Business Email Compromise (BEC) is a scam that seeks to defraud a company through email. Because so much of business is conducted through email, it makes this scheme highly damaging if it succeeds. According to the FBI’s 2023 Internet Crime Report, the Internet Crime Complaint Center received 21,489 BEC complaints with adjusted losses of over $2.9 billion last year alone. BEC relies on victim’s trust and carelessness, which is why it is important to be wary of the ways in which this scheme can take place.

Examples of Business Email Compromise

Scenario 1: Fake invoice scheme. You receive an email from a vendor asking you to pay an overdue invoice and to send it to an updated mailing address.

Scenario 2: CEO impersonation. You receive an email from the CEO of your company. She tells you that she needs you to buy gift cards for an upcoming employee appreciation event but to not tell anyone because it’s supposed to be a surprise.

Scenario 3: Data theft. You receive an email request from HR to validate your bank account number before they can issue your paycheck.

In all of these cases, the criminals pretended to be another entity you trust such as your CEO, vendor, or coworker. To push you into responding quickly, criminals stress the urgency of the payment or action. In all of these instances, the criminal was specifically targeting one individual to advance their nefarious behaviors. Because this crime targets individuals, knowing the tactics behind BEC attacks will help you determine an email’s legitimacy.

How does Business Email Compromise work?

In a BEC scheme, fraudsters rely on a few tactics that they hope the victim will not notice.

• Email spoofing. This criminal’s email address could appear to be from a trusted source, but upon further inspection, the address is formatted differently or spelled incorrectly.
  • For example, the fake email address could read “name@yourc0mpany.com” compared with the correct email address reading “name@yourcompany.com.”
• Social engineering. BEC attacks are more difficult to detect because they don’t use malware or other tactics that can be easily monitored by cyber security defenses. Instead, they focus on tricking specific individuals to act on their behalf. If you feel like you are being singled out for a task that you would not normally complete or one that seems odd, it might be fraudulent.

How can you protect your business?

In addition to never sharing your passwords and protecting confidential information, there are a few things your business can do to strengthen its security.

1. Train employees on safe digital habits. Because individuals are the targets of these attacks, making sure each and every employee knows how to stay safe online is a vital first step. To learn more about email safety, read our article on Phishing Attacks.
2. Be aware of strange behavior. Be cautious of unsolicited emails from people you do not know. If in doubt, call the individual who sent you a suspicious message. If that person tells you that they haven’t contacted you regarding the urgent matter, you know that the message was a criminal attack.
3. Call to verify. Make it a habit to call to verify any changes requested by email. This could include requests such as adding a signer, sending a wire, changing phone numbers or email addresses, confirming wire instructions, and anything in between. Calling the person will validate the legitimacy of the request.