Ask most small-business owners what cyberattack scares them most and they’ll say “ransomware.” But the data tells a different story: the attack that drains the most money from SMBs every year doesn’t encrypt a single file. It’s Business Email Compromise (BEC) — and it’s almost entirely invisible to the email security most companies already pay for.
What BEC actually is
Business Email Compromise is an attack where a criminal impersonates a trusted party — a CEO, a vendor, a finance lead, a lawyer — over email, to trick someone into a fraudulent payment or a data disclosure. There’s usually no malware, no malicious link, no attachment. Just a convincing email that says “Can you update the wire details on that invoice?” or “I’m in a meeting, can you buy these gift cards?”
Because there’s nothing technically malicious to scan, default Microsoft 365 and Google Workspace filters routinely let BEC through. The payload is social, not technical.
Why this is the SMB attack that matters most
The numbers are stark, and they come from adjudicated insurance claims — not surveys:
- BEC and funds-transfer fraud (FTF) together account for 58% of all cyber-insurance claims — the single biggest category by frequency, larger than ransomware. (Coalition 2026 Cyber Claims Report)
- 52% of all funds-transfer-fraud claims originated from a BEC incident — BEC is the front door to the fraud.
- The average funds-transfer-fraud loss is $141,000 — enough to wipe out the cash position of a 50-person company. (Coalition 2026)
- AI-driven phishing is 3x more effective than traditional phishing, and AI-driven forgeries grew 195% year over year. (Microsoft Digital Defense Report 2025)
The trend lines are getting worse, not better, as generative AI makes impersonation cheaper and more convincing.
How a BEC attack unfolds
- Recon. The attacker studies your org — often using a credential already leaked on the dark web to read a real mailbox.
- Foothold. They quietly create an inbox rule that auto-deletes or hides their own messages, so the real employee never sees the conversation.
- The ask. They send a payment-change request, timed around a real invoice or a vacationing executive.
- The wire. Finance acts on it. By the time anyone notices, the money has moved through several accounts.
The whole attack can happen inside a single mailbox, which is exactly why endpoint tools and antivirus never see it.
How to detect and stop BEC
Stopping BEC takes layers that default filters don’t provide:
- Behavioral inbox analysis — flagging tone, urgency, payment-change language, and lookalike domains, not just known-bad links.
- Inbox-rule monitoring — catching the auto-hide rules attackers create on a compromised mailbox.
- Identity context — knowing that the “CEO” is signing in from an impossible-travel location, or that their credentials were just found in a breach dump.
- Cross-surface correlation — connecting a suspicious login (identity), a new inbox rule (email), and a leaked credential (dark web) into one incident instead of three low-priority blips.
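The four layers above are easier to reason about as code. The following is an added example, not Centeye's or Kavach's code: it runs a lookalike-domain and payment-change check over a constructed email, flags an inbox rule that hides finance mail, applies a simplified impossible-travel check (a country change within a short window), and then correlates the identity, email and dark-web signals for one user into a single incident. All event shapes, thresholds (3-hour travel window, 72-hour correlation window, edit distance of 2) and sample data are assumptions made for illustration.

```python
from datetime import datetime, timedelta
import re

# --- Constructed sample telemetry (illustrative, not real logs) -------------
SIGNINS = [
    {"user": "cfo@example.com", "ts": "2026-03-02T08:05:00", "city": "Chicago", "country": "US"},
    {"user": "cfo@example.com", "ts": "2026-03-02T09:10:00", "city": "Lagos", "country": "NG"},
    {"user": "ap@example.com", "ts": "2026-03-02T08:30:00", "city": "Chicago", "country": "US"},
]
# Assumed, simplified shape of an audit entry for a newly created inbox rule.
INBOX_RULE_EVENTS = [
    {"user": "cfo@example.com", "ts": "2026-03-02T09:15:00",
     "conditions": {"subject_contains": ["invoice", "wire"]},
     "actions": {"move_to_folder": "RSS Subscriptions", "mark_as_read": True}},
]
LEAKED_CREDENTIALS = [
    {"user": "cfo@example.com", "ts": "2026-02-28T00:00:00", "source": "combolist-dump-A"},
]
EMAILS = [
    {"from": "ap@acme-supplies.co", "to": "finance@example.com",
     "subject": "Updated wire details for invoice 4471",
     "body": "We changed banks. Please update the beneficiary account before paying today."},
]
KNOWN_VENDOR_DOMAINS = {"acme-supplies.com", "northwind.net"}

PAYMENT_CHANGE_PATTERNS = [
    r"\b(wire|bank(ing)?|beneficiary|account)\s+(details|info(rmation)?|number)\b",
    r"\bupdated?\s+(the\s+)?(wire|bank|beneficiary|account)",
    r"\bchanged?\s+banks?\b",
]
URGENCY_PATTERNS = [r"\btoday\b", r"\burgent(ly)?\b", r"\bbefore\s+(paying|close)\b", r"\basap\b"]
# Folders a user rarely reads; a rule routing finance mail here is a hiding pattern.
SUSPICIOUS_FOLDERS = {"rss subscriptions", "rss feeds", "deleted items", "archive", "junk email"}


def ts(s):
    return datetime.fromisoformat(s)


def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, known, max_distance=2):
    d = domain.lower()
    return d not in known and any(edit_distance(d, k) <= max_distance for k in known)


def score_email(msg):
    """Behavioral layer: returns the reasons an email looks like a payment-change lure."""
    text = f"{msg['subject']} {msg['body']}".lower()
    reasons = []
    if any(re.search(p, text) for p in PAYMENT_CHANGE_PATTERNS):
        reasons.append("payment-change language")
    if any(re.search(p, text) for p in URGENCY_PATTERNS):
        reasons.append("urgency")
    sender_domain = msg["from"].rsplit("@", 1)[1]
    if is_lookalike(sender_domain, KNOWN_VENDOR_DOMAINS):
        reasons.append(f"lookalike sender domain {sender_domain}")
    return reasons


def hiding_rule(ev):
    """Inbox-rule layer: a rule that diverts finance-related mail out of sight."""
    actions = ev["actions"]
    hides = actions.get("delete", False) or actions.get("move_to_folder", "").lower() in SUSPICIOUS_FOLDERS
    finance_terms = {"invoice", "wire", "payment", "bank", "ach"}
    subject_terms = {t.lower() for t in ev["conditions"].get("subject_contains", [])}
    return hides and bool(subject_terms & finance_terms)


def impossible_travel(signins, window=timedelta(hours=3)):
    """Identity layer (simplified): consecutive sign-ins from different countries within `window`."""
    by_user, flagged = {}, []
    for s in sorted(signins, key=lambda s: s["ts"]):
        by_user.setdefault(s["user"], []).append(s)
    for user, rows in by_user.items():
        for a, b in zip(rows, rows[1:]):
            gap = ts(b["ts"]) - ts(a["ts"])
            if a["country"] != b["country"] and gap <= window:
                flagged.append({"user": user, "ts": b["ts"], "kind": "identity",
                                "detail": f"{a['city']},{a['country']} -> {b['city']},{b['country']} in {gap}"})
    return flagged


def build_signals():
    signals = impossible_travel(SIGNINS)
    signals += [{"user": ev["user"], "ts": ev["ts"], "kind": "email",
                 "detail": "new inbox rule hides finance mail"} for ev in INBOX_RULE_EVENTS if hiding_rule(ev)]
    signals += [{"user": c["user"], "ts": c["ts"], "kind": "darkweb",
                 "detail": f"credential exposed in {c['source']}"} for c in LEAKED_CREDENTIALS]
    return signals


def correlate(signals, window=timedelta(hours=72)):
    """Cross-surface layer: one incident per user when 2+ sources fire inside `window`."""
    by_user, incidents = {}, []
    for s in sorted(signals, key=lambda s: s["ts"]):
        by_user.setdefault(s["user"], []).append(s)
    for user, rows in by_user.items():
        kinds = {r["kind"] for r in rows}
        span = ts(rows[-1]["ts"]) - ts(rows[0]["ts"])
        if len(kinds) >= 2 and span <= window:
            incidents.append({"user": user, "sources": sorted(kinds),
                              "severity": "high" if len(kinds) == 3 else "medium", "signals": rows})
    return incidents


if __name__ == "__main__":
    for inc in correlate(build_signals()):
        print(f"{inc['severity'].upper()} incident for {inc['user']}: {', '.join(inc['sources'])}")
        for s in inc["signals"]:
            print(f"  [{s['kind']}] {s['ts']} {s['detail']}")
    print("email lure reasons:", score_email(EMAILS[0]))
```

The point of `correlate` is the one the list makes: on their own, a sign-in from an unusual country, a new inbox rule and a credential in a dump are each a low-priority alert that an analyst can rationalise away; joined by user within a short window they describe the attack chain end to end, and the severity reflects how many surfaces agree.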
This is exactly the gap Centeye’s Email & BEC surface fills: a dual-cloud (Microsoft 365 + Google Workspace) ML-to-LLM detection cascade that catches phishing, BEC, and account takeover, with auto-quarantine and pull-from-all-inboxes. And because Kavach correlates it with the Identity/ITDR and Dark Web surfaces, a BEC attempt riding a stolen credential becomes one incident your team can actually act on.
Want the plain-English version of these terms? See our security glossary. Ready to see detection in action? Get a demo.
Figures cited from the Coalition 2026 Cyber Claims Report and the Microsoft Digital Defense Report 2025. Centeye reports only capabilities confirmed shipped in the product.