The FBI's IC3 reports tell a story that the security industry has been slow to repeat clearly. Ransomware losses, while severe per incident, account for a fraction of the dollars stolen each year from US businesses. Business email compromise — BEC — accounts for an order of magnitude more.
In FY 2024, IC3 documented $2.9 billion in ransomware-attributed losses. It documented $6.8 billion in BEC-attributed losses in the same year. The gap is consistent year over year. Ransomware is louder. BEC is more expensive.
Most SMB and mid-market security programs are still optimized for the noisy threat. The math says they should be optimized for the quiet one.
What BEC actually is
BEC is not phishing in the conventional sense. There is no malicious attachment. There is no malicious link. There is, often, no payload at all — just text, written carefully, sent from a domain that looks legitimate.
The patterns:
The vendor invoice diversion. An attacker compromises the email account of a vendor your company already pays. They wait. They watch the invoice cycle. They send a courteous email from the vendor's real account: "We've updated our banking details. Please use the attached W-9 and updated ACH information for the next payment cycle." The W-9 is real. The ACH details point to a mule account. The first time anyone notices is when the real vendor calls and asks where their money is. That payment is gone.
The CEO wire request. The attacker registers a domain one character off from yours — compamy.com instead of company.com — and sends an email from [email protected] to your CFO. Late Friday. Quiet. "I'm in a meeting and need a $48,000 wire sent before close of business for the Henderson acquisition. Routing details below. Don't loop in legal, this is still confidential." The CFO wires it. By Monday morning, the funds have moved through four banks and are in an Eastern European exchange.
The payroll redirect. The attacker compromises an HR account or impersonates an employee. They submit an apparently routine direct-deposit change form. The next payroll cycle deposits into the attacker's account. The employee notices two weeks later when their paycheck doesn't arrive. The money is unrecoverable.
The legal-pretext data extraction. The attacker compromises an outside-counsel email account or impersonates one. They request a list of all employee tax documents "for the M&A due diligence team." HR sends them. The data is then used for tax-return fraud at scale.
Notice what these patterns have in common: no malicious software, no exploit, no technical vulnerability. The attack vector is human trust in a business process, mediated through email.
Why email security has the best ROI of any control
The math is straightforward.
A competent email security stack — anti-spoofing (SPF, DKIM, DMARC enforcement), advanced threat protection (sandboxing, link rewriting), and impersonation detection (display-name policies, look-alike domain detection) — costs an SMB between $4 and $12 per mailbox per month. For a 50-person company, that's $2,400 to $7,200 per year.
The average loss from a successful BEC incident is, per IC3, $137,000.
A single avoided incident pays for the control for somewhere between 19 and 57 years. No other security control has this ratio. EDR is excellent. MDR is excellent. Both are vastly more expensive than email security per dollar of risk reduced. The order of operations for any security program with finite budget is: get email security right first, then add the rest.
Most SMB programs do this in the wrong order. They buy EDR because the conversation about ransomware is loud, while their inbound email is still on Microsoft 365 defaults that allow display-name spoofing.
What "email security done right" actually means
Three layers, in order of importance:
Layer 1: Authenticate your outbound and reject unauthenticated inbound.
This is SPF, DKIM, and DMARC. Most organizations have SPF and DKIM published but DMARC set to p=none, which monitors but does not enforce. Set DMARC to p=reject for your domain. Do it after a 30-day monitoring period so you understand what would have been rejected. Then enforce.
For your inbound mailflow, configure the mail platform to reject mail that fails sender authentication. Microsoft 365 calls this "Anti-Spoofing." Google Workspace calls it "Authentication enforcement." Both default to permissive. Both should be set to strict.
This single change — published, enforced DMARC plus strict inbound authentication — eliminates a meaningful fraction of impersonation attempts at the protocol level, before they reach a user's inbox.
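As an added illustration (not code from the original article), a small Python checker that reads a DMARC TXT record the way a receiver would and reports whether it actually enforces anything, including the sp and pct tags that quietly weaken a p=reject record; the sample records and the rua address are constructed for the page's company.com example.

```python
STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}

def parse_dmarc(txt):
    """Parse a DMARC TXT record into its tag=value pairs; None if it is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else None

def assess_dmarc(txt):
    """Return (enforced, findings): enforced is True only when mail failing DMARC
    is actually rejected for the domain and all of its subdomains, every time."""
    tags = parse_dmarc(txt)
    if tags is None:
        return False, ["no valid DMARC record (v=DMARC1 missing): receivers apply no policy"]
    policy = tags.get("p", "none").lower()
    sub_policy = tags.get("sp", policy).lower()      # sp defaults to p when absent
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    findings = []
    if policy == "none":
        findings.append("p=none: failures are only reported, never rejected or quarantined")
    elif policy == "quarantine":
        findings.append("p=quarantine: failures go to spam/junk rather than being rejected")
    if policy != "none" and pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail gets the policy applied")
    if STRENGTH.get(sub_policy, 0) < STRENGTH.get(policy, 0):
        findings.append(f"sp={sub_policy} is weaker than p={policy}: subdomains are not enforced")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so the monitoring period shows nothing")
    enforced = policy == "reject" and sub_policy == "reject" and pct == 100
    return enforced, findings
```

Run it against the record you actually publish (dig TXT _dmarc.yourdomain) rather than the one you remember publishing; the page's "paid for and not turned on" case is exactly a record that parses fine and returns enforced=False.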
Layer 2: Detection and impersonation defenses.
A modern email security product — Microsoft Defender for Office, Proofpoint, Mimecast, Abnormal, Sublime, IRONSCALES, several others — adds:
- Look-alike domain detection (compamy.com flagged when impersonating company.com)
- Display-name policy (an email from CEO Daniel Ramos sent from [email protected] is flagged)
- Sandboxing of attachments and URL rewriting
- Behavioral analysis (this CFO has never received a wire request from this sender before)
- Sender-domain age scoring (a domain registered yesterday gets quarantined)
The vendor matters less than the configuration. Most products have all the right features and are deployed with most of them off. Read the configuration guide. Turn the features on. Tune for two weeks. Measure false-positive rate and tune again.
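An added example, not the article's or any vendor's code, of the two Layer 2 checks the page names: look-alike detection (a sender domain one edit or one glyph substitution away from company.com) and a display-name policy for executives. PROTECTED_DOMAINS, EXECUTIVES and the homoglyph table are constructed for the page's scenario.

```python
from email.utils import parseaddr

# Constructed policy data for the page's scenario (not a product's configuration).
PROTECTED_DOMAINS = {"company.com"}
EXECUTIVES = {"daniel ramos"}       # display names allowed only from PROTECTED_DOMAINS
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "cl": "d"}  # look-alike glyph pairs

def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute or swap
    adjacent characters, each costing 1 ("comapny" -> "company" is 1)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1): d[i][0] = i
    for j in range(len(b) + 1): d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def lookalike_of(domain):
    """Return the protected domain this sender domain imitates, or None."""
    domain = domain.lower()
    if domain in PROTECTED_DOMAINS:   # an exact match is DMARC's job (Layer 1), not a look-alike
        return None
    folded = domain
    for glyph, real in HOMOGLYPHS.items():
        folded = folded.replace(glyph, real)   # "cornpany.com" folds to "company.com"
    for protected in PROTECTED_DOMAINS:
        if folded == protected or edit_distance(domain, protected) <= 1:
            return protected
    return None

def evaluate_from_header(from_header):
    """Apply the look-alike and display-name policies to one From: header
    and return the findings as (rule, observed, protected_value) tuples."""
    display_name, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    findings = []
    target = lookalike_of(domain)
    if target:
        findings.append(("lookalike_domain", domain, target))
    name = " ".join(display_name.lower().split())
    if domain not in PROTECTED_DOMAINS:
        for exec_name in EXECUTIVES:
            if exec_name in name:     # "CEO Daniel Ramos" from an outside mailbox
                findings.append(("display_name_impersonation", display_name, exec_name))
    return findings
```

A real product adds newly registered domain age and sender history on top of this, but these two rules alone catch the page's compamy.com and display-name cases, and both are typically off until someone turns them on.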
Layer 3: The process discipline that no software replaces.
The technical controls reduce the attack surface. They do not eliminate it. The remaining attacks succeed when a human acts on an email without verifying through a second channel. The discipline:
- Vendor banking changes require voice verification to a known number, not a number in the email. No exceptions, including for vendors you know personally. This is the single highest-impact policy an SMB can adopt.
- Wire transfers above a threshold require dual control — a second signer who is not the original requester. The threshold should be low enough that the attacker cannot find a request below it. $1,000 for most SMBs.
- HR changes for direct deposit require a phone call to the employee's known number, not the number in the request form. Even if the form looks legitimate. Especially if it looks legitimate.
- Legal data requests outside the normal channel require verification to the attorney's known direct line. Outside counsel does not request employee tax data via email.
These policies feel paranoid. They are not. They are the difference between a $137,000 wire and a 60-second phone call.
Where teams cut corners and lose
The single most common gap: the company has bought email security, but never set DMARC enforcement. They published the record, monitored for three months, never moved past p=none. The control is paid for and not turned on. The attacker walks through the door that the receptionist forgot to lock.
The second most common gap: the verification process exists in writing but does not exist in muscle memory. The CFO has signed off on the policy but has never actually been asked to make the call. When the request comes in at 4:50pm Friday, the policy is invisible and the wire goes out.
The mitigation for both is the same. Run drills. A quarterly phishing simulation that includes a wire-pretext scenario. A semiannual tabletop where the CFO has to walk through what they would do. The controls work when they have been rehearsed.
The honest counsel
Email security is the highest-ROI security investment available to most SMBs. The math is not close. The reason it gets underinvested is that ransomware has better marketing — it is dramatic, it makes the news, the vendor pitches are vivid. BEC is quiet, embarrassing, and rarely talked about publicly because the victim was tricked rather than attacked.
The Zen of TPM extends to security. The discipline is in the boring controls that get done deliberately, not the exciting ones that get bought hastily.
Set DMARC to reject. Turn on impersonation detection. Require a phone call before any banking change. The first time those three controls would have caught an incident, they will have paid for every minute of effort.