What is Business Email Compromise and How to Educate Your Clients
Key Highlights
- The FBI’s Internet Crime Complaint Center (IC3) estimates 2023 losses for business email compromise scams to be $2.9 billion.[1]
- According to Nationwide research, 22% of small businesses and 14% of mid-market businesses have already experienced a business email compromise scam.
- Email, websites, phone calls, and apps are common ways hackers deliver malware to a user’s computer or phone.[2]
- Business email compromise scams should be reported to the business’s local FBI field office and logged through the FBI’s IC3.
What is business email compromise (BEC)?
Cybercriminals continue to become more sophisticated, leveraging a wide range of tactics in order to attack their targets. One tactic that has increased in frequency and complexity over the past few years is the use of business email compromise (BEC) scams. In fact, according to Nationwide research, 22% of small businesses and 14% of mid-market businesses have already experienced a BEC scam.
A BEC scam is when a cybercriminal impersonates a seemingly legitimate source within their targets’ trusted networks (e.g., a senior-level employee, supplier, vendor, business partner or other organization) via email.
Cybercriminals use these emails to gain the trust of their target and trick them into believing they are communicating with a genuine sender. From there, the cybercriminal convinces their target to wire money, share sensitive information (e.g., customer and employee data, proprietary knowledge or trade secrets) or engage in other compromising activities.
BEC vs. phishing: What is the difference?
While BEC scams and phishing attacks are both cybercrimes stemming from fraudulent emails, there are some distinctions to consider, particularly as they relate to their approach, goals and objectives. Consider the following:
- Phishing: Phishing typically involves sending large amounts of email to a broad audience in an attempt to trick recipients into revealing sensitive information or clicking suspicious links. Often, phishing attacks are widespread and indiscriminate and have the ultimate goal of stealing personal information or spreading malware.
- BEC scams: BEC scams are highly targeted attacks on an entity where the perpetrator impersonates a high-level employee or trusted partner. Typically in BEC scams, the attacker gains access to a legitimate email account or carefully crafts a spoofed email that closely mimics the real one. BEC scams target specific employees—especially those with access to an organization’s finances—in an effort to trick them into making large financial transactions or obtaining sensitive corporate information.
Overall, phishing attempts cast a large net, while BEC scams focus on manipulating specific individuals within a targeted organization for financial gain or data theft.
What is the difference between spear phishing and BEC?
Both spear phishing and BEC scams are sophisticated forms of email-based cyberattacks that involve impersonation and social engineering. However, there are nuances to be aware of when comparing these two cybercrimes. Consider the following:
- Spear phishing: Spear phishing is a form of phishing where an attacker personalizes an email to a specific individual or organization. Unlike phishing emails that are generally broad in nature, spear phishing emails will often use specific details related to the target to make the message appear more credible. For instance, an attacker may impersonate a colleague to trick the recipient into revealing sensitive information, clicking on a malicious link or downloading a harmful attachment. In general, the goal of spear phishing scams is to steal personal information, gain unauthorized access to systems or install malware on a network.
- BEC scams: BEC scams are also highly targeted email attacks; but, unlike spear phishing attempts, BEC scams almost exclusively focus on deception within a business context. During a BEC scam, an attacker will impersonate a high-ranking executive or trusted business partner using a compromised or convincingly spoofed email account. One of the primary objectives of BEC scams is to trick the recipient (typically an individual in a financial or executive role) into authorizing large financial transactions or giving up proprietary business information.
Overall, while both spear phishing and BEC involve targeted attacks, spear phishing generally aims at gaining access to personal or organizational data, while BEC is more focused on financial fraud and corporate espionage. It’s also worth noting that BEC scams are sometimes referred to as CEO fraud and are often more about tricking executives and getting money, while anyone could be a target of spear phishing attacks. Further, BEC scams use spear phishing tactics, but not all spear phishing attempts can be classified as a BEC scam.
Common business email compromise scams
While cybercriminals will employ different tactics to deploy a BEC, these emails often follow similar scenarios. The following are some of the most common types of BEC fraud:[3]
- External payment fraud: Using this tactic, cybercriminals pretend to be a business’s supplier and request fund transfers to complete an invoice. The strategy relies on social engineering and is often achieved using a spoofed email.
- CEO fraud: With CEO fraud, scammers pose as high-level executives and request wire transfers or sensitive information. Attackers aren’t afraid to use psychology to their advantage. These criminals know that impersonating an individual or organization and urging immediate action can be incredibly persuasive. Often, these types of attacks threaten loss, punishment or added risk. Further, CEO fraud schemes often create a sense of urgency, pressuring the target to act quickly and impulsively.
- Email account compromise: In these types of BEC scams, an executive’s or employee’s email account is hacked directly. Then, the account is used to request invoice payments to vendors listed in their email contacts.
- Social engineering: Social engineering is a cyberattack method where a cybercriminal leverages human behaviors—such as a trust of authority, fear of conflict and promise of rewards—to gain access to technology, systems, funds or data. Social engineering attacks can be carried out in a variety of ways, including via digital impersonation, deceitful messages or malicious software (known as malware).
- Credential phishing: Credential phishing refers to cyberattacks where a malicious actor attempts to steal usernames and passwords. To accomplish this, the cybercriminal will typically send a fraudulent email or message that appears to come from a trusted source (e.g., a well-known company, financial institution or service provider). Within the message, the attacker will either ask for login information directly or include a link to a fake login website that closely resembles a legitimate one. Once the victim logs into the fake website, the attacker will have gained unauthorized access to the account.
Understanding the different types of BEC scams is crucial, as it can inform employee training and other preventive measures.
A business email compromise example within the insurance industry
The following is a real-world BEC claim example: The insured company was owed $50,000 by one of its customers for work the insured had performed. Via encrypted email, the insured relayed instructions on how to wire the money to its bank account. However, cybercriminals sent a fraudulent but very similar email to the customer, directing the funds to a different account. The email address used by the cybercriminals was designed to look like a legitimate account that the insured would use. Once those funds entered the fraudulent bank account, they were quickly withdrawn by the criminals and never recovered.
In this claim, expenses were limited to first-party losses incurred directly by the insured. The $50,000 amount stolen by the cybercriminals was refunded after subtracting the self-insured retention amount. Yet it’s possible in other similar scenarios that an insured might incur other first- or third-party losses. Costs related to forensic investigation, business interruption costs, notification costs, privacy fines or penalties can all be covered under cyber liability insurance policies. In this example, however, prompt action to review the pertinent loss documents, perform the investigation and evaluate coverage under the policy brought the matter to a swift and less costly conclusion.
How to prevent business email compromise scams
Some of the most common and difficult-to-spot strategies hackers use are BEC scams. In total, the FBI confirmed that global losses stemming from BEC scams have already surpassed $43 billion.[4] In addition to tricking companies into wiring money, criminals can use BEC scams to get employees to divulge sensitive data, financial information, proprietary information, and trade secrets. Despite the potential losses, 35% of small businesses and 33% of mid-market businesses still don’t feel adequately educated on BEC scams.
As such, educating clients is essential to minimizing the risk of BEC fraud. Even the best security system will fail if a company’s staff is tricked into wiring money or providing sensitive information to criminals. To help protect clients against BEC, agents should consider sharing the following strategies that businesses can employ:
- Set clear policies: Businesses should create policies that limit or eliminate the amount of sensitive information that is made available to employees, customers, and the general public. Organizations should never allow employees to give out sensitive information, such as passwords and credit card numbers, over the phone. As a rule, avoid emailing personal or financial information.
- Prohibit employees from posting work-related information on social media websites: BEC scammers may spend weeks or even months learning about an employee’s habits and tendencies before deploying their fraudulent email. A simple post about being out of the office for a short length of time could be all the information an attacker needs to pull off a scam.
- Train employees: Include BEC training as part of larger cybersecurity education initiatives. This training should include interactive examples of BEC scams that relate directly to your employees’ work activities. Employees should be instructed to avoid clicking on anything in an unsolicited email. Employees should also be encouraged to carefully examine email addresses and URLs in emails before taking any action, asking questions along the way if they feel they have received something potentially harmful. Employees should be overly suspicious of emails, particularly those that:
- Come from unrecognized senders
- Ask them to confirm personal or financial information
- Aren’t personalized
- Are vague
- Are particularly urgent
- Include threatening, frightening and persuasive language
- Verify payment and purchase requests: When possible, verify purchase requests in person. Additionally, those in charge of transferring funds or making payments should confirm any change in account numbers or payment procedures with the person making the request using contact information already on file — not the contact information found in the email requesting the change.
In the event a company falls victim to a BEC scam, it’s important for them to act quickly in response to the cyberattack. Business email compromise scams should be reported to the business’s local FBI field office or through the FBI’s Internet Crime Complaint Center (IC3).
Cyberattack prevention
Cyberattacks, including BEC scams, aren’t going away. In fact, they’re becoming more sophisticated. It’s not enough to simply install antivirus and anti-malware software to prevent BEC scams. To truly protect your clients, it’s crucial that they and their employees stay aware and up-to-date on protection strategies against cyberthreats.
That includes researching and investing in technology solutions that can provide additional defenses against BEC scams. Software solutions, for example, can advise recipients when an email is from an external source, prevent an email from getting through if malware is detected, enforce basic password requirements, and provide even more sophisticated phishing attack detection tools. A small upfront investment may prevent a large loss down the road.
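As an added example, not code from Nationwide or from any vendor or source the page cites, the Python script below shows the kind of automated checks that the suspicious-email list above and the software solutions just described perform: tagging senders outside an allow-list of the organization’s own and known-vendor domains, spotting a lookalike sender domain of the sort used in the claim example, flagging a Reply-To header that silently diverts replies elsewhere, and noting urgency and payment language. The trusted domains, the keyword list, the homoglyph table and both sample messages are constructed for this example; a real deployment would source the allow-list from the vendor master file that the "contact information already on file" rule refers to.

```python
"""Header-level BEC triage. Constructed example; not a product or the page's own tool."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed allow-list: the insured's own domain plus one known vendor.
TRUSTED_DOMAINS = {"insured-example.com", "vendor-example.com"}

# Constructed list of words that commonly appear in pressure-laden payment requests.
PRESSURE_TERMS = ("urgent", "immediately", "today", "asap", "confidential", "wire")

# Character swaps attackers use to build domains that look right at a glance.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize_domain(domain: str) -> str:
    """Lower-case a domain and collapse the homoglyph swaps above so lookalikes compare equal."""
    d = domain.lower().strip()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one- or two-character typos such as a dropped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain this one imitates, or None if it is exact or unrelated."""
    if not domain or domain in trusted:
        return None
    norm = normalize_domain(domain)
    for t in trusted:
        if norm == normalize_domain(t) or edit_distance(norm, t) <= 2:
            return t
    return None


def sender_domain(header_value) -> str:
    """Extract the bare domain from a From/Reply-To header (display name ignored)."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def body_text(msg) -> str:
    """Concatenate text/plain parts; good enough for keyword checks on a plain message."""
    if msg.is_multipart():
        return " ".join(p.get_payload() for p in msg.walk()
                        if p.get_content_type() == "text/plain")
    return msg.get_payload()


def triage(raw_email: str, trusted=TRUSTED_DOMAINS) -> list:
    """Return a list of human-readable findings; an empty list means nothing stood out."""
    msg = message_from_string(raw_email)
    findings = []
    from_dom = sender_domain(msg.get("From"))
    reply_dom = sender_domain(msg.get("Reply-To"))
    if from_dom and from_dom not in trusted:          # the "external sender" banner
        findings.append(f"external sender: {from_dom}")
    imitated = lookalike_of(from_dom, trusted)        # the claim example's lookalike address
    if imitated:
        findings.append(f"lookalike domain: {from_dom} resembles {imitated}")
    if reply_dom and reply_dom != from_dom:           # replies would go somewhere else
        findings.append(f"reply-to mismatch: replies go to {reply_dom}")
    text = (msg.get("Subject", "") + " " + body_text(msg)).lower()
    hits = sorted({w for w in PRESSURE_TERMS if re.search(rf"\b{w}\b", text)})
    if hits:
        findings.append("pressure language: " + ", ".join(hits))
    return findings


# Constructed message modelled on the claim example: lookalike domain, diverted replies, urgency.
SAMPLE_EMAIL = """\
From: Jane Doe <jane.doe@insured-exarnple.com>
Reply-To: jane.doe@mail-relay.example
To: ap@customer-example.com
Subject: Urgent: updated wire instructions
Content-Type: text/plain

Please wire the $50,000 invoice payment to our new account today.
Keep this confidential until the transfer clears.
"""

# Constructed benign internal message for comparison.
CLEAN_EMAIL = """\
From: Jane Doe <jane.doe@insured-example.com>
To: team@insured-example.com
Subject: Minutes from Tuesday
Content-Type: text/plain

Attached for your records.
"""

if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_EMAIL), ("clean", CLEAN_EMAIL)):
        print(label, triage(raw) or ["no findings"])
```

Findings are meant to drive a banner or a hold in the mail flow, not to replace the out-of-band callback described in the verification step: a compromised account at a genuine vendor passes every check here, which is exactly why the page insists on confirming account changes by a number already on file.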
Citations/Disclaimers
1. Federal Bureau of Investigation, Internet Crime Report 2023, https://www.ic3.gov/Media/PDF/AnnualReport/2023_IC3Report.pdf
2. “Malware – What Is It and How To Avoid It”, https://www.michigan.gov/consumerprotection/protect-yourself/consumer-alerts/id-theft-telemarketing/malware
3. “What is business email compromise?”, https://www.cisco.com/site/us/en/learn/topics/security/what-is-business-email-compromise-bec.html