Business Email Compromise Warning Signs
How to spot BEC patterns in invoice, wire transfer, payroll, vendor-change, crypto, and gift-card requests.
BEC imitates trust
Business Email Compromise usually works because the message appears to come from a trusted executive, employee, vendor, or customer. The request may be short, urgent, and framed as routine.
The goal is often to move money, change payroll details, buy gift cards, update vendor bank information, or reveal credentials. A link may be involved, but many BEC attempts rely on the message itself.
Pressure is a signal
Urgency, secrecy, and instructions to bypass normal approval are classic caution signals. Phrases like available by email only, do not call, confidential, today, or immediate should trigger a pause.
A safer process lets employees verify requests through known phone numbers or existing systems, not the contact details inside the suspicious message.
Sender identity can be confusing
Look at From, Reply-To, Return-Path, and any links in the message. A free webmail reply address for a business-looking request is not proof of fraud, but it deserves careful verification.
If the sender domain and reply-to domain differ unexpectedly, use another channel before acting.
How CheckLink helps
Use BEC Request Inspector to review the message locally, extract any URLs, and list verification steps. Use Email Header Inspector for pasted headers and request manual review when money, payroll, credentials, or vendor changes are involved.
Checklist
FAQ
Does a BEC warning prove fraud?
No. It means the request needs verification through a trusted channel.
Should employees be allowed to slow down urgent requests?
Yes. A clear verification policy is one of the simplest BEC defenses.
Related guides
Related glossary terms
Further reading
Use CheckLink before the next click
CheckLink provides risk signals and review paths. It does not guarantee that a website is risk-free.