The Online Scam That Is Costing Entrepreneurs Thousands

It does not look like a scam. That is the entire point. The email arrives from a familiar address, carries the right logo, references an invoice you are actually expecting, and asks for something completely reasonable — a wire transfer, an updated payment detail, a quick authorization. And then the money is gone. Not stolen through a dramatic hack, not taken by brute force — simply transferred, voluntarily, by someone in your company who had every reason to believe the request was legitimate.

This is the online scam that is costing entrepreneurs thousands — and in many cases, tens or hundreds of thousands — of dollars every year. It goes by several names: Business Email Compromise (BEC), CEO fraud, vendor impersonation, invoice fraud. The FBI has tracked it for over a decade and calls it the most financially devastating form of cybercrime in existence. Since 2013, BEC scams have caused cumulative losses exceeding $55 billion globally. In 2023 alone, the FBI’s Internet Crime Complaint Center received 22,189 BEC complaints with losses of approximately $2.9 billion — and those are only the cases that were reported.

Small and medium-sized businesses are not bystanders to this crisis. They are the primary target. And in 2026, AI has made these attacks dramatically more convincing, more personalized, and more difficult to detect than at any previous point in history. If you run a business and have not specifically addressed this threat, the question is not whether you will be targeted — it is whether you will recognize it when it happens.


Understanding the Scam: Why It Works So Devastatingly Well

Business Email Compromise is not a technical attack in the way most people imagine cyberattacks. There is no dramatic system breach, no ransomware, no stolen files. It is a confidence trick — one engineered with extraordinary precision, patience, and an intimate understanding of how businesses actually operate.

Here is what makes it uniquely effective against entrepreneurs and small business owners:

It Exploits Your Existing Business Relationships

BEC attacks do not arrive from unknown strangers. They arrive from — or appear to arrive from — the people you already trust: your accountant, your largest supplier, your landlord, your own CEO, a client you have worked with for years. Criminals spend weeks studying their targets before striking. They analyze your website, your LinkedIn profile, your press releases, your social media, your publicly available contracts — building a detailed picture of your business relationships, your communication style, your payment processes, and your organizational hierarchy.

Armed with this intelligence, they craft emails that are contextually perfect: referencing real projects, real relationships, real invoice amounts, and real internal dynamics. Modern BEC campaigns now use real compromised email accounts to carry out fraud, because a message from a real account is most convincing. The result is a request that feels not just plausible but expected — the kind of thing you would approve without hesitation on a busy Tuesday morning.

It Weaponizes Urgency and Authority

Every successful BEC attack deploys two psychological levers simultaneously: authority and urgency. The message appears to come from someone with power — a CEO, a CFO, a senior partner, a long-standing vendor. And it carries an implicit or explicit time pressure: “I need this done before I board my flight,” “the client is waiting on this payment,” “this invoice is overdue and they’re threatening to stop services.”

The combination is calculated to suppress the verification instinct. Employees who might normally pause and double-check feel pressured to act quickly to satisfy someone important. The urgency makes caution feel like incompetence or insubordination. And so the transfer goes through.

It Targets the Moments When Verification Is Hardest

Scammers time the attack when a CEO is traveling or a finance leader is out of office, knowing that verification will be harder. An employee who would normally walk over to their manager’s desk to confirm a large wire transfer cannot do so when the manager is on a plane to a client meeting. A finance director who would normally call the vendor to confirm bank account changes cannot easily reach them when it is Friday afternoon and the payment needs to clear before the weekend.

This timing intelligence — knowing when to strike — is part of what makes BEC so effective against small businesses, where operational continuity depends on a small number of people and verification chains are shorter and more informal.


The Seven Most Devastating Scam Variants Targeting Entrepreneurs in 2026

BEC is not a single tactic but a family of related fraud schemes, each adapted to a different business vulnerability. Understanding each variant — how it operates and why it is convincing — is the first line of defense.

1. CEO Fraud / Executive Impersonation

The most classic BEC variant. A criminal impersonates your company’s CEO, owner, or senior executive — either by spoofing their email address to make it appear legitimate, or by actually compromising their email account — and sends an urgent request to someone in your finance or operations team.

The request is typically a wire transfer to an unfamiliar account, framed as a confidential acquisition, an urgent client payment, or a sensitive business matter that cannot be discussed through normal channels. The “confidentiality” framing is deliberate: it discourages the recipient from mentioning the request to colleagues who might raise questions.

Real-world consequences: Many companies, like Snapchat, have lost millions this way. Google and Facebook lost over $100 million collectively to a scammer who simply sent them invoices impersonating a real hardware supplier they used. Because the requests matched ongoing business relationships, employees did not hesitate before paying. If it can happen to the world’s largest technology companies, it can happen to a business of any size.

2. Fake Invoice Fraud / Vendor Email Compromise

This variant is the most common against small and medium-sized businesses, and it is growing fast. In 2022, a quarter of Abnormal Security customers were the target of at least one vendor email compromise attack each month. In 2023, this value increased by 50%, with nearly 40% of customers experiencing a monthly attack.

The mechanics are straightforward and devastatingly effective: criminals either compromise the email account of a vendor you regularly pay, or spoof that vendor’s domain closely enough to pass casual inspection. They then monitor your email correspondence with that vendor — sometimes for weeks — waiting for the right moment: an actual invoice is due, a payment is being discussed, a project is being invoiced for the first time.

At precisely that moment, they send a fraudulent invoice or a “payment detail update” from the vendor’s email, redirecting the payment to a criminal account. The email matches the vendor’s style, references the real project, and arrives exactly when you expect a legitimate message. In practice it looks like this: a scammer posing as one of your trusted vendors emails your accounting team a “new” invoice with “updated” bank details, the employee processes the payment, and just like that, $75,000 is gone.

3. Payroll Diversion

This variant targets your HR or payroll department rather than your finance team. A criminal — impersonating an employee, often using a compromised or spoofed email — sends a request to update their direct deposit banking information before a payroll run. The next paycheck for that employee goes directly to the criminal’s account instead.

For businesses processing payroll for dozens or hundreds of employees, the window of opportunity is wide: many legitimate employees update their banking details periodically, and the request looks entirely routine. The fraud is often not discovered until the legitimate employee notices they did not receive their pay — by which time the funds have been moved and withdrawn.

4. AI-Powered Deepfake Voice and Video Scams

This is the 2026 evolution of BEC — and it represents a quantum leap in attack sophistication. Deepfake voice scams are targeting executives, especially in US enterprises and multinational corporations. Using widely available AI tools, criminals can clone the voice of a CEO or senior executive from as little as three to five seconds of publicly available audio — a YouTube interview, a podcast appearance, a conference recording — and use that voice clone to call an employee directly.

The employee receives a phone call that sounds exactly like their CEO, asking them to authorize an urgent wire transfer. There is no email to scrutinize for a spoofed domain. There is no written text to flag as suspicious. It is just a voice — the voice of someone they know — asking for something urgent. The psychological impact is dramatically more powerful than any written communication, and the verification instinct is almost entirely suppressed.

Deepfake video is the next frontier: criminals have already used AI-generated video impersonations of executives in video calls to authorize fraudulent transactions. As the technology becomes more accessible, high-value targets may face extremely convincing impostors via Zoom or Teams — making even video verification an unreliable safeguard without additional protocols.

5. Business Coaching and Mentorship Scams

Beyond BEC, there is a second major category of scam specifically targeting entrepreneurs: fraudulent business education and coaching programs. Some scammers sell bogus business coaching programs, often using fake testimonials, videos, seminar presentations, and telemarketing calls. They falsely promise amazing results if you pay for their exclusive “proven” system to succeed in business. They may lure you in with low initial costs, only to ask for thousands of dollars later. In reality, the scammers leave budding entrepreneurs without the help they sought and with thousands of dollars of debt.

In 2026, these scams have been supercharged by AI. Criminals use AI-generated social media profiles with fabricated track records, AI-produced testimonial videos, and algorithmically targeted advertising to reach entrepreneurs at their most vulnerable moments — when they are struggling, when they are starting out, when they are looking for guidance and willing to pay for it. The FTC has reported a 30% rise in losses from these schemes.

6. AI Investment and Crypto Trading Bot Scams

Scammers promise high-return investment opportunities, often involving cryptocurrency, AI trading bots, or “exclusive” insider deals. Victims are shown fake dashboards with fake profits to encourage additional deposits. These scams specifically target entrepreneurs because the profile fits: entrepreneurial individuals are accustomed to taking calculated risks, are often looking to grow capital, and are familiar enough with technology to believe that an “AI trading algorithm” could plausibly deliver consistent returns.

The architecture of these scams follows a specific pattern: initial small deposits appear to generate strong returns on a convincing dashboard. The victim is encouraged to deposit more. They attempt to withdraw profits, which requires paying a “fee” or “tax.” Then the platform disappears. AI is being used to create a new level of deception, including “AI washing,” where perpetrators falsely claim their trading tools use AI to improve success. AI-generated trade charts and even realistic renderings of real estate developments are becoming increasingly prevalent in investment schemes.

7. Recovery Scams — The Fraud That Targets Fraud Victims

This may be the cruelest variant of all. After a business has been scammed, criminals posing as recovery services, law enforcement contacts, or fraud specialists approach the victim — often using details from the original scam to sound credible — and offer to recover the lost funds for an upfront fee. The entrepreneur, already financially and emotionally damaged, pays again. The recovery service disappears.

Whether they pose as a recovery agency, a fraud specialist or a government authority, the tell is the same: legitimate recovery services do not charge upfront fees. This rule is absolute: any organization claiming to recover scam losses for an advance payment is itself a scam.


The Numbers: How Much Are These Scams Actually Costing?

The financial scale of these attacks on entrepreneurs and small businesses is not theoretical. The data from law enforcement, cybersecurity researchers, and insurance companies paints a consistent picture of an existential threat to business finances.

  • Business Email Compromise has been reported in all 50 US states and 186 countries, with over 140 countries receiving fraudulent transfers.
  • Among cases investigated by Palo Alto Networks’ Unit 42 in 2023, BEC accounted for 34% of all incidents, with the average financial loss per successful wire fraud reaching $286,000.
  • According to the FBI, the average financial loss per BEC incident exceeds $90,000.
  • Since the popularization of generative AI tools, BEC has gone from being only 1% of all cyberattacks in 2022 to 18.6% of all attacks — a 1,760% year-over-year surge.
  • According to consumer fraud reports, $12.5 billion was lost to fraud in 2024 alone, with billions of those losses originating from scams that started online.
  • Studies show that 60% of small businesses that experience a cyberattack go out of business within six months. For BEC victims who lose $100,000 or more in a single incident, this statistic is not abstract — it is the operating reality.

For an entrepreneur running a business on tight margins, a single successful BEC attack is not a line item — it is a crisis. Wire transfers are generally irreversible. By the time the fraud is discovered, the funds have already been moved through multiple accounts across multiple countries, often converted into cryptocurrency and withdrawn. Banks can sometimes recover funds if the fraud is reported within hours — but the window is narrow and the recovery rate is low.


How Criminals Research You Before Striking

Understanding how BEC attackers prepare their strikes is essential, because it reveals the specific information you should protect and the behaviors you should change.

Before a targeted BEC attack, criminals typically:

Study your website and online presence. Your “About” page tells them your leadership structure. Your “Contact” page tells them who handles specific functions. Your press releases tell them about recent deals, clients, and vendors. Your job postings reveal your internal systems, software, and processes. Everything that helps customers understand your business also helps criminals exploit it.

Mine LinkedIn aggressively. LinkedIn is the single most valuable research tool for BEC attackers. It tells them exactly who handles finance, who reports to whom, when executives are traveling to conferences, what software your company uses, and which vendors you rely on. Threat actors conduct extensive research using LinkedIn, SEC disclosures, and even the target organization’s website to create convincing emails that are more likely to trick employees — and at increasing volumes.

Monitor your email traffic after initial compromise. Once a criminal has compromised an email account, they do not immediately strike. They watch. Within two days of gaining access, inbox rules are typically created to silently forward new messages containing keywords like “invoice,” “transfer,” or “ACH.” This silent surveillance identifies the right moment, the right amount, and the right pretext before the fraudulent request is ever sent.

Map your vendor relationships. Vendor email compromise attacks specifically require knowing which suppliers you pay regularly, how often you interact, what amounts are typical, and what communication style those vendors use. This information comes from compromised email accounts, social engineering of vendor staff, and publicly available business information.
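The silent inbox-rule forwarding described above leaves a trace in the mail platform's audit trail, which is where a defender catches it. The following added example (not code from the article) scores rule-creation events against that pattern; the event shape, the domains and the sample events are all constructed.

```python
"""Flag newly created mailbox rules that fit the silent-forwarding pattern described above.

Added example, not code from the article. The audit events are constructed in a simplified,
vendor-neutral shape (who created the rule, its name, its keyword conditions and its actions);
map your mail platform's own rule-creation audit records into RuleEvent before using this.
"""
from dataclasses import dataclass, field

INTERNAL_DOMAINS = {"company.example"}                                   # constructed
FINANCE_WORDS = {"invoice", "transfer", "ach", "wire", "payment", "remittance", "bank"}
# Folders a mailbox owner rarely opens, so mail moved there is effectively hidden.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "archive", "junk email", "deleted items"}


@dataclass
class RuleEvent:
    user: str                      # mailbox the rule was created in
    rule_name: str
    keywords: list = field(default_factory=list)   # "subject or body contains" conditions
    forward_to: list = field(default_factory=list)
    move_to: str = ""
    delete: bool = False
    mark_read: bool = False


def is_external(addr):
    return addr.rpartition("@")[2].lower() not in INTERNAL_DOMAINS


def assess_rule(ev):
    """Return (score, reasons); each reason is one trait of the attacker pattern the article describes."""
    score, why = 0, []
    hits = {k.lower() for k in ev.keywords} & FINANCE_WORDS
    if hits:
        score += 2
        why.append(f"matches finance keywords {sorted(hits)}")
    external = [a for a in ev.forward_to if is_external(a)]
    if external:
        score += 3
        why.append(f"forwards to external address(es) {external}")
    if ev.delete or ev.move_to.lower() in HIDING_FOLDERS:
        score += 2
        why.append("hides matching mail (deletes it or moves it to a rarely read folder)")
    if ev.mark_read:
        score += 1
        why.append("marks mail as read so the owner never sees it arrive")
    if len(ev.rule_name.strip(". ")) <= 1:
        score += 1
        why.append(f"near-empty rule name {ev.rule_name!r}")
    return score, why


def suspicious_rules(events, threshold=4):
    """Events scoring at or above the threshold, highest first, with their reasons."""
    scored = [(ev, *assess_rule(ev)) for ev in events]
    return sorted((s for s in scored if s[1] >= threshold), key=lambda s: -s[1])


# Constructed events: one attacker rule of the kind the article describes, three ordinary ones.
EVENTS = [
    RuleEvent("cfo@company.example", ".", keywords=["invoice", "transfer", "ACH"],
              forward_to=["cfo.archive@webmail.example"], delete=True, mark_read=True),
    RuleEvent("alice@company.example", "Newsletters", keywords=["newsletter"], move_to="Newsletters"),
    RuleEvent("ap@company.example", "Vendor invoices", keywords=["invoice"], move_to="Accounts Payable"),
    RuleEvent("bob@company.example", "Cover while away", forward_to=["carol@company.example"]),
]

if __name__ == "__main__":
    for ev, score, why in suspicious_rules(EVENTS):
        print(f"{ev.user}: rule {ev.rule_name!r} scored {score}")
        for reason in why:
            print("   -", reason)
```

The legitimate accounts-payable rule scores below the threshold because filing invoices into a working folder is normal; it is the combination of finance keywords, external forwarding and hiding that marks the attacker's rule.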


Red Flags: How to Recognize a BEC Attack in Real Time

The most valuable skill in BEC defense is recognizing the warning signs before the transfer is made. Train yourself and every member of your team to pause and investigate whenever any of the following appear:

  • Any request to change payment details, bank account numbers, or wire transfer destinations — this is the single most reliable indicator of vendor email compromise. Legitimate vendors rarely change bank details, and when they do, they confirm it through multiple channels, not just email.
  • Urgent financial requests combined with a request for confidentiality — “please process this before end of day and don’t mention it to anyone” is a behavioral signature of CEO fraud. Legitimate urgent business does not require secrecy from your own team.
  • An email address that looks almost right but contains a subtle difference — yourvendor.com becomes yourvendor.co, or john.smith@company.com becomes john.smtih@company.com. These minor variations are designed to pass casual inspection.
  • A request arriving when the purported sender is known to be unavailable — a CEO email arriving while the CEO is on a plane, a vendor email arriving outside their business hours, a manager request arriving during their known vacation period.
  • Pressure to bypass normal approval processes — “given the time sensitivity, please just handle this without the usual sign-off” dismantles the verification controls that would normally catch fraud.
  • Requests for payment via wire transfer, cryptocurrency, or gift cards — these are the payment methods criminals prefer because they are effectively irreversible and difficult to trace. If anyone demands payment in one of these ways, treat it as a scam until proven otherwise.
  • Any investment opportunity that shows consistent, unusually high returns — guaranteed or consistent above-market returns from any investment platform, AI trading bot, or cryptocurrency opportunity are the hallmark of fraud. Real investments carry real risk; real returns are variable.
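Several of these red flags can be checked mechanically before a message ever reaches the person who pays invoices. The added example below (not code from the article) scores a message against the lookalike-address, payment-change, urgency-plus-secrecy and approval-bypass indicators listed above; the domain allowlist, known senders, phrase lists and sample messages are constructed.

```python
"""Rule-based triage of an inbound finance e-mail against the BEC red flags listed above.

Added example, not code from the original article. The domain allowlist, known senders,
phrase lists and sample messages are all constructed for illustration.
"""
from email.utils import parseaddr

# Constructed: domains and mailboxes this business legitimately corresponds with.
KNOWN_DOMAINS = {"company.com", "yourvendor.com", "acme-supplies.net"}
KNOWN_SENDERS = {"john.smith@company.com", "billing@yourvendor.com", "ap@acme-supplies.net"}

# Phrase lists for the behavioural indicators named in the article (constructed, lower-case).
URGENCY = ("before end of day", "before i board", "asap", "urgent", "right away", "today")
SECRECY = ("don't mention", "do not mention", "keep this confidential", "between us", "discreet")
PAYMENT_CHANGE = ("updated bank", "new bank", "new account", "change our payment",
                  "updated payment", "updated remittance", "wire instructions")
BYPASS = ("without the usual", "skip the sign-off", "no need for approval", "handle this yourself")


def levenshtein(a, b):
    """Edit distance by the classic row-by-row DP; inputs here are short strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(addr):
    """Known domain or mailbox that this address imitates, or None if exact or unrelated."""
    addr = addr.lower()
    local, _, domain = addr.rpartition("@")
    if addr in KNOWN_SENDERS:
        return None
    if domain not in KNOWN_DOMAINS:
        name = domain.rsplit(".", 1)[0]
        for known in KNOWN_DOMAINS:
            # yourvendor.co vs yourvendor.com: same name with another ending, or a 1-2 letter typo
            if name == known.rsplit(".", 1)[0] or levenshtein(domain, known) <= 2:
                return known
        return None
    for known in KNOWN_SENDERS:
        k_local, _, k_domain = known.rpartition("@")
        # john.smtih@company.com vs john.smith@company.com: near-miss mailbox on the genuine domain
        if k_domain == domain and levenshtein(local, k_local) <= 2:
            return known
    return None


def triage(sender, subject, body):
    """Return (score, reasons) for one message; the caller acts on verdict(score)."""
    score, reasons = 0, []
    _, addr = parseaddr(sender)
    text = f"{subject}\n{body}".lower().replace("\u2019", "'")  # normalise curly apostrophes

    def has(phrases):
        return any(p in text for p in phrases)

    imitated = lookalike(addr)
    if imitated:
        score += 3
        reasons.append(f"sender {addr!r} imitates known {imitated!r}")
    if has(PAYMENT_CHANGE):
        score += 3
        reasons.append("asks to change bank or payment details")
    if has(URGENCY) and has(SECRECY):
        score += 3
        reasons.append("urgency combined with a request for confidentiality")
    elif has(URGENCY):
        score += 1
        reasons.append("urgent financial request")
    if has(BYPASS):
        score += 2
        reasons.append("pressure to bypass the normal approval process")
    return score, reasons


def verdict(score):
    """Anything scoring 3 or more goes to the verbal-verification step, never straight to payment."""
    return "hold: verify by phone on a known number" if score >= 3 else "normal handling"


# Constructed sample messages modelled on the variants the article describes.
SAMPLES = {
    "vendor_bank_change": ("Billing <billing@yourvendor.co>", "Invoice 4471",
                           "Please note our updated bank details for the attached invoice."),
    "ceo_fraud": ("John Smith <john.smtih@company.com>", "Urgent - confidential",
                  "I need this wire sent before I board my flight. Please don't mention it "
                  "to anyone and handle this yourself without the usual sign-off."),
    "legit_invoice": ("Billing <billing@yourvendor.com>", "Invoice 4471",
                      "Invoice 4471 attached, payable in 30 days as usual."),
}

if __name__ == "__main__":
    for name, (sender, subject, body) in SAMPLES.items():
        score, reasons = triage(sender, subject, body)
        print(f"{name}: score={score} -> {verdict(score)}; {'; '.join(reasons) or 'no flags'}")
```

A score is a reason to pause, not a verdict on the sender: the point of the threshold is to route the message to the phone-verification step the next section describes rather than to block or approve it automatically.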

The Defense Playbook: How Entrepreneurs Can Protect Themselves

The good news — and it is genuine — is that BEC and entrepreneur-targeted scams are almost entirely preventable with the right protocols. The attacks succeed because of process failures, not because businesses are technically outgunned. Fixing the process is what closes the door.

Implement a Verbal Verification Protocol for All Financial Requests

This is the single most effective BEC prevention measure available, and it costs nothing to implement. The rule is simple: any request to transfer money or change payment details must be verified by phone, using a number already on file — never a number provided in the suspicious email.

Call your CEO on their known mobile number to confirm the wire transfer request. Call your vendor’s main office number — the one you have used for years — to confirm the bank account change. If the request is legitimate, this call takes 30 seconds and causes no harm. If it is fraudulent, that 30-second call saves you everything.

This protocol must be a formal policy, written down, communicated to every employee who handles financial transactions, and protected from override. An employee who skips the verification call because they were pressured to act urgently must know that following the protocol is the correct behavior — and that slowing down a legitimate request is infinitely preferable to authorizing a fraudulent one.

Require Dual Authorization for Wire Transfers and Large Payments

No single person should have the authority to authorize a significant wire transfer unilaterally. Set a dollar threshold — appropriate to your business size — above which two authorized individuals must separately approve the payment, through separate communication channels. A criminal who has compromised one email account cannot simultaneously compromise the second verifier through a different channel without dramatically increasing their detection risk.

This dual-approval structure is standard practice among larger organizations and should be equally standard in small businesses where the risk per incident is proportionally higher relative to available capital.

Secure Your Email Infrastructure Against Spoofing

As described in the previous article in this series, publishing SPF, DKIM, and DMARC records for your domain lets receiving mail servers detect and reject emails that forge your domain when they are sent to your customers, partners, and employees. These DNS-based protections are free to implement and take under an hour for an IT provider to configure.
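Publishing the records is only half the job; their settings decide whether a receiving server actually rejects forged mail or merely reports on it. The added example below (not code from this article or the earlier one it refers to) parses SPF and DMARC TXT records and grades them, with a deliberately weak pair of records beside an enforcing pair; all record values are constructed.

```python
"""Grade SPF and DMARC TXT records by whether they let receivers reject mail forged in your name.

Added example, not code from this article. The record strings are constructed; in practice you
would read the TXT records published at <domain> and _dmarc.<domain> and pass them in unchanged.
"""
import re

# SPF terms that each cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def term_name(term):
    """'include:_spf.x' -> 'include', '-all' -> 'all', 'ip4:203.0.113.0/24' -> 'ip4'."""
    return re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()


def parse_spf(record):
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    return terms[1:]


def spf_all_qualifier(record):
    """Qualifier on the final 'all' term ('+', '-', '~', '?'), or None if there is none."""
    alls = [t for t in parse_spf(record) if term_name(t) == "all"]
    if not alls:
        return None
    return alls[-1][0] if alls[-1][0] in "+-~?" else "+"   # a bare 'all' means '+all'


def spf_findings(record):
    findings, qualifier = [], spf_all_qualifier(record)
    if qualifier is None:
        findings.append("no 'all' term: unlisted senders get no verdict at all")
    elif qualifier == "+":
        findings.append("'+all' authorises every host on the internet to send as this domain")
    elif qualifier == "~":
        findings.append("'~all' is softfail: forged mail is only blocked if DMARC enforces")
    lookups = sum(1 for t in parse_spf(record) if term_name(t) in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms exceed the limit of 10; receivers return permerror")
    return findings


def parse_dmarc(record):
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record (needs v=DMARC1 and a p= tag)")
    return tags


def dmarc_findings(record):
    tags = parse_dmarc(record)
    findings = []
    policy = tags["p"].lower()
    if policy == "none":
        findings.append("p=none only monitors: forged mail is still delivered to the inbox")
    elif policy == "quarantine":
        findings.append("p=quarantine sends forged mail to spam rather than rejecting it")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing messages")
    sub_policy = tags.get("sp", policy).lower()        # subdomains inherit p= unless sp= is set
    if sub_policy != "reject":
        findings.append(f"subdomain policy is '{sub_policy}': mail forged from any subdomain is not rejected")
    if "rua" not in tags:
        findings.append("no rua= address: you get no aggregate reports showing who is spoofing you")
    return findings


def spoofing_posture(spf_record, dmarc_record):
    """'enforcing' when receivers will reject forged mail; otherwise say what is lacking."""
    tags = parse_dmarc(dmarc_record)
    policy = tags["p"].lower()
    if spf_all_qualifier(spf_record) == "+":
        return "defeated"          # +all lets a forger pass SPF, and a passing SPF satisfies DMARC
    if policy == "reject" and int(tags.get("pct", "100")) == 100 and tags.get("sp", policy).lower() == "reject":
        return "enforcing"
    return "monitor-only" if policy == "none" else "partial"


# Constructed records: the weak 'before' many small businesses publish, and the enforcing 'after'.
WEAK_SPF = "v=spf1 include:_spf.mailprovider.example ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@company.example"
STRONG_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.mailprovider.example -all"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@company.example; fo=1"

if __name__ == "__main__":
    for spf, dmarc in ((WEAK_SPF, WEAK_DMARC), (STRONG_SPF, STRONG_DMARC)):
        print(spoofing_posture(spf, dmarc), spf_findings(spf) + dmarc_findings(dmarc))
```

Moving from the weak pair to the enforcing pair is normally done in stages (p=none with reports, then quarantine, then reject) so that legitimate senders missing from SPF are found in the aggregate reports before they start being rejected.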

Additionally: register similar domains that resemble your company’s name, including common misspellings or alternative domain endings like “.co” or “.net.” Purchasing these lookalike domains prevents criminals from using them to send spoofed communications that mimic your brand.

Enable Multi-Factor Authentication on All Email Accounts

Many BEC attacks begin with a compromised email account — an attacker who has obtained a password through phishing or a credential breach and now has legitimate access to monitor correspondence and send fraudulent emails. Multi-factor authentication prevents this initial compromise: even with the correct password, the attacker cannot log in without the second factor.

Enable MFA on every business email account without exception. This single measure blocks the email account compromise that enables many of the most convincing BEC variants — the ones where the fraud comes from a real, legitimate account rather than a spoofed one.

Train Every Employee Who Handles Money or Data

According to Verizon’s Data Breach Investigations Report (DBIR), 74% of all data breaches involve the human element. Training employees about the threats they could face at work is the single best cyberattack prevention tactic.

Training should specifically address BEC in all its variants — CEO fraud, fake invoices, payroll diversion, deepfake voice calls — with real examples of what these attacks look like. Employees should leave training with a clear, simple answer to the question: “What do I do when I receive an unusual financial request?” The answer should be: pause, verify by phone using a known number, escalate if uncertain, and never feel pressured to skip that step.

Simulated BEC tests — sending fake fraudulent requests to employees and measuring who complies — identify the specific individuals who need additional training and create a culture of vigilance rather than a one-time awareness moment.

Limit the Financial Information Available Online

Avoid posting financial or personnel details online that could help scammers impersonate your organization. Audit your website, your LinkedIn company page, and your social media for information that could assist a criminal in crafting a targeted BEC attack: names of finance staff, details of vendor relationships, descriptions of your payment processes, or any information that reveals your organizational hierarchy in detail.

This does not mean removing all information — your business needs to be findable and credible online. It means being deliberate about what operational details are truly necessary to publish, and recognizing that some information that seems innocuous in isolation becomes valuable intelligence when combined with other publicly available data.

Establish a Recovery Protocol Before You Need One

If a BEC attack succeeds, speed of response is the critical variable in fund recovery. The moment you discover a fraudulent transfer, contact your financial institution and request a recall of the funds along with any necessary indemnification documents. Banks have recovery processes for fraudulent wire transfers, but they are only effective if activated within hours of the transfer — once funds have been moved multiple times or converted to cryptocurrency, recovery becomes nearly impossible.

Your protocol should include: the direct phone number for your bank’s fraud department (not the main customer service line), the contact information for the FBI’s IC3 (ic3.gov) to file a complaint, your cyber insurance provider’s claims contact, and legal counsel experienced in wire fraud cases. Having these contacts pre-established means you can act in minutes rather than hours when a fraud is discovered.


How to Vet Business Opportunities and Avoid Entrepreneur-Specific Scams

Beyond BEC, entrepreneurs face a separate category of scams specifically designed to exploit the entrepreneurial mindset: the willingness to invest in growth, the openness to new opportunities, and the genuine desire to find better tools, mentors, and business solutions.

Apply these filters to any business opportunity, coaching program, investment platform, or service provider before committing money:

  • Verify independently, not through the channels they provide. Any testimonials, case studies, or references provided by the seller should be verified through independent searches — not just the links and contacts they give you, which can be fabricated or controlled.
  • Guaranteed returns are impossible in any legitimate investment. Any platform, algorithm, or advisor that promises consistent, guaranteed returns — in cryptocurrency, AI trading, real estate, or any other asset class — is misrepresenting reality. Legitimate investments carry risk; the absence of disclosed risk is the disclosure of fraud.
  • Urgency is a manipulation tactic, not a business reality. Creating a sense of urgency is the primary tradecraft of financial fraudsters. There is nothing so important that it cannot wait a day or at least a few hours. Any opportunity that closes tomorrow if you don’t act today is using that deadline to prevent the verification that would expose it.
  • Legitimate services do not require payment via wire transfer, cryptocurrency, or gift cards. These payment methods are preferred by scammers because they are irreversible. Credit card payments offer chargeback protection; the refusal to accept card payments is itself a warning sign.
  • Check regulatory registrations for financial services. Anyone offering investment advice, fund management, or financial products should be registered with the relevant regulatory authority — the SEC, FINRA, the FCA (UK), or the appropriate body in your jurisdiction. Unregistered investment advisors operating outside regulatory frameworks are a significant fraud risk. Verify registration through the regulator’s official website, not through documentation the provider supplies.
  • Search the business name plus the words “scam,” “fraud,” and “complaint” before engaging. Fraudulent operations often have victims who have already reported their experiences online. A basic search frequently surfaces warning signs that a surface evaluation of the company’s own materials would never reveal.

What to Do If You Have Already Been Scammed

If you have been the victim of a BEC attack or any other business scam, the instinct is often to keep it quiet — out of embarrassment, fear of reputational damage, or the hope that funds can be quietly recovered. This instinct is understandable and almost always wrong. Here is what to do:

Act immediately. Contact your bank’s fraud department within minutes of discovering a fraudulent transfer. The faster a recall request is made, the higher the probability of recovery. Every hour of delay reduces your chances significantly.

Report to the FBI’s IC3. File a complaint at ic3.gov. This is not merely bureaucratic — IC3 data is used to coordinate multi-agency recovery operations, and your report may be linked to an ongoing investigation that enables recovery action.

Contact law enforcement. File a report with your local police department and, for significant amounts, your country’s relevant cybercrime unit. Police reports are required for insurance claims and support any civil legal action you may pursue.

Notify your cyber insurance provider. If you have cyber insurance, notify them immediately — most policies have reporting time requirements, and delayed notification can affect your claim.

Do not contact “recovery services” that approach you proactively. As noted above, unsolicited offers to recover scam losses are themselves scams. If you want professional assistance, engage a law firm experienced in wire fraud cases through a verified referral from your bank or insurance provider.

Disclose appropriately. If the scam involved customer data or funds, legal disclosure obligations may apply. Consult legal counsel to understand what notifications are required and ensure they are made within the applicable time windows.


Final Thoughts: The Scam That Assumes You Are Busy, Trusting, and Unprepared

The online scam that is costing entrepreneurs thousands works because it makes a set of accurate assumptions about how small businesses operate: decisions are made quickly, trust is extended readily to known relationships, verification processes are informal or nonexistent, and the people handling financial transactions are busy, often multitasking, and not specifically trained to recognize social engineering at the level of sophistication that modern attackers deploy.

Every one of those assumptions can be invalidated. Not through expensive technology — through policy, training, and a cultural commitment to slowing down before money moves.

The phone call that verifies a wire transfer request takes 30 seconds. The training session that teaches your finance assistant to recognize a spoofed email domain takes an hour. The dual-authorization policy that prevents any single person from unilaterally transferring significant funds takes an afternoon to draft and communicate. None of these measures requires a large investment. All of them require a decision that your business is not going to be the next victim.

Make that decision now — before the email arrives. Because when it does arrive, it will look completely legitimate. It always does.


⚠️ Disclaimer: This article is for informational and educational purposes only. Cybersecurity threats, scam tactics, and fraud statistics evolve rapidly. Figures and statistics cited are attributed to their respective sources including the FBI IC3, Verizon DBIR, IBM Security, Palo Alto Networks Unit 42, and other publicly available research. Every business’s risk profile is different — consult a qualified cybersecurity professional to assess your specific vulnerabilities. If you believe you have been the victim of a scam, report it immediately to your bank and to the FBI’s Internet Crime Complaint Center at ic3.gov.
