Business Email Compromise Without Malware

There is a comforting idea, still built into most security thinking, that an email attack has to carry something. A malicious link. An infected attachment. A hidden script. Find the payload, block the payload, and you have blocked the attack. It is a tidy model, and it is why so much money still leaves organisations through email. The most expensive email attacks carry no payload at all. The weapon is the request, written in plain words, and there is nothing for a scanner to find.
Business email compromise is the name for this. It is not a virus and not a phishing page. It is an email, often short and polite, that persuades a person with legitimate access to move money or hand over data. No malware is involved because none is needed. The whole attack is a sentence a human is willing to act on.
The most costly attack is also the emptiest
The scale is not a rounding error. The FBI's Internet Crime Complaint Center recorded 2.77 billion dollars in reported business email compromise losses in 2024 alone, across 21,442 complaints, making it the second costliest category of cybercrime that year by dollars lost. Looking wider, the Bureau has put the global exposed losses from this scam at more than 55 billion dollars across a decade of reporting. These are not losses from exotic malware. They are wire transfers and changed bank details, authorised by employees who believed they were doing their job.
What should unsettle a security team is that almost none of this is stopped by the controls built to catch payloads. There was no attachment to detonate, no link to detonate it, no signature to match. The email that cost the money looked exactly like a normal email, because in every technical sense it was one.
Why there is nothing to scan
A traditional email defence is, at heart, a payload inspector. It follows links to see where they lead, opens attachments in a sandbox, checks files against known malware, and matches messages to signatures of past attacks. Against an email carrying something dangerous, this works. Against business email compromise, it has nothing to inspect.
Consider what a typical BEC message actually contains. The sender looks legitimate, either a genuine account that has been compromised or a lookalike domain that a busy eye will not question. The subject is routine: an updated invoice, a change of payment details, a quick favour. The body is a few plain sentences. There is no attachment and no link. Run that through a payload inspector and every check comes back clean, because every check is looking for something that is not there. The gateway is not failing. It is answering the wrong question. It asks whether the email carries a weapon, when the weapon is the instruction the email is carrying out.

The plays are all variations on one move
Business email compromise takes a handful of recognisable shapes, but every one of them is the same underlying trick: borrow authority or trust, then ask a person to do something with money or data.
In executive fraud, the message appears to come from a chief executive or senior leader, and it leans on hierarchy and haste: buy these gift cards for a client, approve this transfer before the deadline, keep it quiet because it is sensitive. In vendor or supplier fraud, the most lucrative variant, the attacker poses as a genuine supplier and sends updated bank details for an invoice that was already expected, so the next legitimate payment lands in the wrong account. In payroll diversion, an email that appears to come from an employee asks HR to update their bank details before payday. In legal or acquisition impersonation, an attacker invokes a confidential deal and a trusted adviser to justify an unusual, urgent payment.
The surface differs, but the mechanism does not. Each one substitutes a convincing identity and a plausible context for any technical exploit. There is nothing to detonate, only someone to persuade.
The email that empties an account is not the one carrying a virus. It is the one carrying a sentence, from someone you trust, asking you to do something you are allowed to do.
Why fluent AI made this worse
If the whole attack is words, then anything that makes the words more convincing makes the attack more dangerous. That is exactly what has happened, and it is the same shift we describe in why AI reached the scammers first. An attacker can now research a target quickly, match the house style of a specific finance team, reference a real supplier and a real invoice cycle, and write a request that reads precisely like the legitimate ones. The payload-free attack was always the hardest to catch on appearance. Fluent generation has made its appearance flawless.
It also blends with the techniques covered in why the most convincing phishing email is now completely boring. A hijacked email thread is the perfect delivery vehicle for a payload-free request, because the trust is already established and the request arrives inside a conversation the victim was part of. Boring and empty are a natural pair: an ordinary-looking message with nothing to scan.
What actually stops a payload-free attack
If there is no payload to inspect, detection has to move to the only things left: who is really sending this, and does the request make sense. Neither can be faked by writing well.
