Business Email Compromise (BEC), also known as Email Account Compromise (EAC), is a type of phishing attack that targets organizations, with the goal of stealing money or critical information. In a BEC scam, criminals send an email message that appears to come from a known source making a legitimate request, such as:
- A vendor your company regularly deals with sends an invoice with an updated mailing address.
- A company CEO asks her assistant to purchase dozens of gift cards to send out as employee rewards.
- A customer service representative asks you to update your personal information, such as your credit card number or Social Security number.
The email may contain a link that, when clicked, will take the victim to a fake website that looks like the real website of the company they are supposedly doing business with. Once the victim enters their personal information on the fake website, the criminals can steal it.
BEC scams are on the rise, and they are one of the most financially damaging online crimes. In 2022, the FBI received over 24,000 complaints about BEC scams, with losses totaling over $2.4 billion.
10 Types of Business Email Compromise (BEC) Scams
- CEO Fraud: Impersonating a high-level executive, the scammer requests an urgent wire transfer from an employee, typically in the finance department.
- Account Compromise: An employee’s email account is hacked and then used to make requests for invoice payments to fraudulent bank accounts.
- Fake Invoice Scheme: Scammers send a fake invoice to a company’s billing department, with the payment instructions directed to a fraudulent account.
- Vendor Email Compromise: A legitimate vendor’s email account is compromised and used to send fake invoices to the company.
- Data Theft: Scammers target employees with access to sensitive information, such as HR records or financial data, to gain unauthorized access.
- Attorney Impersonation: The scammer poses as a lawyer or legal advisor and requests confidential information, often under the guise of an urgent or sensitive legal matter.
- Payroll Diversion: An employee’s direct deposit information is altered, sending their salary to a fraudulent bank account.
- Tax Fraud: Fraudsters use stolen employee information to file false tax returns and claim refunds.
- Real Estate BEC: Scammers target real estate transactions, such as closings, and alter the payment instructions to divert funds to fraudulent accounts.
- M&A Fraud: Emails from scammers posing as executives or consultants involved in mergers and acquisitions request sensitive information or funds transfers.
10 Q&A on Business Email Compromise (BEC) Scams
- Q: What is a BEC scam?
A: A BEC scam is a type of fraud where scammers use email to impersonate someone within a company or business relationship to trick employees into transferring funds or sharing sensitive information. - Q: How do BEC scams work?
A: BEC scams typically involve email spoofing, social engineering, and sometimes malware or phishing to gain access to email accounts or deceive employees into taking fraudulent actions. - Q: Who is targeted in BEC scams?
A: BEC scams often target employees with access to company finances or sensitive information, including those in finance, HR, and executive roles. - Q: How can I recognize a BEC scam?
A: Look for unusual or urgent requests, discrepancies in email addresses or domain names, and changes in payment instructions or account information. - Q: What should I do if I suspect a BEC scam?
A: Verify the request through another channel, such as a phone call, and report your suspicions to your IT or security department. - Q: How can I prevent BEC scams?
A: Implement email security best practices, provide employee training, and establish protocols for verifying and approving financial transactions and changes to sensitive information. - Q: What are the financial impacts of BEC scams?
A: BEC scams can result in significant financial losses for businesses, as well as reputational damage and potential legal liabilities. - Q: How do scammers choose their targets?
A: Scammers often use publicly available information, such as company websites and social media, to identify potential targets and gather information to craft convincing emails. - Q: How do scammers gain access to email accounts?
A: Scammers may use phishing attacks, social engineering, or malware to compromise email accounts and gather information for their scams. - Q: What should I do if my company has fallen victim to a BEC scam?
A: Report the incident to law enforcement, notify your financial institution, and take steps to secure your email accounts and systems.
Preventing and Reporting BEC Scams
Preventing BEC Scams
- Implement multi-factor authentication for email accounts.
- Train employees to recognize and report suspicious emails and requests.
- Establish protocols for verifying and approving financial transactions and changes to sensitive information.
- Use email security tools to detect and block phishing and spoofing attempts.
- Limit the amount of publicly available information about your organization and employees.
Reporting BEC Scams
- Report the scam to your organization’s IT or security department.
- If funds have been transferred, contact your financial institution immediately.
- Report the incident to your local law enforcement agency.
- File a complaint with the FBI’s Internet Crime Complaint Center (IC3) at www.ic3.gov.
- Notify any affected clients, vendors, or partners to help prevent further damage and loss.
More About “BEC Scams” Here…