- The FBI’s Internet Crime Complaint Center (IC3) estimates 2021 losses for business email compromise scams to be $6.9 billion [1].
- Email is commonly cited as the No. 1 way hackers deliver malware to a user’s computer [2].
- Business email compromise scams should be reported to the business’s local FBI field office and logged through the FBI’s IC3.
What is Business Email Compromise (BEC)?
Business email compromise, also referred to as BEC, is a form of fraud in which an attacker repeatedly impersonates a seemingly legitimate email sender, such as a senior employee, vendor, organization, or company. The goal is to trick an email recipient into wiring money, providing confidential information, or performing similar compromising actions, any of which can defraud a business and its employees, customers, or partners [3].
BEC scams are part of a larger cyberattack strategy known as social engineering, which takes advantage of human behavior (e.g., trust in authority, fear of conflict, or the promise of deals or rewards).
By preying on the trust of others, social engineers can gain access to computer systems and data simply by exploiting the weakest link in a security system: employees. Social engineers don’t need to have expert knowledge of a company’s computer network to break into a business. All attackers need to do is trick employees into giving out passwords, wiring money or believing that a malicious email is authentic.
When executing BEC fraud, an attacker may use social engineering techniques to [3]:
- Spoof a legitimate email account or website. For instance, if a CEO’s email is email@example.com, an attacker may alter it slightly to execute their scam and avoid raising suspicions (e.g., firstname.lastname@example.org).
- Send BEC phishing emails. BEC phishing is one of many types of cyberattacks in which a hacker disguises themselves as a trusted source online in order to acquire sensitive information. However, more resourceful criminals resort to a modified and more sophisticated technique called “spear-phishing,” in which they use personal information to pose as colleagues or other sources specific to individuals or businesses. With spear-phishing, cybercriminals narrow down the scope of their attack to a smaller group—sometimes just a handful of individuals. By doing this, hackers can conduct research and make the BEC phishing email much more convincing based on a victim’s profile or online activity. Malicious hackers can find most of the information needed to carry out a spear-phishing attack right on the internet, particularly on company websites and social networking sites. It’s not uncommon for phishers to use a target’s personal information (e.g., name or address) or the personal information of their friends, family and colleagues as leverage in an email.
- Introduce malware into a target’s system. To improve the odds of a BEC scam succeeding, the attacker may introduce malware that lets them gather whatever information they can and then use it to carry out the scam. Getting into the system is usually accomplished through email attachments or downloadable files from a website. Emails that contain malware often employ scare tactics (e.g., the threat of legal fees, termination and bankruptcy) to trick the victim into taking a specific action (e.g., clicking a link, downloading malicious software or completing a fraudulent form). In fact, email is commonly cited as the No. 1 way hackers deliver malware to a user’s computer [5].
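As an added example that is not part of the original article, the following Python function flags the sender traits described above from a defender’s side: a domain that closely resembles the business’s own, a display name that matches a known executive but arrives from a different address, and a Reply-To header that points to another domain. The company domain, the executive directory and the header values used in the comments are constructed for illustration.

```python
from email.utils import parseaddr

TRUSTED_DOMAIN = "example.com"                      # constructed: the business's own domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # constructed: display name -> real address


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings; 1 or 2 suggests a lookalike domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address ('' when there is no '@')."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def check_sender(from_header: str, reply_to: str = "") -> list[str]:
    """Return the BEC warning signs found in the From and Reply-To headers."""
    name, addr = parseaddr(from_header)
    domain = domain_of(addr)
    warnings = []
    if domain and domain != TRUSTED_DOMAIN:
        # Near-miss spelling (e.g. exarnple.com) or the same name under another TLD (example.org)
        if (edit_distance(domain, TRUSTED_DOMAIN) <= 2
                or domain.split(".")[0] == TRUSTED_DOMAIN.split(".")[0]):
            warnings.append(f"lookalike domain: {domain}")
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        # Display-name impersonation: the name is trusted, the mailbox behind it is not
        warnings.append(f"display name '{name}' but address is {addr}")
    if reply_to:
        reply_domain = domain_of(parseaddr(reply_to)[1])
        if reply_domain != domain:
            # Replies (and wire details) would go somewhere other than the apparent sender
            warnings.append(f"Reply-To goes to another domain: {reply_domain}")
    return warnings
```

Such checks belong in a mail gateway or a mailbox rule that tags the message for the recipient; they complement, rather than replace, the out-of-band verification of payment changes described later in the article.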
Protecting your clients from BEC scams
Cybercriminals have a variety of tools and techniques at their disposal, including malware, ransomware and disruptive denial-of-service attacks. However, some of the most common and difficult-to-spot strategies hackers use are BEC scams.
The FBI’s Internet Crime Complaint Center (IC3) reported that 2021 losses from BEC scams exceeded $6.9 billion [1]. In addition to tricking companies into wiring money, criminals can use BEC scams to get employees to divulge sensitive data, financial information, proprietary information, and trade secrets. As such, understanding common business email compromise scams and how to protect your business is crucial.
Common BEC scams
While cybercriminals employ different tactics to carry out a BEC scam, these emails often follow similar scenarios. According to the FBI, the following are some of the most common types of BEC fraud [6]:
- False invoice scheme. Using this tactic, cybercriminals pretend to be a business’s supplier and request fund transfers to complete an invoice. The strategy relies on social engineering and is often achieved using a spoofed email.
- CEO fraud. With CEO fraud, scammers pose as a high-level executive and request wire transfers. Attackers aren’t afraid to use psychology to their advantage. These criminals know that impersonating an individual or organization and urging immediate action can be incredibly persuasive. Often, these types of attacks threaten loss, punishment or added risk.
- Account compromise. In these types of BEC scams, an executive’s or employee’s email account is hacked directly. Then, the account is used to request invoice payments to vendors listed in their email contacts.
- Attorney impersonation. Here, attackers impersonate a corporate lawyer or law firm. Via email, attackers will claim they are handling confidential, time-sensitive matters that require the immediate transfer of funds. It’s not uncommon for attackers to reference publicly available information — such as news regarding mergers and acquisitions — to make emails sound more convincing.
- Data theft. In these scams, attackers will pose as human resource professionals or other employees who work in functional areas of the company. In these attacks, criminals aren’t after money, but rather sensitive data (e.g., names, addresses or birthdays). Cybercriminals can then use this information to carry out future attacks.
Understanding the different types of BEC scams is crucial, as it can inform employee training and other preventive measures.
A BEC claim example
The following is a real-world BEC claim example: The insured company was owed $50,000 by one of its customers for work the insured had performed. Via encrypted email, the insured relayed instructions on how to wire the money to its bank account. However, at the same time, cybercriminals sent a fraudulent but very similar email to the customer, directing the funds to a different account. The email address used by the cybercriminals was designed to look like a legitimate account that the insured would use. Once those funds entered the fraudulent bank account, they were quickly withdrawn by the criminals and never recovered.
In this claim, expenses were limited to first-party losses incurred directly by the insured. The $50,000 amount stolen by the cybercriminals was refunded after subtracting the self-insured retention amount. Yet it’s possible in other similar scenarios that an insured might incur other first- or third-party losses. Costs related to forensic investigation, business interruption costs, notification costs, privacy fines or penalties can all be covered under cyber liability insurance policies. In this example, however, prompt action to review the pertinent loss documents, perform the investigation and evaluate coverage under the policy brought the matter to a swift and less costly conclusion.
Protecting against BEC scams
Above all, educating employees is essential to minimizing the risk of BEC fraud. Even the best security system will fail if a company’s staff is tricked into wiring money or providing sensitive information to criminals. To help protect against BEC, businesses should consider employing the following strategies:
- Set clear policies. Businesses should create policies that limit the amount of sensitive information made available to employees, customers, and the general public. Organizations should never allow employees to give out sensitive information, such as passwords and credit card numbers, over the phone. As a rule, avoid emailing personal or financial information.
- Prohibit employees from posting work-related information on social media websites. BEC scammers may spend weeks or even months learning about an employee’s habits and tendencies before deploying their fraudulent email. A simple post about being out of the office for a short length of time could be all the information an attacker needs to pull off a scam.
- Train employees. Include BEC training as part of larger cybersecurity education initiatives. This training should include interactive examples of BEC scams that relate directly to your employees’ work activities. Employees should be instructed to avoid clicking on anything in an unsolicited email. Employees should also be encouraged to carefully examine email addresses and URLs in emails before taking any action, asking questions along the way if they feel they have received something that is potentially harmful. Employees should be highly suspicious of emails, particularly those that:
  - Come from unrecognized senders
  - Ask them to confirm personal or financial information
  - Aren’t personalized
  - Are vague
  - Are particularly urgent
  - Include threatening, frightening and persuasive language
- Verify payment and purchase requests. When possible, verify purchase requests in person. Additionally, those in charge of transferring funds or making payments should confirm any change in account numbers or payment procedures with the person making the request using contact information already on file — not the contact information found in the email requesting the change.
In the event a company falls victim to a business email compromise scam, it’s important to act quickly. Business email compromise scams should be reported to the business’s local FBI field office or through the FBI’s Internet Crime Complaint Center (IC3).
Cyberattacks, including BEC scams, aren’t going away. In fact, they’re becoming more sophisticated. It’s not enough to simply install antivirus and anti-malware software to prevent BEC scams. To truly protect a business, it’s crucial that companies and their employees stay aware and informed on growing trends in cybercrime and up-to-date protection strategies.
That includes researching and investing in technology solutions that can provide additional defenses against BEC scams. Software solutions, for example, can advise recipients when an email is from an external source, prevent an email from getting through if malware is detected, enforce basic password requirements, and provide even more sophisticated phishing attack detection tools. A small upfront investment may prevent a large loss down the road.