One bad email can move six figures before anyone slows down. For finance teams, business email compromise training can’t live in a once-a-year slide deck.
The latest FBI IC3 reporting tied BEC to $2.77 billion in losses in 2024, across more than 21,000 complaints. Why does this still work? Because attackers study real finance habits, then hide inside them. The fix starts where the risk lives, inside payment approvals, vendor changes, and urgent executive requests.
Why finance workflows attract BEC attackers
Finance staff sit near the money, so attackers study their routines. The FBI keeps warning that business email compromise scams rely on trust, urgency, and impersonation, not flashy malware. For AP, AR, treasury, and controllers, that matters because normal work already includes invoices, remittance updates, wires, and exception handling. As AFP notes for treasury professionals, payment teams remain a top target because they can move funds fast.

Unlike broad phishing, BEC feels tailored. It often looks like a real thread, a known vendor, or a senior leader in a rush. Think of it like a forged signature on a blank check. The message may look simple, but the authority behind it seems real.
Three scenarios show up again and again:
- Fake executive wire request: A message asks for a same-day transfer before a board meeting or market close.
- Vendor bank-change fraud: A supplier “updates” remittance details, then the next payment goes to the attacker.
- Accounts receivable reroute: A customer receives false payment instructions and sends funds to the wrong account.
Each scenario pushes staff to move fast and skip the callback. That’s why training has to do more than teach suspicion. It must teach the next move. Staff need to verify requests with known contact details from the vendor master, ERP, or internal directory, never the email itself. They also need clear separation of duties, so no one person can create, approve, and release a payment. Dual authorization adds another brake when pressure is high.
The red flags and controls staff should rehearse
Most BEC losses happen when a strange request looks normal enough. Training works best when teams practice spotting patterns, then follow the right control without debate. Sloppy writing is no longer a reliable tell, because AI helps attackers write clean emails. Your team needs a short memory aid they can use under pressure.

Use this checklist during training and near payment desks:
- Urgency: “Do this in the next hour” or “I can’t take calls.”
- Secrecy: Pressure to keep a payment quiet or bypass a manager.
- Changed details: New bank data, new beneficiary, or a new reply-to address.
- Near-match domains: One swapped letter, extra word, or different country domain.
- Process avoidance: Requests to skip the portal, ticket, or approval chain.
A short BEC red flags guide from UMB can help reinforce those patterns between formal sessions. Still, red flags only matter when they trigger a control.
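To make the checklist mechanical, here is an added example (not code from the original post) that screens a payment request against those red flags: a near-match domain check against a vendor master, a reply-to mismatch check, and phrase patterns for urgency, secrecy, changed bank details and process avoidance. The trusted domains, the phrase lists and the sample message are constructed for illustration.

```python
import re
from email.utils import parseaddr
# Constructed trusted domains: the vendor master plus the company's own domain (assumption).
TRUSTED_DOMAINS = {"acme-supply.com", "example-corp.com"}
# Phrases mapped to the checklist items; seed these from your own prior attempts.
PATTERNS = {
    "urgency": re.compile(r"\b(next hour|asap|right away|can'?t take calls|urgent)\b", re.I),
    "secrecy": re.compile(r"\b(keep (this|it) (quiet|confidential)|don'?t tell|between us)\b", re.I),
    "changed bank details": re.compile(r"\b(new|updated?) (bank|banking|account|remittance|wiring) (details|instructions|info)\b", re.I),
    "process avoidance": re.compile(r"\b(skip|bypass) (the )?(portal|ticket|approval)", re.I),
}
# Constructed sample request for the screener to run against (not a real message).
SAMPLE = {
    "from": "Dana Lee <dana@acme-supply-billing.com>",
    "reply_to": "ap-remit@acme-supply-billing.net",
    "body": "Release this wire in the next hour using our new bank details. Keep this quiet; I can't take calls.",
}

def levenshtein(a: str, b: str) -> int:
    # Edit distance: a swapped letter or a different country domain scores 1 or 2.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(addr: str) -> str:
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()

def near_match_domain(domain: str, trusted=TRUSTED_DOMAINS):
    # Return the trusted domain this one imitates; None if it is trusted or simply unrelated.
    if domain in trusted:
        return None
    for t in trusted:
        base, tbase = domain.split(".", 1)[0], t.split(".", 1)[0]
        # Small edit distance: swapped letter or TLD swap; substring: an extra word like "-billing".
        if levenshtein(domain, t) <= 2 or tbase in base:
            return t
    return None

def screen(msg: dict) -> list:
    # Return the checklist items tripped; any hit routes the request to callback and approval.
    flags = []
    sender = domain_of(msg["from"])
    if (imitated := near_match_domain(sender)):
        flags.append(f"near-match domain: {sender} looks like {imitated}")
    if msg.get("reply_to") and domain_of(msg["reply_to"]) != sender:
        flags.append("changed details: reply-to differs from sender domain")
    flags += [name for name, rx in PATTERNS.items() if rx.search(msg["body"])]
    return flags
```

A hit never approves or rejects anything on its own; it only decides that the request goes through the callback and approval path rather than straight to payment.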
If bank details change, require callback verification to a trusted number already on file. Don’t use the number in the email signature. If the payment is high-value or out of pattern, use dual authorization with an independent second reviewer. For new vendors or account changes, require a defined payment-change approval procedure, with procurement or vendor management involved when needed. If the message claims executive urgency, staff need an urgent-request escalation path: who to call, how to log it, and when to loop in security.
If an email asks you to bypass process, the process is the answer.
That line matters because it gives finance staff permission to slow down. Good training makes that pause feel normal, not risky.
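As an added example, not the post's own material, the following expresses the control path from the sections above as code: a callback that must go to the vendor-master number rather than one quoted in the email, separation of duties between the request creator and approvers, and dual authorization for high-value or changed-detail payments. The vendor master, the threshold and the staff names are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional
# Constructed vendor master and policy values; not from the original post.
VENDOR_MASTER = {"V-1001": {"phone_on_file": "+1-555-0100", "bank_account": "ACCT-OLD"}}
DUAL_AUTH_THRESHOLD = 10_000  # assumed "high-value" cut-off

class ControlViolation(Exception):
    pass  # raised when a step would bypass a required control

@dataclass
class Payment:
    vendor_id: str
    amount: float
    beneficiary_account: str
    created_by: str
    callback_verified_by: Optional[str] = None
    approvals: List[str] = field(default_factory=list)

def bank_details_changed(p: Payment) -> bool:
    # Any beneficiary that does not match the vendor master counts as a changed detail.
    return p.beneficiary_account != VENDOR_MASTER[p.vendor_id]["bank_account"]

def record_callback(p: Payment, dialed_number: str, verifier: str) -> None:
    # The callback goes to the number already on file, never to one taken from the email.
    if dialed_number != VENDOR_MASTER[p.vendor_id]["phone_on_file"]:
        raise ControlViolation("callback must use the vendor-master number")
    p.callback_verified_by = verifier

def approve(p: Payment, approver: str) -> None:
    # Separation of duties: the creator never approves, and each person approves once.
    if approver == p.created_by or approver in p.approvals:
        raise ControlViolation("approver must be independent of creator and prior approvers")
    p.approvals.append(approver)

def release(p: Payment, releaser: str) -> str:
    # Changed bank details require a completed callback before any release.
    if bank_details_changed(p) and p.callback_verified_by is None:
        raise ControlViolation("changed bank details without callback verification")
    # High-value or out-of-pattern payments need dual authorization.
    required = 2 if (p.amount >= DUAL_AUTH_THRESHOLD or bank_details_changed(p)) else 1
    if len(p.approvals) < required:
        raise ControlViolation(f"{required} independent approval(s) required")
    if releaser == p.created_by:
        raise ControlViolation("creator cannot release the payment")
    return "RELEASED"

def blocked(step, *args) -> bool:
    # True when a control stops the step; used to walk a request through the flow.
    try:
        step(*args)
        return False
    except ControlViolation:
        return True
```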
Building a training program that changes behavior
A one-time awareness session fades fast. Good business email compromise training uses the exact workflows your team handles each week. Pull examples from prior attempts and fresh business email compromise examples so staff can practice on messages that look close to home.

Start with five steps:
- Map high-risk actions: List wires, ACH releases, vendor master changes, payroll updates, refunds, and remittance changes. Then rank them by loss size and frequency.
- Write role-based scenarios: AP needs vendor-change drills. Treasury needs wire and cash movement drills. AR needs fake customer payment-redirection cases.
- Train the control path: Show the callback script, approval record, and escalation route. People move faster when the safe path is obvious.
- Run short drills often: Quarterly simulations beat one long annual session. Add short huddles between them, especially after a real attempt.
- Measure behavior, not attendance: Track callback completion, rejected payment changes, reported suspicious emails, and time to escalate.
Keep the training close to daily work. For example, show a fake vendor-change email, then have staff complete the real callback and approval steps inside a tabletop drill. Include phone-based follow-up scams too, because attackers often pair email with voicemail or a second call. Cover collaboration tools as well, since fake executive requests now show up outside the inbox.
Pair training with basic guardrails, such as strong MFA on finance and executive accounts, email authentication, and mailbox monitoring. Still, tools don’t approve payments; people do. That’s why the strongest programs coach teams on habits, not only on awareness.
One bad email can still move real money, but a trained team can stop it before the funds leave the account. The strongest defense isn’t instinct alone. It’s a repeatable process that finance staff trust and practice.
Review your wire, vendor-change, and approval workflows this quarter. Then train on the exceptions, because attackers live in the exceptions.