Business email compromise, not ransomware, is the highest-dollar cybercrime affecting Florida small businesses. BEC requires no malware and no exploit: at most a phished password, and often nothing more than an email, a convincing pretext, and an employee who follows payment instructions without verification. Florida's concentration of real estate closings, law firm wire transfers, and healthcare billing makes the state one of the top BEC targets nationally. Understanding exactly how each variant works is the first step to stopping it.
- $140M+ in BEC losses reported by Florida businesses in 2025
- $137K average loss per BEC incident
- 0 malware required: BEC is pure social engineering
- 62% of BEC starts with a compromised email account
The 4 BEC Variants Florida Businesses Face
01
CEO / executive impersonation
An email appearing to come from the business owner or a senior executive asks an employee — typically accounts payable or an office manager — to process an urgent wire transfer or purchase gift cards for a client. The email is often sent from a lookalike domain or from a free email account. The urgency, the authority of the apparent sender, and the instruction not to discuss the matter create psychological pressure to act without verification. This variant requires no technical access — only a convincing domain and a publicly available email address.
02
Vendor / supplier impersonation
An email appearing to come from a known vendor notifies the business that the vendor's banking information has changed and that future payments should go to a new account. The email may be a domain spoof or lookalike of the real vendor, or it may come from the vendor's genuine, compromised email account, in which case it arrives inside the real conversation thread and passes every SPF, DKIM, and DMARC check. The business processes the next payment to the attacker-controlled account, often without realizing anything is wrong until the vendor follows up about the missed payment weeks later. Only a callback to a number already on file catches this variant reliably.
03
Real estate wire fraud
Attackers, usually working from a compromised mailbox belonging to one of the parties (an agent, a title company, or a law firm), monitor the email thread between buyers, sellers, real estate agents, title companies, and law firms to learn when closing funds will be wired. When wire instructions are sent by email, the attacker sends the buyer a replacement set of instructions, from the compromised account or a lookalike domain, with attacker-controlled account details substituted. The victim wires closing funds, which can be hundreds of thousands of dollars, to the wrong account. This variant is endemic in Florida given the state's real estate transaction volume.
04
Payroll diversion
An employee or someone impersonating an employee contacts HR or payroll with a request to change direct deposit information before the next payroll cycle. If the request is processed without identity verification, the next payroll deposits into the attacker-controlled account. This variant is especially effective against businesses using email-based HR processes without a separate identity verification step for banking changes.
Technical Controls That Stop BEC
- MFA on all email accounts: blocks the password-only account takeover that starts most BEC. An attacker reading and replying from inside a real mailbox is far more convincing, and far harder to detect, than an external spoofer. Caveat: SMS codes and push approvals can be phished by adversary-in-the-middle kits that proxy the real login page and steal the signed-in session, so put phishing-resistant MFA (FIDO2 security keys or passkeys) on finance, HR, and executive accounts, and disable any legacy authentication protocols that skip MFA entirely.
- Email authentication (SPF, DKIM, DMARC with p=reject): tells receiving mail systems to refuse mail that claims to be from your exact domain but was not sent by your authorized servers. It does not stop lookalike domains (yourcompany-inc.com instead of yourcompany.com), which the attacker registers and can authenticate perfectly well; those need the impersonation detection below. A domain at p=none is monitoring only, and spoofed mail is still delivered. Start there with a rua= reporting address, fix any legitimate senders the reports show failing, then move to quarantine and finally reject. In Microsoft 365, DKIM signing with your custom domain is off until you publish the selector CNAMEs and enable it for that domain.
- Email filtering with impersonation detection: flags mail where the display name claims to be an executive or a known vendor but the sending address or domain does not match, and catches the lookalike domains DMARC cannot. Microsoft Defender for Office 365 (Plan 1 or 2, not plain Exchange Online Protection) has this in its anti-phishing policies: list the executives to protect, enable domain impersonation for your own and key vendor domains, turn on mailbox intelligence, and set the action to quarantine rather than only a warning tip.
- Out-of-band verification procedure: the process control that no technical tool can replace, because a request sent from a genuinely compromised vendor or executive mailbox passes every email check. Any change to payment details, and any new or urgent payment instruction, is confirmed by a phone call to a number already on file from before the request, never to a number in the email or its signature. A request to change that phone number gets the same treatment. Document the procedure, train on it, and enforce it with no exceptions for urgency or seniority.
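The email authentication item above, as an added example that is not code from the original article or from Simply IT: a PowerShell script that parses a domain's DMARC record, and the trailing mechanism of its SPF record, and reports the settings that leave the domain spoofable. The record strings and domain names are constructed for illustration; the optional live lookup assumes Resolve-DnsName (the Windows DnsClient module) is available.

```powershell
# Added example, not from the original article or from Simply IT.
# Parses DMARC and SPF records and flags weak settings. Sample records below are constructed.

function ConvertFrom-DmarcRecord {
    param([Parameter(Mandatory)][string]$Record)
    # DMARC is "tag=value" pairs separated by semicolons; tag names are case-insensitive.
    $tags = @{}
    foreach ($pair in ($Record -split ';')) {
        $pair = $pair.Trim()
        if (-not $pair) { continue }
        $name, $value = $pair -split '=', 2
        $tags[$name.Trim().ToLower()] = ([string]$value).Trim()
    }
    return $tags
}

function Test-DmarcRecord {
    param([Parameter(Mandatory)][string]$Domain, [Parameter(Mandatory)][string]$Record)
    $t = ConvertFrom-DmarcRecord -Record $Record
    $findings = [System.Collections.Generic.List[string]]::new()

    if ($t['v'] -ne 'DMARC1') { $findings.Add('v=DMARC1 missing or wrong: receivers ignore the whole record') }
    $policy = [string]$t['p']          # cast so a missing tag reaches the switch as '' (switch skips $null)
    switch ($policy) {
        'reject'     { }
        'quarantine' { $findings.Add('p=quarantine: spoofed mail lands in junk instead of being refused') }
        'none'       { $findings.Add('p=none: monitoring only, spoofed mail is still delivered') }
        default      { $findings.Add('p= tag missing: nothing is enforced') }
    }
    if ($t['sp'] -and $t['sp'] -ne 'reject') {
        $findings.Add("sp=$($t['sp']): subdomains enforce less than the organizational domain")
    }
    if ($t.ContainsKey('pct') -and ($t['pct'] -as [int]) -ne 100) {
        $findings.Add("pct=$($t['pct']): policy applied to only a sample of failing mail")
    }
    if (-not $t['rua']) { $findings.Add('rua= missing: no aggregate reports, so you cannot see who is spoofing you') }

    [pscustomobject]@{
        Domain   = $Domain
        Policy   = $policy
        Enforced = ($findings.Count -eq 0)
        Findings = $findings.ToArray()
    }
}

function Test-SpfRecord {
    param([Parameter(Mandatory)][string]$Domain, [Parameter(Mandatory)][string]$Record)
    $findings = [System.Collections.Generic.List[string]]::new()
    if ($Record -notmatch '^v=spf1\b') { $findings.Add('not an SPF record') }
    $last = ($Record.Trim() -split '\s+')[-1]
    # DMARC only credits an SPF "pass"; anything weaker than -all still lets spoofs through somewhere.
    switch -Regex ($last) {
        '^-all$'   { }
        '^~all$'   { $findings.Add('~all: softfail; receivers without DMARC still deliver the spoof') }
        '^\?all$'  { $findings.Add('?all: neutral, equivalent to no policy') }
        '^\+?all$' { $findings.Add('+all: every sender on the internet is authorized') }
        default    { $findings.Add("record does not end in an all mechanism: '$last'") }
    }
    [pscustomobject]@{ Domain = $Domain; Enforced = ($findings.Count -eq 0); Findings = $findings.ToArray() }
}

# Optional live lookup; assumes the Windows DnsClient module (Resolve-DnsName) is present.
function Get-DmarcRecord {
    param([Parameter(Mandatory)][string]$Domain)
    Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction Stop |
        Where-Object { $_.Strings -match 'v=DMARC1' } |
        ForEach-Object { -join $_.Strings } | Select-Object -First 1
}

# Constructed samples: the first is how most small-business domains are found,
# the second is the enforced state the article recommends.
$samples = [ordered]@{
    'weak.example'     = @{ dmarc = 'v=DMARC1; p=none; pct=50';
                            spf   = 'v=spf1 include:spf.protection.outlook.com ~all' }
    'enforced.example' = @{ dmarc = 'v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@enforced.example; adkim=s; aspf=s';
                            spf   = 'v=spf1 include:spf.protection.outlook.com -all' }
}
foreach ($domain in $samples.Keys) {
    $d = Test-DmarcRecord -Domain $domain -Record $samples[$domain].dmarc
    $s = Test-SpfRecord   -Domain $domain -Record $samples[$domain].spf
    '{0}: DMARC p={1} enforced={2}; SPF enforced={3}' -f $domain, $d.Policy, $d.Enforced, $s.Enforced
    ($d.Findings + $s.Findings) | ForEach-Object { "  - $_" }
}
```

Run as written, weak.example is reported for p=none, the pct=50 sampling, the missing rua= address, and the ~all SPF ending, while enforced.example reports clean. Swap the constructed strings for the output of Get-DmarcRecord to audit a real domain; the same parser works on records pulled from any DNS tool.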
// Did You Know?
When an attacker takes over a business email account, one of the first things they do is create an inbox rule that deletes incoming mail from certain senders or with certain words in the subject (invoice, payment, wire, password), or moves it to a folder the owner never opens (RSS Feeds, Archive, Deleted Items), often under a one-character name that is easy to miss. This hides the attacker's conversation with the victim's vendors and customers, and the security alerts about the new sign-in, from the legitimate account owner; rules or mailbox settings that forward mail to an outside address serve the same purpose. Checking for rules the user did not create is one of the fastest ways to identify an active account compromise before a fraudulent transfer occurs. The user can look in Outlook under Settings > Rules; an administrator can sweep every mailbox at once with Exchange Online PowerShell (Get-InboxRule), since the Microsoft 365 and Exchange admin centers do not list users' inbox rules. Microsoft 365 also ships default alert policies for forwarding rules and suspicious inbox manipulation rules; make sure someone actually receives them.
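The inbox-rule check described above, as an added example that is not code from the original article or from Simply IT: an Exchange Online PowerShell sweep that lists every mailbox's inbox rules, flags the ones that hide or forward mail, lists mailbox-level forwarding, and pulls the audit-log events showing who created the rules and from which IP address. It assumes the ExchangeOnlineManagement module, an account holding an Exchange administrator role, and audit logging enabled in the tenant; the folder and keyword lists are this example's own choices, not a Microsoft list.

```powershell
# Added example, not from the original article or from Simply IT.
# Hunts for attacker-created inbox rules across all user mailboxes in Microsoft 365.
# Assumes: ExchangeOnlineManagement module, Exchange admin role, unified audit log enabled.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive sign-in

# Folders owners rarely open, so mail moved there effectively disappears (example's own list).
$hidingFolders = 'RSS Feeds|RSS Subscriptions|Archive|Deleted Items|Junk|Conversation History|Notes'
# Subjects a BEC actor wants hidden: payment traffic and the alerts that would reveal the takeover.
$becKeywords   = 'invoice|payment|wire|\bach\b|bank|remit|deposit|w-?2|password|mfa|sign-?in|security alert|suspicious'

$rules = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    ForEach-Object { Get-InboxRule -Mailbox $_.PrimarySmtpAddress -IncludeHidden }

$suspicious = foreach ($r in $rules) {
    $reasons = @()
    if ($r.DeleteMessage) { $reasons += 'deletes mail' }
    if ($r.MoveToFolder -and "$($r.MoveToFolder)" -match $hidingFolders) { $reasons += "moves mail to $($r.MoveToFolder)" }
    if ((@($r.ForwardTo).Count + @($r.ForwardAsAttachmentTo).Count + @($r.RedirectTo).Count) -gt 0) {
        $reasons += 'forwards or redirects mail'
    }
    if ($r.MarkAsRead) { $reasons += 'marks mail read' }
    $words = (@($r.SubjectContainsWords) + @($r.BodyContainsWords) + @($r.SubjectOrBodyContainsWords)) -join ' '
    if ($words -match $becKeywords) { $reasons += "targets keywords: $words" }
    if (([string]$r.Name).Trim().Length -le 2) { $reasons += "near-empty rule name '$($r.Name)'" }
    if ($reasons) {
        [pscustomobject]@{
            Mailbox = $r.MailboxOwnerId
            Rule    = $r.Name
            Enabled = $r.Enabled
            Reasons = $reasons -join '; '
        }
    }
}
$suspicious | Sort-Object Mailbox | Format-Table -AutoSize

# Forwarding set on the mailbox itself, outside any inbox rule, is a second hiding place.
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object PrimarySmtpAddress, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward

# Who created or changed rules in the last 30 days, and from where. Outlook desktop logs
# rule edits as UpdateInboxRules; Outlook on the web and PowerShell log New-/Set-InboxRule.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -Operations 'New-InboxRule','Set-InboxRule','UpdateInboxRules' -ResultSize 5000 |
    ForEach-Object {
        $a = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{ When = $_.CreationDate; User = $_.UserIds; Operation = $_.Operations; ClientIP = $a.ClientIP }
    } | Sort-Object When -Descending | Format-Table -AutoSize
```

Treat a hit as an incident, not a cleanup task: export the rule with Get-InboxRule -Mailbox <user> -Identity <rule> | Format-List * before removing it with Remove-InboxRule, because the rule text and the audit-log IP address are the evidence the insurance carrier and any law-enforcement report will ask for. Then reset the password, revoke active sessions, check the sign-in logs for the IP the audit record shows, and call every vendor and customer the hidden conversation involved.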
// Key Takeaway
BEC is stopped by the combination of MFA on email accounts, DMARC enforcement on your domain, impersonation detection in your email filter, and a documented payment verification procedure that does not allow email alone to authorize a wire transfer. Simply IT implements and manages all four for North Central Florida businesses — and produces the audit documentation that cyber insurance carriers require when a BEC claim is filed.
Get a Free Email Security Assessment →