounts payable email is compromised. The attacker uses it to contact several of the distributor’s own vendors, requesting updated banking details “for our new payment system.” Three vendors update their records. The distributor unknowingly pays the attacker instead of its vendors for two full billing cycles before the discrepancy surfaces.
- A nonprofit’s executive director email is accessed. The attacker uses it to contact a major foundation grant contact, requesting that a forthcoming grant disbursement be redirected to a “new operational account.” The foundation, trusting the relationship, processes the redirect.
The Detection Gap Most Organizations Cannot Close Alone
The core problem with the relay pattern is that it exploits the same signals that make email useful: trust, relationship history, and familiar communication patterns. Standard spam filtering is useless against messages originating from a legitimately compromised account with a clean sending history. Standard user training is insufficient when the message arrives from a real contact’s real address.
Detection requires looking at behavioral signals that most small business email environments never instrument:
- Sign-in events from unfamiliar IP ranges, networks, or geographies — especially access from residential proxy services or anonymizing infrastructure that mimics legitimate user locations.
- Inbox rule creation events, particularly rules that forward copies of incoming email to external addresses or automatically delete messages matching specific keywords (a classic attacker housekeeping behavior).
- Sending volume anomalies or unusual recipient patterns that deviate from historical norms for a given account.
- Mail client or device identifiers that do not match the account holder’s known equipment.
- Access during hours inconsistent with the user’s typical work patterns.
None of these signals are visible without tooling that surfaces them, and none are actionable without someone reviewing them. This is where the gap between “we have Microsoft 365” and “we have a managed email security posture” becomes consequential. Owning the platform is not the same as operating it with security discipline.
For organizations that want to understand where their email environment stands against these specific business email compromise risks, our cybersecurity practice works through exactly these instrumentation and monitoring questions. You can also review our broader managed IT services to understand how ongoing monitoring closes the gap between platform ownership and genuine security posture.
Defense Posture: What Actually Works Against Business Email Compromise
The defense posture for this threat pattern is not exotic. It is disciplined execution of controls that are well understood but inconsistently deployed at the small business level.
Multi-factor authentication on every email account, without exception. A compromised password without a second factor is a fully open door. Authenticator app-based multi-factor authentication — not SMS, which is phishable — eliminates the vast majority of credential-based account takeover attempts that initiate business email compromise. Microsoft’s own data shows it blocks more than 99% of automated credential attacks.
DMARC enforcement at the reject policy level. Most small business email domains have SPF and DKIM records but leave DMARC at the monitoring-only policy (“p=none”). That configuration generates reports but blocks nothing. Moving to “p=reject” closes the primary spoofing vector. This is a configuration change, not a purchase — but it requires someone to own the change and monitor the transition carefully to avoid disrupting legitimate mail flows.
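The difference between a monitoring-only record and an enforcing one is visible in the DNS TXT record itself, which makes it something you can audit across every domain you own, including the legacy and subsidiary domains the checklist later asks about. The following Python is an added example written for this post, not code from the firm or from any DMARC tool; it parses DMARC and SPF records offline and reports the gaps (the record values, domain names and mail ranges are constructed, and the "enforcing" definition used here, p and sp set to quarantine or reject with pct=100, is this example's own working rule rather than anything the post states).

```python
import re
from dataclasses import dataclass, field

ENFORCING = {"quarantine", "reject"}


@dataclass
class DmarcAssessment:
    policy: str
    subdomain_policy: str
    pct: int
    enforcing: bool
    findings: list = field(default_factory=list)


def parse_tags(record: str) -> dict:
    """Split a 'tag=value; tag=value' TXT record into a lowercase-keyed dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> DmarcAssessment:
    """Classify a DMARC record: p=none generates reports but blocks nothing."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return DmarcAssessment("", "", 0, False, ["no valid DMARC record (missing v=DMARC1)"])
    policy = tags.get("p", "none").lower()
    sp = tags.get("sp", policy).lower()          # subdomain policy defaults to p
    pct = int(tags["pct"]) if tags.get("pct", "").isdigit() else 100
    findings = []
    if policy not in ENFORCING:
        findings.append(f"p={policy}: monitoring only, spoofed mail is still delivered")
    if sp not in ENFORCING:
        findings.append(f"sp={sp}: subdomains can still be spoofed")
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: nobody receives aggregate reports")
    enforcing = policy in ENFORCING and sp in ENFORCING and pct == 100
    return DmarcAssessment(policy, sp, pct, enforcing, findings)


def assess_spf(record: str) -> list:
    """SPF: the trailing 'all' qualifier decides what happens to unlisted senders."""
    if not record.lower().startswith("v=spf1"):
        return ["no valid SPF record"]
    m = re.search(r"(?:^|\s)([+\-~?]?)all\s*$", record)
    if not m:
        return ["no terminating 'all' mechanism: unlisted senders are not rejected"]
    q = m.group(1) or "+"
    return {"-": [], "~": ["~all: softfail only, relies on receiver heuristics"]}.get(
        q, [f"{q}all: unlisted senders are not failed"])


def audit_domains(dns_txt: dict) -> dict:
    """dns_txt maps domain -> {'dmarc': record, 'spf': record}; returns gaps per domain."""
    report = {}
    for domain, recs in dns_txt.items():
        gaps = list(assess_dmarc(recs.get("dmarc", "")).findings) + assess_spf(recs.get("spf", ""))
        if gaps:
            report[domain] = gaps
    return report


# Constructed records for a fictional firm: the primary domain was hardened, the
# legacy domain still carries the monitoring-only policy and a soft SPF, and the
# subsidiary domain enforces p=reject but leaves subdomains and half its mail open.
SAMPLE_DNS = {
    "example.com": {
        "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com; adkim=s; aspf=s",
        "spf": "v=spf1 include:_spf.example.net ip4:203.0.113.0/24 -all",
    },
    "legacy-example.net": {
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
        "spf": "v=spf1 include:_spf.example.net ~all",
    },
    "subsidiary.example": {
        "dmarc": "v=DMARC1; p=reject; sp=none; pct=50",
        "spf": "v=spf1 a mx",
    },
}

if __name__ == "__main__":
    for domain, gaps in audit_domains(SAMPLE_DNS).items():
        print(domain)
        for gap in gaps:
            print("  -", gap)
```

To run this against real domains, feed `audit_domains` the TXT records fetched from `_dmarc.<domain>` and `<domain>` with whatever DNS client you already use; the parsing and classification stay the same. The pct and sp checks matter in practice because a domain can show p=reject and still leave a subdomain or a percentage of failing mail unprotected.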
Mailbox audit logging enabled and retained. Microsoft 365 does not enable full mailbox audit logging by default for all license tiers. Without it, there is no forensic record of who accessed an inbox, when, from where, and what they did. Enabling and retaining this logging is a prerequisite for any meaningful incident investigation.
Inbox rule monitoring. Automated alerting on new inbox rule creation — particularly rules that involve forwarding or deletion — catches a specific attacker behavior that appears in a large proportion of documented business email compromise cases. It is a low-noise, high-signal alert.
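The behavioural signals listed in the detection section (unfamiliar networks, off-hours access, forwarding or deleting inbox rules, send-volume spikes) only become alerts when something is actually reading the audit records and comparing them to a baseline. The Python below is an added example written for this post, not the firm's tooling or any Microsoft product code. Its event shape is loosely modelled on Unified Audit Log records (Operation, UserId, ClientIP, CreationTime, Parameters), but every event, trusted network range, working-hours window, send baseline and folder name in it is constructed, and the thresholds (3x the typical daily send count, a fixed UTC hours window) are this example's own choices.

```python
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed per-user baseline: trusted networks, working hours (UTC, start-end)
# and a typical daily send count. A real deployment derives these from history.
BASELINE = {
    "ap@example.com": {
        "networks": ["203.0.113.0/24", "198.51.100.0/24"],
        "hours": (7, 19),
        "daily_sends": 25,
    },
}

FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
FILTER_PARAMS = {"SubjectContainsWords", "BodyContainsWords", "From"}
HIDE_FOLDERS = {"deleted items", "rss subscriptions", "junk email", "archive"}  # constructed list


def params(event):
    """Flatten the Name/Value parameter list of a rule event into a dict."""
    return {p["Name"]: str(p["Value"]) for p in event.get("Parameters", [])}


def check_inbox_rule(event):
    """Flag rules that forward mail off-domain or that delete/hide incoming mail."""
    if event["Operation"] not in ("New-InboxRule", "Set-InboxRule"):
        return []
    p = params(event)
    own_domain = event["UserId"].rsplit("@", 1)[-1].lower()
    findings = []
    for key in FORWARD_PARAMS & p.keys():
        for addr in p[key].split(","):
            if addr.strip().rsplit("@", 1)[-1].lower() != own_domain:
                findings.append(("external_forward_rule", f"{key}={addr.strip()}"))
    hides = p.get("DeleteMessage", "").lower() == "true" or \
        p.get("MoveToFolder", "").lower() in HIDE_FOLDERS
    if hides:
        filters = ";".join(f"{k}={p[k]}" for k in sorted(FILTER_PARAMS & p.keys())) or "(all mail)"
        findings.append(("hide_delete_rule", filters))
    return findings


def check_signin(event, baseline):
    """Flag sign-ins from outside the trusted ranges or outside working hours."""
    if event["Operation"] != "UserLoggedIn":
        return []
    findings = []
    ip = ip_address(event["ClientIP"])
    if not any(ip in ip_network(n) for n in baseline["networks"]):
        findings.append(("unfamiliar_network", event["ClientIP"]))
    hour = datetime.fromisoformat(event["CreationTime"]).hour
    start, end = baseline["hours"]
    if not start <= hour < end:
        findings.append(("off_hours", event["CreationTime"]))
    return findings


def check_send_volume(events, baseline):
    """Compare per-day send counts with the user's typical volume (3x threshold)."""
    per_day = Counter(e["CreationTime"][:10] for e in events if e["Operation"] == "Send")
    return [("send_volume", f"{day}: {n} sends vs ~{baseline['daily_sends']}")
            for day, n in sorted(per_day.items()) if n > 3 * baseline["daily_sends"]]


def analyze(events):
    """Return (user, kind, detail) tuples for every suspicious signal found."""
    out = []
    for user, baseline in BASELINE.items():
        mine = [e for e in events if e["UserId"] == user]
        for e in mine:
            out += [(user, k, d) for k, d in check_inbox_rule(e) + check_signin(e, baseline)]
        out += [(user, k, d) for k, d in check_send_volume(mine, baseline)]
    return out


def ev(op, when, ip="203.0.113.5", user="ap@example.com", **parameters):
    """Build one constructed audit event in the shape the checks expect."""
    return {"Operation": op, "UserId": user, "ClientIP": ip, "CreationTime": when,
            "Parameters": [{"Name": k, "Value": v} for k, v in parameters.items()]}


# Constructed sample: a normal morning sign-in, a 03:40 sign-in from an address
# outside the trusted ranges, two attacker-style rules, one benign rule, and a
# burst of 90 sends the following day against a baseline of about 25.
SAMPLE_EVENTS = [
    ev("UserLoggedIn", "2025-03-03T09:12:00"),
    ev("UserLoggedIn", "2025-03-03T03:40:00", ip="185.220.101.4"),
    ev("New-InboxRule", "2025-03-03T03:42:00", ip="185.220.101.4",
       Name="sync", ForwardTo="collector@example.net", DeleteMessage=True),
    ev("New-InboxRule", "2025-03-03T03:43:00", ip="185.220.101.4",
       Name="cleanup", SubjectContainsWords="invoice,wire,payment",
       MoveToFolder="RSS Subscriptions"),
    ev("Set-InboxRule", "2025-03-03T10:05:00", Name="news",
       From="news@vendor.example", MoveToFolder="Newsletters"),
] + [ev("Send", f"2025-03-04T10:{i % 60:02d}:00") for i in range(90)]

if __name__ == "__main__":
    for user, kind, detail in analyze(SAMPLE_EVENTS):
        print(f"{user}\t{kind}\t{detail}")
```

The rule check is deliberately narrow: a rule that files newsletters into a named folder produces nothing, while a rule that forwards off-domain or routes matching mail into a folder nobody reads produces one line per behaviour. That is what makes inbox rule alerting low-noise in practice, and the same structure extends to delegated-access and connected-application events once those are being logged.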
Out-of-band verification for financial instruction changes. No change to wire instructions, ACH details, or banking information should ever be processed based solely on an email request — regardless of how trusted the sender appears. A brief phone call to a known number (not one provided in the email itself) eliminates the financial execution layer of this attack entirely.
Periodic access reviews. Reviewing which devices, applications, and delegated accounts have active access to email environments surfaces unauthorized persistent access that may have survived a password change. The CISA advisory library provides current guidance on access review practices recommended for small and mid-sized organizations.
What to Ask Your IT Firm Right Now
If your organization uses email as a primary channel for financial or operational coordination with clients and vendors, your IT firm should be able to answer these questions without hesitation:
- Is DMARC enforcement set to “p=reject” or “p=quarantine” on every email domain we own, including any legacy or subsidiary domains?
- Is mailbox audit logging enabled and retained for all accounts, and for how long?
- Do we have alerting on inbox rule creation events, and who reviews those alerts?
- What does our sign-in anomaly detection look like, and when was the last time it surfaced an alert that was investigated?
- Have we ever reviewed our email environment for signs of historical silent access — forwarding rules we did not create, delegated access grants we do not recognize, connected applications we did not authorize?
- Do we have a documented process for employees to follow when they receive a request to change financial instructions from a known vendor or client?
If any of those questions produce a long pause, an “I think so,” or a “we’d have to check,” that is a signal worth acting on. The relay pattern described in this post is specifically designed to be invisible until the damage is done. The window to find it is before the event, not after.
Business email compromise has matured beyond simple phishing and wire fraud. It now operates as a supply chain exploitation model, using trusted small business identities as disposable infrastructure. Organizations that treat email security as a one-time configuration task will continue to serve — unknowingly — as the attacker’s most credible asset.
If you want a direct conversation about where your email environment stands, Book a Free Cybersecurity Strategy Call. It’s 20 minutes with our team — no pressure, no obligation.
Get a Second Opinion
Sometimes the best thing you can do for your business is have someone outside your current vendor relationship take a fresh look. That’s what a strategy call gives you — 20 focused minutes with our team and a no-strings-attached read on what we’d recommend.