Business Email Compromise (BEC)

What is Business Email Compromise (BEC)?

Business Email Compromise is a type of cybercrime where the scammer uses email to trick employees or customers into releasing confidential company information or sending money. The fraudster will create an account with an email address almost identical to one on the company network. They will pose as a trusted figure such as a company executive, important customer or long-time vendor using this fake email account, then ask for a fake bill to be paid or for sensitive company data. BEC is one of the most financially damaging online crimes and exploits the fact that so many of us rely on email to conduct business.

In a BEC scam, the hacker will send an email message that appears to come from a trusted source making a legitimate request.

For example:

  • A new homebuyer will receive an email from their mortgage company with updated wire instructions of where to send their down payment.
  • A vendor you have been working with for years sends you an email with a new mailing address to send checks.
  • Another trusted vendor may give you updated wire instructions or ACH payment instructions to send payments.
  • A company CFO may request an employee initiate a wire transfer for something urgent.
  • The CEO of a business may ask their assistant to purchase gift cards for an event and to email them back with the serial numbers and PINs for tracking purposes.
  • The CEO may ask one of their Senior Managers to process a wire transfer for them because they are out of the office and need it to get done ASAP.

How Do Criminals Conduct BEC Scams?

Spoof email accounts and websites – A slight variation of a legitimate email address or company website address can fool the receiver into thinking the fake account is real.

For example:

  • Real email address: ryan.smith@123company.com vs. Fake email address: ryan-smith@123company.com
  • Real email address: ryan.smith@123company.com vs. Fake email address: ryansmith@123company.com
  • Real website: www.google.com vs. Fake website: www.gooogle.com

Malware – Software that is installed on a computer without the user’s consent and performs malicious actions such as stealing personal information. Malware can infect your computer through files or software downloaded from websites that are not reputable, through links clicked in phishing emails, and through email attachments such as pictures and documents.

Spear-phishing – Phishing method that targets specific people or groups within an organization.

  • A typical attack is done with an email and an attachment, with the goal of having an individual open both the email and attachment.
  • Spear phishing attackers do research before an attack to learn more about the individuals and company they are about to target. They use social media, out-of-office notifications from the company (which reveal how it formats email addresses), and any other publicly available information.
  • These attackers want to gain access to an individual’s account or impersonate a specific person in the company. The end goal of a spear-phishing attack is to get someone to divulge personal information or to perform a task that could cause a monetary loss or network compromise.

According to the FBI, There Are Five Main Types of BEC Scams

  1. Account Compromise – An employee’s email account is hacked and used to request invoice payments to vendors listed in their email contacts or from prior emails. Payments are then sent to fraudulent bank accounts.
  2. Attorney Impersonation – The hacker will pose as a lawyer or legal team member and pressure or manipulate the employee into sending data or requesting a wire transfer. These types of attacks often occur through email or phone, are marked as urgent, and happen at the end of the business day, when the victims are low-level employees without the knowledge or authority to question the validity of the communication or request.
  3. CEO Fraud – The attacker will pose as the CEO or another C-level executive. They usually target someone in the finance area, claiming the request is urgent and sensitive in nature. The employee is then tricked into sending money to an account controlled by the fraudster.
  4. False Invoice – The fraudster will pose as a vendor and request payment from an employee for a service. The vendor is known to the company, so an invoice from them is not out of the norm. The invoice may be edited to look exactly like one the company has received in the past, but the attacker has altered the account details so the money will be sent to the account of the fraudster, not the actual vendor.
  5. Data Theft – In this attack, the hackers are going after sensitive data. They may target your HR department or finance department to obtain personal information about your employees or customers. They then sell that information on the dark web or keep it handy for future attacks.

How Does a BEC Scam Work?

  1. Identity Research – The hacker will do thorough research of their target and determine what identity they want to assume.
  2. Employee Research – Once the hacker finds the identity they want to assume, they need to learn more about their target. They may use the company website for contact information and to see how email addresses are formatted. Another major find for these hackers is social media, using sites like Facebook and LinkedIn to research names, titles, and responsibilities.
  3. Attack Prep – Now the attacker needs to prepare for their upcoming attack. This could include creating fake email accounts, posting a fake company website, setting up fraudulent bank accounts and creating fake invoices.
  4. Launch Attack – The attacker will use their fake identity to manipulate or pressure a target to take a desired action. They will often create a false sense of urgency and pressure to make sure the target does not have time to discuss the situation with another employee or fully think about the scenario. If the attack is successful, the hacker will end up with the transfer of money or sensitive personal/company data.

Common Targets of a BEC Scam

  • C-Suite Executives – They tend to have a more public profile which makes it easy for a hacker to perform research. These individuals also have a lot of power and information. When they ask someone to perform a task, most employees will not question the validity or ask questions.
  • Finance Team Members – These team members usually manage everything from vendor payments, wire transfers, to payroll, plus they have access to a lot of sensitive information. A hacker can potentially scam someone in finance to pay a false invoice, request an update to a vendor’s payment details and even divert payroll to a fake account.
  • HR Team - Human Resources has information that a hacker would love to get at such as employee social security numbers, pay stubs, bank account details, personal contact information and other sensitive data. A hacker would use this data to sell on the dark web, which can then be used in future scams and thefts.
  • New or Entry Level Employees – Hackers will go after newly hired employees because they are often unfamiliar with the company’s policies and procedures. They may also not know who to ask to verify certain requests or feel uncomfortable questioning someone in a role above them.

How Do You Protect Your Employees and Business?

  • A company’s first line of defense against a BEC attack is its employees. It is essential that a business create a cybersecurity training program that covers social engineering techniques. Some items to include in training:
    • What constitutes an unusual or inappropriate request from an executive at your company?
    • What are the proper policies and procedures for financial requests made at your company, and who is approved to conduct such activity?
    • Effective use of dual control.
    • What are the proper processes for managing vendor invoices?
    • What is the protocol for managing urgent requests?
    • Examples of how a hacker may use fear, intimidation, or sense of urgency to manipulate an employee.
    • How to identify spoofed email addresses or domains and how to identify emails originating outside of your organization.
  • Be concerned if the requester is urging you to act quickly.
  • Verify payment and purchase requests in person, if possible, or by calling the person to make sure it is legitimate.
  • Always verify any change in account number or payment instructions with the person making the request. Do a callback using a phone number you have for them, not one contained in the email request.
  • Be careful with what you download. Never open an email attachment or click on a link in an email from someone you do not know.
  • Do not click on anything in an unsolicited email or text message asking you to update or verify account information. Look up the company’s phone number or website on your own – do not use a number or link the potential scammer is providing.
  • Carefully examine the email address, URL, and spelling in any correspondence – scammers use slight differences to trick your eyes and gain your trust.
  • Be careful with what information you share online or on social media. By openly sharing things like schools you attended, pet names, family members, and your birthday, you can give the scammer all the information they need to guess your passwords or answer security questions.
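The lookalike addresses shown earlier (ryan-smith vs. ryan.smith, gooogle.com vs. google.com) and the training item on identifying spoofed or external senders describe a check that a mail gateway or a SOC triage script can automate. The Python below is an added example, not code from the article; the trusted-sender list, the vendor address and the 0.85 similarity threshold are constructed placeholders to be tuned for a real environment.

```python
import re
from difflib import SequenceMatcher

# Constructed sample data: addresses and domains the organisation already trusts.
# ryan.smith@123company.com is the article's own example; the vendor address and
# the similarity threshold are made-up placeholders to tune for your environment.
KNOWN_SENDERS = {"ryan.smith@123company.com", "invoices@acme-vendor.example"}
INTERNAL_DOMAINS = {"123company.com"}
DOMAIN_SIMILARITY_THRESHOLD = 0.85

def normalize_local(local_part: str) -> str:
    """Drop the separators a lookalike address usually varies ('.', '-', '_')."""
    return re.sub(r"[._-]", "", local_part.lower())

def assess_sender(address: str) -> dict:
    """Classify a From: address as known, suspicious, unknown or invalid.

    'matches' lists (reason, trusted address it resembles) for a suspicious verdict.
    """
    addr = address.strip().lower()
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        return {"verdict": "invalid", "external": True, "matches": []}
    external = domain not in INTERNAL_DOMAINS
    if addr in KNOWN_SENDERS:
        return {"verdict": "known", "external": external, "matches": []}
    matches = []
    for known in sorted(KNOWN_SENDERS):
        k_local, _, k_domain = known.rpartition("@")
        ratio = SequenceMatcher(None, domain, k_domain).ratio()
        if domain == k_domain and normalize_local(local) == normalize_local(k_local):
            matches.append(("lookalike-local-part", known))  # ryan-smith vs ryan.smith
        elif domain != k_domain and ratio >= DOMAIN_SIMILARITY_THRESHOLD:
            matches.append(("lookalike-domain", known))  # gooogle.com vs google.com style
    return {"verdict": "suspicious" if matches else "unknown",
            "external": external, "matches": matches}

def banner(address: str) -> str:
    """Subject-line tags a mail gateway could prepend so the recipient sees the risk."""
    result = assess_sender(address)
    tags = ["[EXTERNAL]"] if result["external"] else []
    if result["verdict"] == "suspicious":
        tags.append("[LOOKALIKE SENDER]")
    return " ".join(tags)
```

A hit on either rule is a reason to pause and verify the request by callback, not proof of fraud; a "known" verdict does not rule out a compromised account, so payment-change requests still need out-of-band confirmation.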

What If My Company Falls Victim to a BEC Scam?

It is vital that your company acts quickly.

  • Contact your financial institution immediately.
  • Contact your local police department.
  • Contact your local FBI field office to report the crime.
  • Also, file a complaint with the FBI’s Internet Crime Complaint Center (IC3).
  • Report the scam to the Federal Trade Commission (FTC) through its Report Fraud page.
  • Contact your IT support.