Business Email Compromise: the fraud that pretends to be your own people.
BEC: the most expensive cyber threat facing SMBs
BEC is not a technical hack. Criminals exploit trust, authority and time pressure to push employees into making payments or sharing sensitive information. With AI these attacks have rapidly become more professional: flawless language, cloned voices, simulated video calls. The traditional cues that gave fraud away no longer work.
BEC costs Dutch SMBs millions
SMBs are particularly vulnerable. Research shows that 70% of SMBs receive BEC attempts weekly, and the average loss from a successful attack is € 118,000 (FBI IC3 2024).
- € 118,000: average loss per BEC incident. For many SMBs, an existential threat.
- 40%: share of BEC phishing emails that are AI-generated. Social engineering rose 135% after ChatGPT launched.
- 72 days: in one documented case, attackers observed for 72 days before striking. They knew every detail of pending transactions.
Known Dutch BEC cases
Source: NCSC publication BEC — Practical guidance for SMBs, April 2026.
| Organisation | Loss | Method |
|---|---|---|
| Pathé Netherlands | € 19.2 million | CEO fraud via email |
| Jewometaal Rotterdam | € 11.4 million | CEO fraud — phone + email (voice deepfake) |
| Rijksmuseum Twenthe | € 2.85 million | Invoice fraud via intercepted emails |
| Financial services firm | € 1.5 million | Bank account change |
| Elco (Helmond / Aarle-Rixtel) | € 771,760 — bankruptcy | Spoofed CEO email addresses |
At Elco, a family business disappeared because of one successful attack. The administrator called it "quite a chunk out of the trousers" — an understatement.
The five stages of a BEC attack
BEC attacks usually follow the same pattern. Knowing the pattern lets you catch the attack before the payment leaves.
1. Reconnaissance: LinkedIn, company website, press releases and data leaks. Who approves payments? Who works in finance?
2. Gain access: phishing email with a fake login page, MFA bypass via AiTM, stolen credentials from the dark web, or malware via a fake invoice.
3. Observe and learn: patiently reading along in the mailbox, in one documented case for 72 days. Which invoices are pending? Who is on holiday?
4. The attack: an urgent CEO request, a "corrected" invoice, or a vendor who has "just" changed bank details. Timing: right before a holiday or on Friday afternoon.
5. Launder the money: within hours dispersed across several countries, converted into crypto or cash. Reversal is then virtually impossible.
The attack rarely strikes out of the blue. It usually starts with a successful AiTM phishing attack that bypasses MFA, followed by weeks of silent observation. Only when the attacker knows every detail of a pending transaction does the fraudulent payment request arrive — at precisely the right moment.
AI has rewritten the rules
Until recently you spotted fraud by bad grammar and spelling. That era is over. Criminals now write flawless Dutch, clone voices, and simulate live video calls with the director.
Flawless phishing emails
ChatGPT and similar tools produce error-free Dutch, mimic the writing style of your executive, and tailor tone to the recipient.
Voice deepfakes
With seconds of audio (from a corporate YouTube video) a CEO's voice can be cloned for live use on a phone call. Jewometaal lost € 11.4 million this way.
Video deepfakes
In Hong Kong an employee joined a video call with a "CFO and colleagues". Every participant was a deepfake. Loss: € 23.7 million.
Spear-phishing at scale
Where one attacker once hit one company at a time, AI now targets hundreds in parallel with bespoke messages.
No longer works
- Relying on spelling mistakes
- Relying on language patterns
- Email verification alone
- Relying on voice recognition
Works
- Always call back via a known number
- Four-eyes principle on every payment
- Phishing-resistant MFA (FIDO2, Windows Hello)
- Verification questions only the real person can answer
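Two of the items in the "Works" list, the callback to a known number and the four-eyes principle, can be enforced in the payment workflow rather than left to memory. The following is an added example, not Attic's or the NCSC's code: a minimal control for a vendor bank-detail change that refuses a callback to any number not already on file (a number offered in the email is under the attacker's control) and refuses to apply the change without two distinct approvers. Vendor names, IBANs and phone numbers are constructed for the example.

```python
"""Added example (not Attic's or the NCSC's code): a minimal control that enforces
two of the items above on a vendor bank-detail change: a callback to the phone
number already on file (never one offered in the request itself) and the
four-eyes principle with two distinct approvers. Vendor data, names and numbers
are constructed for the example."""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed vendor master data. The phone number on file is the only number
# a callback may use; a number supplied in an email may be the attacker's.
VENDOR_MASTER = {
    "V-1001": {"name": "Example Steel BV", "iban": "NL00EXMP0000000001",
               "phone_on_file": "+31-20-000-0001"},
}


class ControlViolation(Exception):
    """Raised when a payment change would bypass a required check."""


@dataclass
class BankChangeRequest:
    vendor_id: str
    new_iban: str
    requested_by_email: str                  # sender of the "we changed our bank" email
    phone_in_request: Optional[str] = None   # number the email asks you to call back
    callback_confirmed_on: Optional[str] = None
    approvers: List[str] = field(default_factory=list)


def record_callback(req: BankChangeRequest, number_dialed: str) -> None:
    """Accept the callback only if it went to the number on file."""
    on_file = VENDOR_MASTER[req.vendor_id]["phone_on_file"]
    if number_dialed != on_file:
        raise ControlViolation(
            f"callback to {number_dialed} rejected: use the number on file ({on_file})")
    req.callback_confirmed_on = number_dialed


def approve(req: BankChangeRequest, approver: str) -> None:
    """Four-eyes: the same person cannot supply both approvals."""
    if approver in req.approvers:
        raise ControlViolation(
            f"{approver} has already approved; a second, different person is required")
    req.approvers.append(approver)


def apply_change(req: BankChangeRequest) -> str:
    """Update the master record only when both controls are satisfied."""
    if req.callback_confirmed_on is None:
        raise ControlViolation("no callback verification on file")
    if len(set(req.approvers)) < 2:
        raise ControlViolation("four-eyes: two distinct approvers required")
    VENDOR_MASTER[req.vendor_id]["iban"] = req.new_iban
    return VENDOR_MASTER[req.vendor_id]["iban"]


if __name__ == "__main__":
    req = BankChangeRequest("V-1001", "NL00EXMP0000009999",
                            "accounts@example-steel-bv.example",
                            phone_in_request="+31-6-000-9999")
    try:
        record_callback(req, req.phone_in_request)   # the trap: number taken from the email
    except ControlViolation as e:
        print("blocked:", e)
    record_callback(req, "+31-20-000-0001")          # number from the vendor master record
    approve(req, "alice@example.nl")
    approve(req, "bob@example.nl")
    print("applied:", apply_change(req))
```

The point of the design is that the workflow, not the employee under time pressure, holds the line: the trusted number comes from master data that the attacker cannot edit by email, and a single person, however senior the "CEO" on the phone sounds, cannot complete the change alone.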
How Attic stops BEC in Microsoft 365
The NCSC publication describes 19 concrete technical measures against BEC in Microsoft 365. Attic covers every stage of the attack chain — from the first phishing email to executing the remediation when someone does click.
Stop AiTM phishing at the browser
Attic FREE warns employees with a red alert screen on fake login pages and shows an authenticity seal on real Microsoft 365 pages. Prevents session-cookie and MFA-token theft — the most-used entry point to BEC.
Keep phishing and spoofing at the door
SPF, DKIM and DMARC configured correctly. Direct Send disabled. Safe Links and Safe Attachments on. Risky attachments like .html blocked. Internal and outbound traffic is scanned for phishing markers too — not just inbound mail.
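"Configured correctly" is the part that usually goes wrong: a DMARC record with p=none or an SPF record ending in ~all looks like coverage but blocks nothing. The following is an added example, not Attic's or the NCSC's code, that parses SPF and DMARC TXT records and reports the weak settings a BEC defender checks for. The records it is run on are constructed, not fetched from DNS; to use it on a real domain, feed it the TXT record of the domain and of _dmarc.<domain>.

```python
"""Added example (not Attic's or the NCSC's code): a checker for the SPF and
DMARC TXT records the measures above depend on. It parses each record and
reports the weak settings that let spoofed mail through: a neutral or soft
'all' qualifier, too many DNS lookups, a DMARC policy of none, a partial pct,
or no aggregate-report address. The records below are constructed."""
from typing import Dict, List, Optional

# SPF terms that cost a DNS lookup; RFC 7208 caps a record at 10 of them.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(record: str) -> Optional[List[str]]:
    """Return the SPF terms after 'v=spf1', or None if this is not an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    return terms[1:]


def spf_findings(record: str) -> List[str]:
    terms = parse_spf(record)
    if terms is None:
        return ["no valid SPF record: anyone can claim this domain as sender"]
    findings = []
    all_term = next((t for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        findings.append("SPF has no 'all' term: unlisted senders are neutral, not rejected")
    elif all_term.lstrip("+-~?") == all_term or all_term[0] in "+?":
        findings.append(f"SPF ends in '{all_term}': forged senders pass or are neutral")
    elif all_term[0] == "~":
        findings.append("SPF uses ~all (softfail): acceptable only together with DMARC p=reject")
    lookups = sum(
        1 for t in terms
        if t.lstrip("+-~?").split(":")[0].split("=")[0].split("/")[0].lower() in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups (limit 10): receivers treat it as permerror")
    return findings


def parse_dmarc(record: str) -> Optional[Dict[str, str]]:
    """Return the tag=value pairs of a DMARC record, or None if it is not one."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def dmarc_findings(record: str) -> List[str]:
    tags = parse_dmarc(record)
    if tags is None:
        return ["no valid DMARC record: SPF/DKIM results are never enforced"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC p=none: spoofed mail is reported but still delivered")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine: move to p=reject once reports show no legitimate failures")
    elif policy != "reject":
        findings.append("DMARC p= tag missing or invalid")
    if tags.get("sp", "").lower() == "none":
        findings.append("DMARC sp=none: subdomains can still be spoofed")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if pct < 100:
        findings.append(f"DMARC pct={pct}: policy applied to only {pct}% of failing mail")
    if not tags.get("rua"):
        findings.append("no rua= address: aggregate reports showing who spoofs you are never received")
    return findings


def audit_domain(spf_record: str, dmarc_record: str) -> Dict[str, object]:
    spf, dmarc = spf_findings(spf_record), dmarc_findings(dmarc_record)
    return {"spf": spf, "dmarc": dmarc, "ok": not spf and not dmarc}


if __name__ == "__main__":
    # Constructed records: a typical "we have SPF and DMARC" setup that still lets spoofing through,
    # and the hardened equivalent.
    weak = audit_domain("v=spf1 include:spf.protection.outlook.com ~all",
                        "v=DMARC1; p=none; pct=50")
    strong = audit_domain("v=spf1 include:spf.protection.outlook.com -all",
                          "v=DMARC1; p=reject; rua=mailto:dmarc@example.nl")
    print("weak:", weak)
    print("strong:", strong)
```

DKIM is deliberately not checked here: its correctness depends on the selector in each signed message's header rather than on a single fixed record name, so it is verified per message, not per domain.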
24/7 detection of what does get through
Sign-ins from unusual locations, impossible-travel, audit-log tampering, new MFA exceptions on admin accounts — our MDR catches the tactics attackers use between "inside" and "striking". Unified Audit Log on and centrally watched.
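To make the detection side concrete, here is an added example, not Attic's MDR code, that runs three of the detections named above over a handful of constructed records shaped like Unified Audit Log entries: impossible travel between two sign-ins, a new inbox rule that forwards mail out (and deletes the original), and the audit log being switched off. The field names follow the UAL export (CreationTime, Operation, UserId, ClientIP, Parameters); the IP-to-location table is a constructed stand-in for a geo-IP lookup, and all addresses and accounts are constructed.

```python
"""Added example (not Attic's MDR code): three of the detections described
above, run over constructed records shaped like Unified Audit Log entries.
Field names follow the UAL export (CreationTime, Operation, UserId, ClientIP,
Parameters); GEO is a constructed stand-in for a geo-IP lookup service."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List

# Constructed geo-IP table: IP -> (country, latitude, longitude).
GEO = {
    "198.51.100.10": ("NL", 52.37, 4.90),   # Amsterdam
    "203.0.113.77": ("NG", 6.52, 3.38),     # Lagos
    "192.0.2.44": ("FR", 48.86, 2.35),      # Paris
}

# Constructed audit records: one account shows impossible travel, then a
# forwarding rule, then the audit log being disabled; a second account
# travels at a plausible speed and must not alert.
SAMPLE_LOG = [
    {"CreationTime": "2026-04-03T07:02:11", "Operation": "UserLoggedIn",
     "UserId": "finance@example.nl", "ClientIP": "198.51.100.10"},
    {"CreationTime": "2026-04-03T07:41:50", "Operation": "UserLoggedIn",
     "UserId": "finance@example.nl", "ClientIP": "203.0.113.77"},
    {"CreationTime": "2026-04-03T07:45:03", "Operation": "New-InboxRule",
     "UserId": "finance@example.nl", "ClientIP": "203.0.113.77",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "ForwardTo", "Value": "drop@attacker-mail.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2026-04-03T08:10:00", "Operation": "Set-AdminAuditLogConfig",
     "UserId": "admin@example.nl", "ClientIP": "203.0.113.77",
     "Parameters": [{"Name": "UnifiedAuditLogIngestionEnabled", "Value": "False"}]},
    {"CreationTime": "2026-04-03T08:00:00", "Operation": "UserLoggedIn",
     "UserId": "sales@example.nl", "ClientIP": "198.51.100.10"},
    {"CreationTime": "2026-04-03T11:00:00", "Operation": "UserLoggedIn",
     "UserId": "sales@example.nl", "ClientIP": "192.0.2.44"},
]

MAX_PLAUSIBLE_KMH = 900   # roughly airliner speed; faster means two different people
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two coordinates in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def params(rec: Dict) -> Dict[str, str]:
    """Flatten the UAL Parameters list into a name -> value dict."""
    return {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}


def impossible_travel(records: List[Dict]) -> List[Dict]:
    """Flag consecutive sign-ins by one user that would require implausible speed."""
    alerts, last = [], {}   # last: user -> (time, ip)
    logins = sorted((r for r in records if r["Operation"] == "UserLoggedIn"),
                    key=lambda r: r["CreationTime"])
    for rec in logins:
        t, user, ip = datetime.fromisoformat(rec["CreationTime"]), rec["UserId"], rec["ClientIP"]
        if user in last:
            t0, ip0 = last[user]
            if ip0 != ip and ip0 in GEO and ip in GEO:
                km = haversine_km(GEO[ip0][1], GEO[ip0][2], GEO[ip][1], GEO[ip][2])
                hours = max((t - t0).total_seconds() / 3600, 1 / 60)   # floor at one minute
                if km / hours > MAX_PLAUSIBLE_KMH:
                    alerts.append({"type": "impossible_travel", "user": user,
                                   "from": GEO[ip0][0], "to": GEO[ip][0], "kmh": round(km / hours)})
        last[user] = (t, ip)
    return alerts


def forwarding_rules(records: List[Dict]) -> List[Dict]:
    """Flag new or changed inbox rules that send mail outside the mailbox."""
    alerts = []
    for rec in records:
        if rec["Operation"] in ("New-InboxRule", "Set-InboxRule"):
            p = params(rec)
            targets = {k: v for k, v in p.items() if k in FORWARD_PARAMS}
            if targets:
                alerts.append({"type": "mailbox_forwarding", "user": rec["UserId"],
                               "targets": targets, "deletes_copy": p.get("DeleteMessage") == "True"})
    return alerts


def audit_tampering(records: List[Dict]) -> List[Dict]:
    """Flag the Unified Audit Log being switched off."""
    return [{"type": "audit_log_disabled", "user": r["UserId"]} for r in records
            if r["Operation"] == "Set-AdminAuditLogConfig"
            and params(r).get("UnifiedAuditLogIngestionEnabled") == "False"]


def run_detections(records: List[Dict]) -> List[Dict]:
    return impossible_travel(records) + forwarding_rules(records) + audit_tampering(records)


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_LOG):
        print(alert)
```

The Amsterdam-to-Paris pair three hours apart stays silent while the Amsterdam-to-Lagos pair forty minutes apart alerts, which is the difference between a travelling salesperson and a stolen session. In practice the forwarding-rule check matters most for BEC: a rule named "." that forwards and deletes is the attacker's way of reading the vendor correspondence without the victim noticing, which is exactly the "observe and learn" stage the page describes.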
Automated response in seconds
If an account is taken over, Fixer steps in immediately: revoke active sessions, block external mailbox forwarding, withdraw suspicious OAuth apps, force a password reset. What normally takes hours happens in seconds — before the attacker can set a forwarding rule.
For IT administrators and MSPs: the full mapping between Attic functionality and the 19 measures from the NCSC technical advice (covering 27 MITRE ATT&CK techniques) is available on request. Book a technical call.
Five questions to put to your IT provider — today
The NCSC publication lists five concrete questions to gauge whether your MSP is taking BEC seriously. We answer "yes, and here's how" to all five.
"How do you protect us against phishing and BEC attacks?"
Ask about email filters, impersonation protection and anti-spoofing.
"Do you monitor suspicious sign-in attempts?"
A stolen password should be visible in minutes, not at the next routine check.
"Is phishing-resistant MFA enabled on all accounts?"
SMS codes and standard push notifications are no longer sufficient. FIDO2 or Windows Hello are.
"How quickly are we notified of an incident?"
In BEC, every minute counts. Ask for concrete response times, not "best effort".
"Can you help us with awareness training and simulated phishing?"
Awareness depends on regular practice, not one annual e-learning.
The NCSC publication — openly available
Two documents, no form. A practical handbook for management and a worked-out technical advisory for your IT provider. Both are Dutch-language.
Practical guidance for SMBs
For entrepreneurs, managers and directors. Non-technical, directly applicable. 15 pages of practical tips, Dutch case studies and the exact red flags to watch for.
Technical advice (MITRE ATT&CK)
For IT providers and MSSPs. Full measures package per stage of the MITRE chain, with priority, impact and effort per measure. 21 pages, Microsoft 365 (Outlook) specific.
© Nationaal Cyber Security Centrum (NCSC), Dutch Ministry of Justice and Security. April 2026.
Produced via Cyclotron, with Attic Security, Orange Cyberdefense, Invictus and Tesorion.
Related threats
Parts of the wider BEC attack chain.
- CEO Fraud: the classic BEC variant, impersonating the executive.
- Adversary-in-the-Middle: the technique attackers use to take over accounts. Bypasses MFA.
- Phishing: almost every BEC starts with phishing, the first step in the chain.
- Incident Response: need help right now? Direct line to our response team, 24/7.
Awareness is the foundation. Detection finishes the job.
The NCSC closes the publication with: "At its core, BEC protection is not about technology, but about people." We partly agree — and have built the technology for the moment a human hesitates.