What is Business Email Compromise (BEC)? How to Identify & Protect Yourself

By Barbara Cook

Barbara is a financial writer for Tipalti and other successful B2B businesses, including SaaS and financial companies. She is a former CFO for fast-growing tech companies with Deloitte audit experience. Barbara has an MBA from The University of Texas and an active CPA license. When she’s not writing, Barbara likes to research public companies and play Pickleball, Texas Hold ‘em poker, bridge, and Mah Jongg.


Updated September 18, 2024
Finops
Fraud Prevention
Risk Management

Business email compromise (BEC) is a widely used scam with many variations. Imposters use it to steal money or confidential information from companies. 

This article focuses on what business email compromise is and how to prevent BEC-related business losses. 

What is Business Email Compromise (BEC)?

Business email compromise (BEC) is a financial scam in which a criminal spoofs or takes over a legitimate business email account. From that position, the criminal requests fund transfers or gift cards, or asks for confidential Personally Identifiable Information (PII). Through social engineering, spoofed emails, and identity fraud, BEC scammers trick someone into making a wire transfer to an account they control.

Understanding Business Email Compromise

Criminals conduct business email compromise attacks in different ways to steal money. 

One method is spoofing: the sender’s legitimate email address, or the URL behind a link, is altered by just a character or two so that it passes a quick glance. Look for misspellings or slight differences in the sender address and link destinations whenever an unexpected email asks for money or for sensitive information. 

CEO, CFO, vendor, or attorney impersonation is often part of the cybercrime when a funds transfer is requested in the con. 

Malware may also lurk in an attachment; opening it can give the attacker a foothold in your systems or lead to a data breach. 

How Do BEC Attacks Typically Work?

BEC attacks typically start with a spoofed or hijacked email, sometimes carrying embedded links. Scammers impersonate the CEO or another authorized person such as the CFO, an attorney, or a vendor, and direct an employee to make a wire transfer to an account the criminal controls. 

Scammers may also use fake websites, social media like LinkedIn, malware, or spoofed phone calls in different types of business email compromise attacks.

Business email compromise attacks may obtain Personally Identifiable Information, confidential information, or passwords for monetary gain. 

If a BEC scammer impersonates or spoofs the CEO of a company in an email, it’s known as CEO fraud, which falls within the larger category of business email compromise. BEC scams increasingly move illicit gains into cryptocurrency. 

Cybercriminals may request payment in cryptocurrency directly, or launder the proceeds of wire transfers by moving them from the bank accounts they control into crypto wallets or other investment assets. 

Examples of Business Email Compromise

Examples of business email compromise include redirecting legitimate vendor or customer payments and various phishing scams. Real estate transactions are exploited using both of these BEC methods. Gift card scams for fake non-profit donations are spear-phishing attacks.

Redirecting Legitimate Vendor or Customer Payments

Criminals may notify companies via email of changed remittance information for sending payments. Instead of payments going to the actual vendor’s bank account or the seller company’s bank account, the criminals receive the redirected payments in their controlled bank accounts. 

The impersonated vendors are often foreign, where the payment method is a wire transfer that is difficult to recall once it clears. 

As a result, the victimized companies still owe the vendors or won’t be paid for sales or services provided to their customers. 

Phishing Scams

Criminals pose as the CEO, a member of the finance department, or another authorized person from the targeted company to request payments or gift card identifying numbers through an employee’s email account. Alternatively, the cybercriminals may request personally identifiable information such as employee W-2 data or other sensitive information.

Their goal is to extract money from the company in a scheme, sell the sensitive data obtained from compromised accounts, or file a fraudulent income tax return using PII to receive tax refund payments. 

Real Estate Transaction Scams

Real estate transactions involve the transfer of large sums of money, making them attractive to BEC criminals. Imposters posing as title companies, attorneys, real estate agents, and other parties in the transaction ask for payments to be redirected to bank accounts they control, or to an account opened by a “money mule” recruited through a confidence/romance scheme. Any party in a real estate transaction can be victimized. 

Non-Profit Gift Card Donations

In a gift card scheme, the BEC scammer takes over a business email account and directs people on the email distribution list to make gift card donations to a cause and email photos of the gift card number and PIN. 

How to Identify Potential BEC Scams

Identify potential BEC (business email compromise) scams by taking these 8 steps:

  1. Check the sender’s actual email address (not just the display name) and the destination of URL links closely for signs they’re not legitimate. 
  2. Look for misspellings and lookalike domains.
  3. Investigate whether an emailed urgent payment request is a scam before paying. 
  4. Call a vendor directly using procurement vendor file information to find out if they actually changed their remittance bank account or contact information and verify the vendor.
  5. Reach out through normal communication channels to ask company executives directly if they requested a funds transfer.
  6. Confirm bank account change requests for an employee’s payroll direct deposit. 
  7. In real estate transactions, don’t comply with revised wire transfer payment instructions (with different bank accounts) without calling the title company directly at their published phone number. 
  8. Beware of email requests for sensitive business information, including passwords, intellectual property, or Personally Identifiable Information (PII) like W-2 information. 

How to Protect Yourself from Business Email Compromise Attacks

To protect yourself and your business from email compromise attacks, the FBI suggests taking the following 7 steps:

  1. “Use secondary channels or two-factor authentication to verify requests for changes in account information.
  2. Ensure the URL in emails is associated with the business/individual it claims to be from.
  3. Be alert to hyperlinks that may contain misspellings of the actual domain name.
  4. Refrain from supplying login credentials or PII of any sort via email. Be aware that many emails requesting your personal information may appear to be legitimate.
  5. Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s address appears to match who it is coming from.
  6. Ensure the settings in employees’ computers are enabled to allow full email extensions to be viewed.
  7. Monitor your personal financial accounts on a regular basis for irregularities, such as missing deposits.”
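Several of the checks above (steps 1 and 2 of the identification list, and items 2, 3 and 5 of the FBI list) can be automated at the mail gateway or in a triage script. The following is an added example, not code from the article or from Tipalti or the FBI: it parses a raw email, compares the sender and link domains against a hypothetical list of trusted domains, and flags lookalike domains, display-name spoofing, Reply-To mismatches, and links whose visible text points somewhere other than their real destination. The trusted domains and both sample messages are constructed for the example.

```python
"""Heuristic BEC indicator checks over a raw RFC 5322 message (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical: the organisation's own domain and one known vendor's domain.
TRUSTED_DOMAINS = {"example.com", "acme-supplies.com"}
# Substitutions that make a lookalike domain read like the real one at a glance.
_DIGIT_GLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
_PAIR_GLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d")]
_LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)
_TRUSTED_ADDR = re.compile("@(" + "|".join(map(re.escape, TRUSTED_DOMAINS)) + r")\b", re.I)
_ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)  # (href, text)

def normalize(domain: str) -> str:
    """Collapse homoglyph tricks so 'exarnp1e.com' compares equal to 'example.com'."""
    d = domain.lower().translate(_DIGIT_GLYPHS)
    for src, dst in _PAIR_GLYPHS:
        d = d.replace(src, dst)
    return d

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; domains are short, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels); use the Public Suffix List in production."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def classify_domain(domain: str) -> str:
    """'trusted' if it is ours, 'lookalike' if it imitates ours, else 'external'."""
    domain, reg = domain.lower(), registrable(domain)
    if reg in TRUSTED_DOMAINS:
        return "trusted"
    for t in TRUSTED_DOMAINS:
        # Catches example.com.invoice-portal.net, exarnple.com and exampel.com.
        if t in domain or normalize(reg) == normalize(t) or edit_distance(reg, t) <= 2:
            return "lookalike"
    return "external"

def analyze(raw: str) -> list:
    """Return (indicator, detail) pairs; an empty list means nothing fired."""
    msg = message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    verdict = classify_domain(from_domain)
    if verdict == "lookalike":
        findings.append(("lookalike-sender", from_domain))
    # Display-name spoofing: "ceo@example.com" <someone@elsewhere>; phones often show only the name.
    if verdict != "trusted" and _TRUSTED_ADDR.search(name):
        findings.append(("display-name-spoof", f"{name!r} sent from {addr!r}"))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != from_domain:
        findings.append(("reply-to-mismatch", reply))
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace")
        for href, text in _ANCHOR.findall(html):
            text = re.sub(r"<[^>]+>", "", text).strip()  # drop inner tags, keep visible text
            host = (urlparse(href).hostname or "").lower()
            if _LOOKS_LIKE_URL.fullmatch(text):
                shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
                if registrable(shown) != registrable(host):  # text names one site, href goes elsewhere
                    findings.append(("link-text-mismatch", f"{text!r} -> {host!r}"))
                    continue
            if classify_domain(host) == "lookalike":
                findings.append(("lookalike-link", host))
    return findings

# Constructed sample messages (not real mail).
SAMPLE_BEC = """\
From: "ceo@example.com" <jane.doe@exarnple.com>
Reply-To: payments@mail-exarnple.net
Subject: Urgent: updated remittance details
Content-Type: text/html; charset=utf-8

<p>Please update our bank account before today's payment run.</p>
<a href="http://example.com.invoice-portal.net/update">https://example.com/vendors</a>
"""
SAMPLE_LEGIT = """\
From: Accounts <ap@acme-supplies.com>
Content-Type: text/html; charset=utf-8

<a href="https://acme-supplies.com/portal">Click here</a> to view invoice 1042.
"""

if __name__ == "__main__":
    for label, raw in (("BEC", SAMPLE_BEC), ("legit", SAMPLE_LEGIT)):
        print(label, analyze(raw))
```

Run against the BEC sample, `analyze` reports all four indicators; the legitimate invoice produces none. The domain heuristics are deliberately loose (edit distance of two on a short trusted domain will flag some innocent neighbours), so treat a hit as a reason to verify out of band, not as proof of fraud, and replace `registrable` with a Public Suffix List lookup before relying on it for domains like `co.uk`.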

What to Do as a Victim of a Business Email Compromise Attack?

According to the Federal Bureau of Investigation’s (FBI) 2021 Internet Crime Report, you should take these 4 steps in response to a business email compromise (BEC) attack:

  1. “Contact the originating financial institution as soon as fraud is recognized to request a recall or reversal and a Hold Harmless Letter or Letter of Indemnity.
  2. File a detailed complaint with www.ic3.gov. It is vital the complaint contain all required data in provided fields, including banking information.
  3. Visit www.ic3.gov for updated PSAs regarding BEC trends as well as other fraud schemes targeting specific populations, like trends targeting real estate, pre-paid cards, and W-2s, for example.
  4. Never make any payment changes without verifying the change with the intended recipient; verify email addresses are accurate when checking email on a cell phone or other mobile device.” 

The FBI Internet Crime Complaint Center (IC3) started a Recovery Asset Team (RAT) in 2018 to streamline communication with financial institutions and follow-up on BEC attacks. An IC3 analyst acts as a liaison between the financial institutions and the FBI field offices assigned to investigate. Before the case goes to a field office, IC3 asks the recipient bank to freeze funds that a victim transferred to a domestic account in a fraudulent funds transfer scheme. 

If you’re a victim of a BEC attack, some or all of your funds may be recovered, but recovery is not the likely outcome. Acting within hours, while the money may still sit in the first receiving account, gives the best chance.  

What is the Main Goal of a BEC Attack?

The main goal of a BEC attack is to fool a business into sending money to an account controlled by a cybercriminal through a spoofed email in which the attacker poses as someone legitimate. Alternatively, a BEC attack may request sensitive and personally identifiable information that can be monetized.

Who is Responsible for BEC Attacks?

In the U.S., the Federal Bureau of Investigation (FBI) is the lead agency for investigating domestic and international BEC attacks affecting businesses (and personal accounts). The FBI established the Internet Crime Complaint Center (IC3) for complaint reporting, analyst investigation, and liaison with financial institutions and FBI field offices for follow-up, asset recovery, and prosecution. 

The FBI’s IC3 unit publishes statistics for internet crimes, including business email compromise and email account compromise, provides press releases regarding real BEC/EAC cases, and offers guidance to prevent future attacks. 

Phishing vs. Business Email Compromise

BEC is a targeted form of phishing, a spear-phishing attack, that uses deceptive emails. In a spear-phishing attack, the scammer uses a fake email (sometimes imitating a known brand) to convince a business victim to provide confidential data, to install malware that steals data, or to transfer funds to the criminal’s account. Unlike bulk phishing, a BEC email often contains no link or attachment at all; the payload is a plausible request from a trusted-looking sender, which is why it slips past filters that look only for malicious URLs or files.

Using Technology to Prevent BEC Attacks

Your company must implement strong email security to prevent data loss and fraudulent payments. And using modern technology software with built-in security measures and RegTech compliance is one of the best ways to protect yourself from BEC attacks. 

AP automation software from Tipalti provides technology that will help you prevent BEC attacks and respond to accounts payable reverse fraud, reducing fraudulent payment risks. In accounts payable reverse fraud, scammers create fake vendors by creating a website or vendor invoices or redirecting legitimate vendor accounts to receive payments. Tipalti software can act as your “internal financial crimes unit,” according to the company. 

Tipalti is a secure cloud-based software platform for accounts payable and payments, incorporating enterprise-grade security. 

Tipalti uses global external tax databases to verify vendors when vendors are onboarded through its supplier portal. Tipalti’s built-in RegTech functionality screens vendors for blacklists like OFAC sanctions and screens for anti-money laundering (AML) compliance. 

Besides significantly increasing your company’s efficiency, Tipalti AP automation and global payment software features are tools for fighting business email compromise and other types of fraud. 
