Imagine receiving an SMS: “Your account will be blocked unless you confirm your identity.” Or a call from someone claiming to be your bank, urgent and insistent. What comes next could be a click, a shared OTP, or a transfer you’ll never see again. BEC (Business Email Compromise) has been around for years—institutions like Interpol, with their #BECareful campaign, have already warned of the rise of this type of fraud. But with technology and artificial intelligence, it has evolved, becoming more sophisticated and harder to detect.
According to industry analysis, attacks grew by 37% between 2024 and 2025, with an average cost of over $125,000 per incident. The strength of BEC lies in its ability to deceive users and exploit human interaction with systems that appear secure.
For banks and fintechs, this means the enemy isn’t always outside the system—sometimes it’s inside an apparently legitimate session, manipulated through a fake portal or via SMS and calls that mimic the voice of the institution.
Why Is Business Email Compromise a Threat to Financial Institutions?
BEC originated in the corporate world: fake payment orders, changes to supplier accounts, urgent instructions from executives. Today, its logic fits perfectly in the financial ecosystem: the attacker is no longer limited to email—they combine email, SMS, calls, instant messaging, and phishing pages to build a believable narrative around the institution’s brand.
The attack flow usually repeats itself in three steps:
- Real data as bait: names, positions, IBANs, or relationship patterns obtained from prior leaks or open sources.
- Authority and urgency: a message about a security review, account blockage, or regulatory change.
- Seemingly reasonable action: sharing an OTP, validating access, approving a beneficiary, or confirming an immediate transfer.
BEC poses a direct risk of fraud and erodes digital trust, precisely when banks are promoting remote operations and online journeys.
That’s why solutions like remote biometric onboarding, passwordless MFA, and behavioral biometrics are critical: they help distinguish between a genuine user and a session that is being manipulated by an attacker, even when the attacker holds valid credentials or an OTP the customer read out.
Operational Signs That a BEC Attack Is Underway
Identifying a BEC attack in time requires observing operational patterns that, individually, might seem harmless, but together form clear signals that something is wrong. These are the most frequent:
Social Engineering
- Increase in SMS or WhatsApp messages with fake links (smishing)
- Urgent calls requesting OTPs or credentials (vishing)
Session Activity
- Anomalous logins followed by seemingly valid operations
- Device or location changes before critical operations
Transactional Behavior
- Creation of new beneficiaries followed by immediate payments
- Transactions outside the customer’s usual pattern
Attack Infrastructure
- LOTS (Living Off Trusted Sites) campaigns: phishing pages and lures hosted on legitimate platforms (cloud storage, form builders, collaboration tools), so links pass domain-reputation filters and the customer sees a familiar, valid-certificate domain
- SIM swap or port-out reported by the telecom operator coinciding with suspicious transactions on the same account
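None of the signs above is conclusive on its own; the value is in correlating them per customer and in time order. The following is an added example, not code from the original page or from any bank's fraud platform: it replays a constructed event stream (logins, beneficiary creation, payments, and a SIM-swap feed from the telecom operator) and raises an alert where the signals from the four groups coincide. The event schema, rule names, thresholds (30-minute fresh-beneficiary window, 24-hour SIM-swap window, 3x the customer's prior maximum payment) and sample events are all assumptions.

```python
"""Correlate the operational BEC signals above over a constructed event stream.

Added, illustrative example: the event schema, thresholds and sample events are
assumptions for this page, not a bank's real fraud rules or data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    customer: str
    kind: str              # "login" | "add_beneficiary" | "payment" | "sim_swap"
    device: str = ""       # login only
    country: str = ""      # login only
    beneficiary: str = ""  # add_beneficiary / payment
    amount: float = 0.0    # payment only


@dataclass
class Alert:
    customer: str
    ts: datetime
    rule: str
    detail: str


# Assumed thresholds; a real deployment tunes these per customer segment.
FRESH_BENEFICIARY_WINDOW = timedelta(minutes=30)
SIM_SWAP_WINDOW = timedelta(hours=24)
AMOUNT_MULTIPLIER = 3.0   # flag payments above 3x the customer's prior maximum


def detect(events):
    """Replay events per customer in time order and emit an Alert wherever the
    signals coincide. Baselines (known devices and countries, largest past
    payment) are learned from the stream itself."""
    alerts = []
    per_customer = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        per_customer.setdefault(e.customer, []).append(e)

    for cust, evs in per_customer.items():
        devices, countries = set(), set()
        max_amount = 0.0
        added_at = {}             # beneficiary -> when the customer created it
        last_sim_swap = None
        anomalous_session = False

        for e in evs:
            if e.kind == "login":
                # A device or country never seen before for this customer marks
                # the session as anomalous for every operation that follows.
                new_device = bool(devices) and e.device not in devices
                new_country = bool(countries) and e.country not in countries
                anomalous_session = new_device or new_country
                devices.add(e.device)
                countries.add(e.country)
            elif e.kind == "sim_swap":
                last_sim_swap = e.ts  # fed by the telecom operator
            elif e.kind == "add_beneficiary":
                added_at[e.beneficiary] = e.ts
                if anomalous_session:
                    alerts.append(Alert(cust, e.ts, "beneficiary_in_anomalous_session",
                                        f"{e.beneficiary} added from unrecognised device/location"))
            elif e.kind == "payment":
                flagged = False
                created = added_at.get(e.beneficiary)
                if created is not None and e.ts - created <= FRESH_BENEFICIARY_WINDOW:
                    age = int((e.ts - created).total_seconds() // 60)
                    alerts.append(Alert(cust, e.ts, "payment_to_fresh_beneficiary",
                                        f"{e.beneficiary} added {age} min ago"))
                    flagged = True
                if last_sim_swap is not None and e.ts - last_sim_swap <= SIM_SWAP_WINDOW:
                    alerts.append(Alert(cust, e.ts, "payment_after_sim_swap",
                                        f"SIM swap at {last_sim_swap:%Y-%m-%d %H:%M}"))
                    flagged = True
                if max_amount > 0 and e.amount > AMOUNT_MULTIPLIER * max_amount:
                    alerts.append(Alert(cust, e.ts, "amount_outside_pattern",
                                        f"{e.amount:.0f} is {e.amount / max_amount:.1f}x the previous maximum"))
                    flagged = True
                if anomalous_session:
                    alerts.append(Alert(cust, e.ts, "payment_in_anomalous_session",
                                        "session from unrecognised device/location"))
                    flagged = True
                # A flagged payment must not inflate the customer's baseline.
                if not flagged:
                    max_amount = max(max_amount, e.amount)
    return alerts


# Constructed sample stream (not real bank data).
T0 = datetime(2025, 3, 1, 9, 0)


def at(days=0, hours=0, minutes=0):
    return T0 + timedelta(days=days, hours=hours, minutes=minutes)


SAMPLE_EVENTS = [
    # "c1": usual phone, usual country, small regular payments.
    Event(at(), "c1", "login", device="phone-A", country="ES"),
    Event(at(minutes=5), "c1", "payment", beneficiary="landlord", amount=900),
    Event(at(days=2), "c1", "login", device="phone-A", country="ES"),
    Event(at(days=2, minutes=3), "c1", "payment", beneficiary="utility", amount=120),
    # Then: SIM swap, login from a new device and country, new beneficiary, immediate large payment.
    Event(at(days=9), "c1", "sim_swap"),
    Event(at(days=9, minutes=30), "c1", "login", device="browser-X", country="NG"),
    Event(at(days=9, minutes=32), "c1", "add_beneficiary", beneficiary="mule-1"),
    Event(at(days=9, minutes=35), "c1", "payment", beneficiary="mule-1", amount=4800),
    # "c2": adds a beneficiary and pays two days later from the usual device; nothing to flag.
    Event(at(days=9, hours=2), "c2", "login", device="phone-B", country="ES"),
    Event(at(days=9, hours=2, minutes=1), "c2", "add_beneficiary", beneficiary="friend"),
    Event(at(days=11, hours=2), "c2", "payment", beneficiary="friend", amount=50),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.customer} {a.ts:%Y-%m-%d %H:%M} {a.rule}: {a.detail}")
```

Running it yields five alerts, all for "c1" and all attached to the two operations after the anomalous login, while "c2" produces none. Two choices are deliberate: the first login and first payment of a customer seed the baseline rather than trigger alerts (the rules need history to mean anything), and a flagged payment is kept out of the baseline so that a successful fraud does not make the next one look normal.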
8 Measures to Prevent BEC in Banking and Fintech
Integrating security and operational intelligence without affecting the customer experience is key. In fact, industry organizations like the FS-ISAC (Financial Services Information Sharing and Analysis Center) recommend combining shared intelligence, customer education, and stronger authentication technologies.
Many institutions are reinforcing these strategies with digital identity and biometric authentication solutions, which allow legitimate users to be confirmed and reduce fraud risk without adding unnecessary friction.
Some recommended measures include:
- Coordinated antifraud intelligence: Ongoing programs to detect campaigns and coordinated responses between financial institutions and technology providers.
- Accessible reporting channels: Systems that allow customers to report suspicious emails or SMS with a single click.
- Public catalog of official channels: Verifiable lists of domains, phone numbers, and legitimate apps.
- Collaboration with telecom operators and technology providers: Helps stop smishing and spoofing campaigns at their source.
- Multi-factor authentication (MFA): Replace vulnerable methods like SMS OTPs, which can be read out to a vishing caller or intercepted after a SIM swap, with phishing-resistant factors such as passkeys (FIDO2) or in-app biometric confirmation bound to the customer's enrolled device.
- Contextual analysis: Evaluate the context of each interaction before allowing sensitive actions.
- Smart friction: Apply additional checks only for critical actions, such as adding beneficiaries or making a first payment.
- User education: Simple, constant reminders for customers, such as “your bank will never ask for a code by phone” or “always verify the official channel.”
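The "contextual analysis" and "smart friction" measures above amount to a policy decision taken at the moment a sensitive action is requested: allow routine actions from a trusted context with no friction, step up only critical actions or risky contexts, and hold anything where a step-up would be meaningless. The block below is an added example, not code from the original page or any product it mentions; the set of critical actions, the risk signals and their weights, the thresholds, and the accepted step-up factors are all assumptions. It goes one step beyond the text in one respect: when the customer's only enrolled factor is an SMS OTP, a critical action is held for review rather than "stepped up" with a code the attacker may already be in a position to obtain.

```python
"""Smart friction: a contextual step-up policy for sensitive banking actions.

Added, illustrative example for this page; the actions, signals, weights and
thresholds are assumptions, not a specific bank's or product's policy.
"""
from dataclasses import dataclass, field

# Actions that always get a step-up, even from a fully trusted session (assumption).
CRITICAL_ACTIONS = {"add_beneficiary", "first_payment", "change_phone", "raise_limit"}

# Factors accepted for step-up. SMS OTP is deliberately absent: it can be read
# out to a vishing caller or captured after a SIM swap.
STEP_UP_FACTORS = {"passkey", "app_biometric"}

HOLD_AT = 60      # risk score at or above which the action is held for fraud review
STEP_UP_AT = 25   # score at or above which even a routine action gets a step-up


@dataclass
class Request:
    action: str
    amount: float = 0.0
    device_trusted: bool = True        # device previously bound to this customer
    country_usual: bool = True
    minutes_since_login: int = 30
    sim_swap_last_24h: bool = False    # from the telecom operator feed
    typical_max_amount: float = 0.0    # customer's largest past payment, 0 if none
    enrolled_factor: str = "passkey"   # strongest factor the customer has enrolled


@dataclass
class Decision:
    outcome: str                       # "allow" | "step_up" | "hold"
    score: int
    reasons: list = field(default_factory=list)
    factor: str = ""                   # factor to challenge with, for step_up


def risk_score(req):
    """Additive risk score from the context of the request (weights assumed)."""
    score, reasons = 0, []
    if not req.device_trusted:
        score += 30; reasons.append("unrecognised device")
    if not req.country_usual:
        score += 20; reasons.append("unusual country")
    if req.sim_swap_last_24h:
        score += 40; reasons.append("SIM swap or port-out in last 24h")
    if req.action in CRITICAL_ACTIONS and req.minutes_since_login <= 5:
        score += 15; reasons.append("critical action minutes after login")
    if req.typical_max_amount and req.amount > 3 * req.typical_max_amount:
        score += 25; reasons.append("amount far above customer's pattern")
    return score, reasons


def decide(req):
    """Allow, step up, or hold: friction only where the action or context warrants it."""
    score, reasons = risk_score(req)
    if score >= HOLD_AT:
        return Decision("hold", score, reasons)
    if req.action in CRITICAL_ACTIONS or score >= STEP_UP_AT:
        if req.enrolled_factor not in STEP_UP_FACTORS:
            # No phishing-resistant factor to challenge with: do not fall back to SMS.
            return Decision("hold", score, reasons + ["no phishing-resistant factor enrolled"])
        return Decision("step_up", score, reasons, factor=req.enrolled_factor)
    return Decision("allow", score, reasons)


if __name__ == "__main__":
    # Constructed requests, from routine to clearly hostile.
    for r in [
        Request("payment", amount=80, typical_max_amount=900),
        Request("add_beneficiary"),
        Request("add_beneficiary", enrolled_factor="sms_otp"),
        Request("payment", amount=4800, typical_max_amount=900, device_trusted=False),
        Request("first_payment", amount=4800, typical_max_amount=900, device_trusted=False,
                country_usual=False, minutes_since_login=3, sim_swap_last_24h=True),
    ]:
        d = decide(r)
        print(f"{r.action:16} -> {d.outcome:8} score={d.score:3} {d.reasons} {d.factor}")
```

The ordering in decide matters: the hold threshold is checked before the step-up branch, so a session that is already overwhelming on context (new device, new country, SIM swap, large first payment minutes after login) is never offered a challenge that a well-coached victim would simply pass on to the caller.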
Digital Trust as the new line of defense
BEC shows that financial fraud no longer depends solely on technical vulnerabilities—it increasingly relies on exploiting user trust and manipulating digital interactions.
In an environment where payments are instant and customer relationships are increasingly digital, detecting these signs in time and applying intelligent controls becomes a strategic priority for banks and fintechs.
Technologies based on verifiable digital identity, biometric authentication, and contextual analysis of sessions help move toward this goal: protecting operations without compromising the customer experience.