Identity comes first, and it goes deeper than the display name. Is the sending domain authenticated, and does it truly belong to the party it claims to be, or is it a lookalike registered recently. In a compromised-account case, the domain is genuine, so the tell is behavioural: an account suddenly emailing people it never has, or asking for something it never asks for. Relationship history matters next. Has this sender ever corresponded with this recipient, has this supplier ever changed bank details this way before, is this the normal channel for this kind of request. And intent matters most of all, because the defining feature of BEC is the ask. A message that seeks to move money, redirect a payment, change bank or payroll details, or extract sensitive data carries risk that is independent of how politely it is phrased. A system that reads that intent, and weighs it against what is normal for this specific sender and recipient, is judging the thing that actually makes the email dangerous.
This is the level Osiris is built to work at. Instead of asking whether an email carries a payload, it investigates the request behind it: whether the sender is really who they appear to be, whether this conversation has ever behaved this way, whether the action being requested fits the relationship, and it explains what it found rather than returning a silent verdict. An empty email survives a payload check precisely because it is empty. It does not survive a question about whether the request itself makes sense.
What to do about it
Two shifts follow. The first is procedural and belongs to the business, not the security tool: any change to payment or payroll details, and any unexpected request to move money, should be verified through a second channel every time, using a known contact rather than the details in the email. This single habit defeats most vendor and payroll fraud, because it breaks the attacker's one advantage, which is that the request looks like it came from the right person.
The second is technical. Stop relying on payload inspection as the test for whether an email is safe, because the costliest attacks carry no payload. The layer that catches business email compromise has to read identity, relationship and intent, and be able to explain why a message that looks perfectly ordinary is in fact a request that does not add up.
Frequently asked questions
Can an email be dangerous with no link or attachment? Yes, and these are among the most costly attacks there are. Business email compromise uses plain text to persuade someone with legitimate access to move money or share data. There is no malicious payload because none is needed. The instruction is the attack.
Why do email filters miss business email compromise? Most email defences are built to inspect payloads: they follow links, sandbox attachments and match malware signatures. A BEC email has none of those, so every technical check comes back clean. The filter is not broken, it is looking for a weapon that is not there while the weapon, the request, goes unexamined.
What are the main types of BEC? The common variants are executive fraud (a fake message from a senior leader requesting gift cards or an urgent transfer), vendor or supplier fraud (fake updated bank details for a real invoice), payroll diversion (a fake employee request to change bank details), and legal or acquisition impersonation (an urgent, confidential payment tied to a supposed deal). All of them borrow trust and ask a human to act.
How much does business email compromise cost? The FBI's IC3 reported 2.77 billion dollars in BEC losses in 2024 in complaints it received, and has estimated global exposed losses of more than 55 billion dollars over a decade. It is consistently among the costliest categories of cybercrime by money lost.
How do you actually detect a payload-free BEC email? By moving away from payload inspection and toward context: whether the sender is genuinely who they claim to be, whether the account is behaving normally, whether this relationship has ever involved this kind of request, and whether the intent of the message, to move money or change details, makes sense here. Those signals, weighed together, reveal an attack that has nothing for a scanner to find.
Key takeaways
The most expensive email attacks carry no malware, no link and no attachment. Business email compromise is a plain-text request that persuades an authorised person to move money or data, and the FBI records it among the costliest cybercrime categories year after year. Payload-inspecting defences miss it because there is no payload to inspect. Every variant, executive fraud, vendor fraud, payroll diversion, legal impersonation, works by borrowing a trusted identity and asking for a normal-looking action. Fluent AI and hijacked threads make the request harder than ever to doubt. The only reliable defence is to verify money and detail changes through a second channel, and to detect on identity, relationship and intent rather than on a payload that is not there.
See how Osiris reads the request, not the payload
Osiris investigates the intent behind every email, sender identity, relationship history and the action being requested, so a message with nothing to scan is still judged on whether it makes sense. See how Osiris approaches inbound email, or talk to us about your environment.
Sources
- FBI Internet Crime Complaint Center, 2024 Internet Crime Report (BEC losses of 2.77 billion dollars across 21,442 complaints in 2024): https://www.ic3.gov/AnnualReport/Reports/2024_IC3Report.pdf
- FBI IC3 Public Service Announcement, Business Email Compromise: The 55 Billion Dollar Scam (September 2024): https://www.ic3.gov/PSA/2024/PSA240911
- Cloudflare, what is business email compromise (payload-free, social-engineering nature of BEC): https://www.cloudflare.com/learning/email-security/business-email-compromise-bec/