If your users receive an email they think is from their manager, chances are they’ll open it. And they’ll probably do what the email asks them to, especially if it’s part of their regular job. The same goes for emails that appear to be from business partners, vendors and customers.

But unfortunately, a growing number of requests like these are fraudulent. They’re not from the person they appear to be. Instead, they’re from an impostor using a lookalike email address—or in some cases, the impersonated sender’s own email account. These email-based financial scams are part of an increasingly common cyber attack known as business email compromise (BEC) and its close relative, email account compromise (EAC).

This guide explains how BEC and EAC attacks work, why they’re so effective and concrete steps you can take to keep your users safe.