Key Highlights
- Real Examples, Real Risks: Explore eight real Business Email Compromise (BEC) script examples that show exactly how cybercriminals trick employees into acting fast.
- Local Insight: See how these scams are impacting Cleveland–Akron–Canton businesses — and what makes local organizations especially vulnerable.
- Human-Centric Defense: Understand why technology alone isn’t enough — and how your employees can become your strongest line of defense.
- Red Flags to Watch For: Learn the subtle signs that separate a legitimate message from a scam — from urgent tone to suspicious requests.
- Practical Prevention Steps: Get quick verification checklists and real-world tips you can share with your team today.
- Actionable Training Advice: Discover how ongoing security awareness training helps build a “human firewall” that stops attacks before they start.
8 BEC Script Examples to Know
One of the biggest cybersecurity threats facing Northeast Ohio businesses isn’t a high-tech hack; it’s a simple email sitting quietly in your inbox.
Business Email Compromise (BEC) is a social engineering scam where cybercriminals impersonate someone your team trusts — a vendor, coworker, or executive. They might hijack a legitimate email account or create one that looks almost identical. From there, they send convincing messages designed to trick employees into wiring funds, sharing credentials, or revealing sensitive information.
These attacks are more common than most people realize. According to the FBI’s 2024 Internet Crime Report, BEC was the second-costliest type of cybercrime last year, leading to nearly $2.8 billion in reported losses — and that’s only what was officially tracked.
8 Business Email Compromise (BEC) Script Examples
What’s the best defense against Business Email Compromise? Recognizing it before it happens.
Cybercriminals have become masters of persuasion. Their emails often look legitimate — especially when your team is moving fast and juggling priorities. But when employees know what red flags to look for, they can stop these attacks before they ever cause damage.
The examples below show how Business Email Compromise (BEC) schemes typically play out in real workplaces. We recommend sharing these with your finance, HR, and leadership teams — anyone who might handle payments, vendor communications, or sensitive data.
A quick pause to double-check an email or confirm a request could save your organization thousands of dollars, or more.
1. The “CEO Needs a Favor” Scam
Why it works: people want to be helpful, especially when a request looks like it’s coming from the CEO. Cybercriminals exploit that trust by spoofing an executive’s email (or using an address that looks nearly identical) and pairing the request with pressure and secrecy so nobody stops to verify.
Email example:
Hi [Employee Name],
I’m tied up in meetings for a sensitive acquisition. I need you to process an urgent wire transfer of $45,000 to this new vendor account by EOD. Please keep this confidential until the deal is announced. Let me know once it’s done.
Sent from my iPhone.
Red flags to watch for:
- Unusual channel for financial requests (email instead of the normal procurement process).
- Message appears to be from an executive but the email address is slightly off (extra letter, different domain).
- Strong sense of urgency (“by EOD”), especially paired with “confidential” or “don’t tell anyone.”
- Request asks for immediate money movement or sensitive account info.
Quick verification checklist
- Hover over the sender’s email to check the full address; don’t just read the display name.
- Call the executive or their assistant on a known phone number (not the number in the email). If they’re truly tied up, confirm with a quick voice message or text to a verified number.
- If it’s a payment request, confirm with Finance using your team’s payment authorization policy (e.g., required verbal approval for transfers above $X). If no policy exists, pause and ask for written proof through the normal vendor onboarding/payment workflow.
2. The “We Changed Banks” Scam
This one’s especially sneaky because it doesn’t ask for money right away; it just sets the trap.
In this version of a Business Email Compromise (BEC) attack, a scammer pretends to be one of your trusted vendors and sends a routine update: “We’ve changed banks. Here are our new payment details.”
At first glance, everything seems legitimate. Your finance team updates the vendor profile in your system; no red flags yet. But the next time an invoice comes through, the payment goes straight to the scammer’s account instead of your actual vendor.
The worst part? You might not realize what happened until weeks later, when your real vendor reaches out asking why their payment is late.
Email example:
Hi Accounts Payable Team,
This is a notification that [Vendor Name] has updated its banking information for all future invoice payments. Please replace our old account details with the new information in the attached form.
Let us know if you have any questions.
Red flags to watch for:
- A request to update financial information by email, especially from an unfamiliar sender domain.
- Attachments or forms requesting you to “update bank details.”
- Vendor email that looks slightly off (extra letters, missing dot, or domain change).
- The email feels routine but slightly rushed or impersonal.
Quick verification checklist
- Call your known vendor contact directly to confirm the change (never use the phone number in the email).
- Require dual approval for any banking updates — especially for wire or ACH accounts.
- Keep a vendor-change log and review it monthly to ensure all changes were verified.
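The dual-approval and vendor-change-log controls from this checklist, written out as an added example (it is not AtNetPlus’s tooling and not part of the original post). It assumes a vendor master record that keeps a phone number on file: a callback only counts if it was made to that number, two different approvers must each record one before the bank account is updated, and the monthly review returns requests still awaiting verification. The vendor, phone numbers and account values in the usage are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List


@dataclass
class Vendor:
    """Constructed vendor master record. The phone number on file is the only number a
    verification callback may use; a number supplied in the change email never counts."""
    name: str
    phone_on_file: str
    bank_account: str


@dataclass
class BankChangeRequest:
    vendor: str
    new_account: str
    requested_on: date
    source: str                                              # where the request arrived from
    callbacks: Dict[str, str] = field(default_factory=dict)  # approver -> number dialed
    applied: bool = False


class VendorChangeLog:
    """Banking changes are logged, need callbacks from two different approvers to the
    number on file, and only then touch the vendor record."""

    def __init__(self, vendors: List[Vendor], required_approvals: int = 2):
        self.vendors = {v.name: v for v in vendors}
        self.required = required_approvals
        self.entries: List[BankChangeRequest] = []

    def request_change(self, vendor: str, new_account: str, source: str,
                       requested_on: date) -> BankChangeRequest:
        if vendor not in self.vendors:
            raise KeyError(f"unknown vendor {vendor!r}")
        req = BankChangeRequest(vendor, new_account, requested_on, source)
        self.entries.append(req)
        return req

    def record_callback(self, req: BankChangeRequest, approver: str, number_dialed: str) -> bool:
        """One approver confirms the change by phone. Rejected if the number is not the one
        on file (for example, it came from the email) or the same approver counts twice."""
        if number_dialed != self.vendors[req.vendor].phone_on_file:
            return False
        if approver in req.callbacks:
            return False
        req.callbacks[approver] = number_dialed
        return True

    def apply_if_verified(self, req: BankChangeRequest) -> bool:
        """Update the vendor's bank account only once dual approval is on record."""
        if req.applied or len(req.callbacks) < self.required:
            return False
        self.vendors[req.vendor].bank_account = req.new_account
        req.applied = True
        return True

    def monthly_review(self, year: int, month: int) -> List[BankChangeRequest]:
        """Requests from the month that are still unverified: the ones to chase or close."""
        return [r for r in self.entries
                if (r.requested_on.year, r.requested_on.month) == (year, month)
                and not r.applied]


if __name__ == "__main__":
    # Constructed walk-through: one vendor, one "we changed banks" email, two approvers.
    log = VendorChangeLog([Vendor("Acme Supplies", "+1-330-555-0100", "111111")])
    req = log.request_change("Acme Supplies", "999999", "email: new bank details", date(2025, 3, 4))
    print("applied before any callback:", log.apply_if_verified(req))            # False
    print("callback to number in email:", log.record_callback(req, "alice", "+1-330-555-0199"))
    print("callback to number on file:", log.record_callback(req, "alice", "+1-330-555-0100"))
    print("second approver:", log.record_callback(req, "bob", "+1-330-555-0100"))
    print("applied after dual approval:", log.apply_if_verified(req))             # True
    print("still pending this month:", len(log.monthly_review(2025, 3)))
```

The point of the design is that the change request and the verification are separate records: the email can propose anything it likes, but the account field only moves when two people have independently reached the vendor at the number the organization already had.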
3. The “Urgent Legal Matter” Scam
This one preys on fear and formality. Most employees don’t want to get on the wrong side of a legal issue, and cybercriminals know it.
In this scam, the cybercriminal impersonates an attorney who claims to be managing a “confidential” matter for your company. The tone is professional, the language sounds official, and the pressure is immediate.
Typically, they target employees who don’t usually work with your company’s legal team. That makes it easier to slip past suspicion and harder for the employee to confirm whether the request is legitimate. The email often warns against discussing the matter with anyone else, discouraging verification and creating a false sense of urgency.
Email example:
Subject: URGENT & CONFIDENTIAL: Time-Sensitive Legal Matter
[Employee Name],
I’m representing your company in a confidential merger. We need an immediate wire of $85,000 as part of a down payment.
Due to disclosure restrictions, this cannot be discussed with anyone — including your manager. Please process the transfer to the attached account and confirm via email only.
Red flags to watch for:
- The email demands confidentiality and discourages verification.
- The message is highly formal, using legal language or references to “mergers,” “settlements,” or “regulatory matters.”
- The sender’s email domain looks unfamiliar or uses free mail services (like Gmail or Outlook).
- Requests for large payments with “can’t tell anyone” instructions.
Quick verification checklist
- Always confirm unexpected legal or financial requests by phone using known, verified contacts.
- If an email insists on secrecy, treat that as a major red flag.
- Encourage your team to loop in management immediately if something feels off; no question is ever “too small” to double-check.
4. The W-2 Data Request Scam
Not every Business Email Compromise (BEC) scam is about wiring money. Some go after something even more valuable: your employees’ personal information.
This scam tends to surface around tax season, when W-2 requests feel routine. The attacker impersonates a senior executive and emails HR asking for a full list of employee W-2s, complete with names, addresses, and Social Security numbers. The email might claim it’s for an audit, a leadership review, or tax preparation.
Because the request looks like it’s coming from someone high up, and because HR teams handle sensitive data every day, it can feel natural to respond quickly without thinking twice. But once that information is sent, the attacker can use it for identity theft, fraudulent tax filings, or sell it on the dark web for future attacks.
The fallout goes beyond your organization; it directly affects every employee whose data was exposed.
Email example:
Hi [HR Employee Name],
I need a PDF copy of all employee W-2s for 2024 for a quick review with the board.
Can you please send them to me by the end of the day? I have an early meeting tomorrow and need to prepare tonight.
Thanks,
[Executive Name]
Red flags to watch for:
- The email appears to come from leadership, but the sender’s domain is slightly off.
- The tone sounds casual but urgent — a mix that’s often deliberate.
- The request asks for a bulk download of sensitive information like W-2s, Social Security numbers, or payroll records.
- Timing lines up with tax season or end-of-year reporting deadlines.
Quick verification checklist
- Confirm all sensitive data requests verbally with the person asking — especially if it involves payroll or tax records.
- Require a second approval for any request involving employee personal data.
- Store and transmit W-2s only through secure, approved systems — never as email attachments.
5. The “Stranded Executive” Scam
This scam tugs at the heartstrings, and that’s what makes it so effective. The attacker pretends your CEO or another executive is in distress while traveling: they’ve lost their wallet, had a medical emergency, or are stuck without access to funds. The message feels urgent, emotional, and personal, designed to make someone act fast out of concern.
It’s not just about money; it’s about emotion. Cybercriminals know that when employees think a trusted leader is in trouble, their first instinct is to help. Some attackers even follow up with a phone call, using a stressed or panicked tone to increase the pressure and push for an immediate transfer.
Email example:
Subject: Urgent Help Needed!
[Employee Name],
I’m in a terrible situation. I’m at a conference in London and my wallet was stolen with all my cards inside. I need you to wire $5,000 to a contact here so I can cover my hotel and get a temporary passport.
Please handle this right away — I’ll reimburse you as soon as I’m back. I’m counting on you.
Red flags to watch for:
- The message plays heavily on emotion: panic, distress, or guilt.
- The “executive” asks for personal help rather than going through normal company channels.
- The email or phone number doesn’t match the executive’s usual contact information.
- The request bypasses your company’s normal payment or approval process.
Quick verification checklist
- Pause before reacting. Scammers count on emotional urgency to bypass logic.
- Confirm through an alternate channel: call or text the executive using their known number, or reach out to their assistant.
- Follow your payment verification process. Never send funds based solely on an email or call without secondary confirmation.
6. The “No Time for Questions” Scam
This scam relies on pressure and authority, two things that can make even confident employees hesitate. The attacker impersonates a senior executive and sends a commanding email that leaves no room for questions. The tone is clipped, urgent, and absolute: “I need you to process this wire transfer immediately.”
It’s effective because it triggers a natural response: when someone in leadership gives a direct order, most people want to act quickly and do their job well. The scammer often adds a believable reason why normal approval steps can’t happen: they’re boarding a flight, in a meeting, or dealing with a “confidential” situation. The result? The employee feels like verifying the request would be overstepping.
Email example:
[Employee Name],
I’ve approved a wire transfer of $120,000 to our new logistics partner. The details are attached.
I’m about to board a flight and will be unreachable, so this needs to be completed within the next hour without fail. Please confirm once it’s done.
Red flags to watch for:
- The email uses commanding, authoritative language.
- Mentions of urgency paired with inaccessibility (“boarding a flight,” “in meetings”).
- The sender discourages any back-and-forth or questions.
- The message bypasses normal checks and balances for financial approval.
Quick verification checklist
- Pause and breathe. Scammers rely on emotional urgency; take a moment to assess.
- Verify through another channel. Call or message the executive using their verified contact info.
- Follow internal policy. Any wire transfer — especially over preset thresholds — should require multi-person approval, no matter who requests it.
7. The “You’re My Go-To Person” Scam
Why it works: flattery lowers defenses. When someone in leadership singles you out as “reliable” or “discreet,” it feels good, and that feeling can shortcut normal caution. Scammers use praise to create a sense of personal trust, then follow it with a request that bypasses normal controls.
Email example:
[Employee Name],
You’re one of the most reliable people on our team and I need someone discreet for a special task. I want to surprise the department with gift cards to thank everyone for their hard work this quarter. Could you purchase 20 gift cards at $250 each and send me the codes? Let’s keep this between us for now.
Red flags to watch for:
- The message opens with personal praise or flattery from an executive who doesn’t normally communicate that way.
- The request asks you to act outside of normal purchasing or approval processes (buying gift cards, sending codes, etc.).
- Urgency plus secrecy: “keep this between us” or “don’t tell anyone.”
- The request asks for prepaid payment methods (gift cards, crypto, wire to personal accounts) instead of standard vendor processes.
Quick verification checklist
- Pause and note the emotional trigger: recognition can make you want to move quickly.
- Verify the request through an alternate channel (call the executive or their assistant on a known number).
- Use your company’s purchasing policy: large or unusual purchases should go through Finance/Procurement and require documented approvals.
- If asked to send gift card codes, escalate to your manager or Finance immediately instead of forwarding them.
8. The “Keep This Confidential” Scam
If an email ever asks you to keep a financial request secret, that’s your biggest red flag.
Scammers know that the moment you talk to someone else — a colleague, your manager, or the real executive — the scheme collapses. That’s why they build secrecy into the message itself. The goal is to isolate you and stop you from following your normal approval process.
To make the secrecy sound legitimate, they’ll add a believable backstory: maybe it’s a surprise acquisition, a confidential legal matter, or employee bonuses that haven’t been announced yet. The story gives you a reason to stay quiet, but that’s exactly how they win.
Here’s the truth: legitimate business doesn’t operate in the dark. Real financial procedures rely on transparency and checks to protect everyone involved.
Email example:
[Employee Name],
I’m working on a confidential project and need your help. This is highly sensitive and cannot be discussed with anyone in the finance department.
Please process an invoice for a consultant — the details are attached. Handle this personally and confirm once the funds are sent.
Red flags to watch for:
- The sender insists on secrecy and discourages communication with others.
- The message frames the request as a “confidential project,” “private deal,” or “sensitive matter.”
- It bypasses normal payment channels or financial review steps.
- The tone is authoritative yet isolating; it makes you feel trusted and pressured.
Quick verification checklist
- If someone says “don’t tell anyone,” that’s a signal to tell someone immediately.
- Confirm with leadership or finance before processing any confidential financial request.
- Review your organization’s payment approval workflow; if it’s being skipped, stop and verify.
Human-Centric Security: Empowering Your Strongest Defense
While technology like email filters, authentication tools, and advanced detection systems plays an important role in protecting your inbox, no software can catch every threat. Business Email Compromise (BEC) attacks are designed to slip past those safeguards by targeting something technology can’t replicate: human trust.
That’s why a human-centric approach to security is essential. Your employees aren’t the weakest link; they’re your first line of defense when they’re empowered with the right knowledge and confidence to question suspicious activity.
Building this “human firewall” takes more than a once-a-year training video. It requires ongoing education, real-world phishing simulations, and clear, simple procedures for reporting anything that doesn’t feel right. By fostering a culture of curiosity and awareness, you help your team understand that verifying a request isn’t an inconvenience; it’s a professional safeguard that protects your entire organization.
When employees feel trusted, informed, and supported, they don’t just avoid mistakes; they actively strengthen your cybersecurity posture every single day.
Strengthen Your Human Firewall with AtNetPlus
At AtNetPlus, we believe cybersecurity isn’t just about technology; it’s about people. From the front desk to the finance department, every employee plays a role in keeping your organization secure. Our team helps Northeast Ohio businesses build that human firewall through ongoing security awareness training, simulated phishing exercises, and practical tools that make safe decisions second nature.
Because when your employees understand what to look for — and feel confident speaking up — you’re not just defending your data; you’re protecting your people, your reputation, and the trust you’ve built with your community.
Ready to take the next step? Let’s strengthen your first line of defense together.
Frequently Asked Questions
What is Business Email Compromise (BEC), and how does it work?
Business Email Compromise is a targeted scam where cybercriminals impersonate someone your team trusts (a vendor, coworker, or executive) through email. Using social engineering tactics, they trick employees into sending payments or sharing sensitive information. Attackers often spoof (or hack into) real accounts to make their messages look legitimate and convincing.
What warning signs should I look for in a suspicious email?
Watch for social engineering techniques like:
- Unexpected payment or banking requests.
- Pressure to act immediately or “keep it confidential.”
- Slightly altered email addresses (like an extra letter or missing dot).
- Requests that bypass normal approval or verification steps.
When in doubt, pause and verify before taking action; even a quick call can prevent a costly mistake.
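A defender-side check for the warning signs listed in this answer and under the first scam example (a look-alike sender domain, a display name that does not match the executive’s real address, a free mail provider, a Reply-To that differs from the sender, and urgency, secrecy or payment language). This is an added example, not part of the original post and not an AtNetPlus product. The corporate domain, executive name, vendor domain, keyword lists and the two sample messages are constructed for the example; a real deployment would load the reference data from the directory and the vendor master.

```python
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional

# Constructed reference data: the organization's own domain, an executive whose name is
# likely to be spoofed, a trusted vendor domain, and free mail providers the article names.
CORPORATE_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}  # display name -> real address
TRUSTED_VENDOR_DOMAINS = {"acme-supplies.com"}
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}

# Phrases that mirror the article's red flags: urgency, secrecy, and money or data.
URGENCY_TERMS = ("urgent", "immediately", "by eod", "end of the day", "right away",
                 "within the next hour")
SECRECY_TERMS = ("confidential", "keep this between us", "don't tell anyone",
                 "cannot be discussed", "discreet")
PAYMENT_TERMS = ("wire", "transfer", "gift card", "bank details", "banking information",
                 "invoice", "w-2", "social security")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, enough to catch an extra letter, a swapped pair or a dropped dot."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, known_domains) -> Optional[str]:
    """Return the trusted domain that `domain` imitates (1-2 edits away, not identical)."""
    for known in sorted(known_domains):
        if 0 < edit_distance(domain, known) <= 2:
            return known
    return None


def bec_red_flags(raw_email: str) -> List[str]:
    """Check one plain-text message against the article's red flags; returns the flags hit."""
    msg = message_from_string(raw_email)
    display_name, address = parseaddr(msg.get("From", ""))
    address = address.lower()
    domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    flags: List[str] = []

    imitated = lookalike_of(domain, TRUSTED_VENDOR_DOMAINS | {CORPORATE_DOMAIN})
    if imitated:
        flags.append(f"lookalike domain: {domain} resembles {imitated}")
    if domain in FREE_MAIL_DOMAINS:
        flags.append(f"free mail provider: {domain}")
    # Display name says "executive", address says otherwise: the display-name spoof.
    real_address = EXECUTIVES.get(display_name.strip().lower())
    if real_address and address != real_address:
        flags.append(f"display name '{display_name}' but sender is {address}")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != address:
        flags.append(f"reply-to {reply_to} differs from sender")

    if any(term in text for term in URGENCY_TERMS):
        flags.append("urgency language")
    if any(term in text for term in SECRECY_TERMS):
        flags.append("secrecy language")
    if any(term in text for term in PAYMENT_TERMS):
        flags.append("payment or sensitive-data request")
    return flags


# Constructed sample messages: one modelled on the "CEO needs a favor" script, one routine.
SCAM_EMAIL = """\
From: Jane Doe <jane.doe@example-corpp.com>
To: ap@example-corp.com
Subject: Quick favor

Hi,
I'm tied up in meetings for a sensitive acquisition. I need you to process an urgent
wire transfer to a new vendor account by EOD. Please keep this confidential.
"""

ROUTINE_EMAIL = """\
From: Jane Doe <jane.doe@example-corp.com>
To: ap@example-corp.com
Subject: Team lunch Friday

Reminder that the team lunch is Friday at noon. See you there.
"""

if __name__ == "__main__":
    for label, raw in (("scam", SCAM_EMAIL), ("routine", ROUTINE_EMAIL)):
        print(label, "->", bec_red_flags(raw) or ["no red flags"])
```

The keyword lists are deliberately coarse: the value of a check like this is not a verdict but a prompt, so a message that trips the sender checks plus urgency or secrecy language is routed to the verification steps in the checklists above rather than straight to Finance.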
What’s the first thing I should do if I suspect a BEC attempt?
Stop and don’t interact with the message. Don’t reply, click links, or open attachments.
Instead:
- If you accidentally sent information or funds, contact your IT department right away; time matters.
- Verify the request using a known, trusted contact method (like a saved phone number or company directory).
- Report the suspicious email to your IT or finance team immediately.
How can Northeast Ohio businesses prevent BEC attacks?
The best defense is awareness and process. Local businesses can:
- Build a supportive culture where employees feel comfortable slowing down and asking questions before acting.
- Provide regular security awareness training for employees.
- Enforce multifactor authentication for financial or vendor changes.
- Use email filtering and authentication tools (like SPF, DKIM, and DMARC).
How do BEC emails differ from standard phishing attacks?
Standard phishing emails are sent in bulk and often include malware or fake login links.
BEC emails, on the other hand, are personalized and deliberate; they usually don’t contain links at all. Instead, attackers rely on psychological manipulation to convince one trusted person to take one costly action.
Why are finance and HR teams frequent targets?
- Finance teams are targeted because they handle money, invoices, and vendor payments.
- HR teams are targeted because they manage valuable personal data — from Social Security numbers to payroll records — that can be sold or used for identity theft.
Because these roles handle sensitive or high-value information, they’re often first in line for social engineering attacks. Ongoing awareness training can make a huge difference in catching these red flags early.