Stay On Top Of Business Email Compromise


*Originally Posted July 11, 2016. Updated May 27, 2020*

You’ve heard the old saying: “Don’t open an email from someone you don’t know.” You assume that your employees understand how to spot a phishing scam with illegitimate hyperlinks or suspicious attachments with odd file extensions. But what if they receive an email that appears to come from your financial adviser, your business’ trusted vendor, or even you? The Federal Bureau of Investigation (FBI) has anticipated an uptick in BEC scams during the coronavirus pandemic. Since the beginning of the crisis, businesses have seen 80% of scam emails use COVID-19 messages.

Business email compromise (BEC) has become increasingly popular amongst cybercriminals seeking money and personal information from businesses. Scammers target businesses that utilize wire transfers, as well as companies that rely on foreign suppliers and third-party vendors or customers. Impersonating these existing and trusted business relationships is what makes BEC almost impossible to detect and difficult to manage after the fact.

Between June 2016 and July 2019, there were 166,349 domestic and international cases of BEC generating $26.2 billion in total exposed monetary losses. BEC scams are now the biggest problem for U.S. companies, far outpacing ransomware attacks. 

Four Methods of Business Email Compromise Scams

The difficulty in detecting BEC lies in the way scammers use your existing professional relationships to gain access to your business’ funds or personal information. Criminals use BEC to execute four specific types of scams. Once the scammers gain access into your company’s email accounts, the possibilities are endless.

Method #1: Business Executive Scam

Scammers will use your email address to contact an employee responsible for your company’s finances, requesting a large wire transfer into their fake accounts. Fraudsters will usually indicate that the transfer must be done urgently and quietly. Since most businesses utilize email as their main form of communication between employees and departments, this type of BEC is almost always detected after the transfer has been made.


Method #2: Supplier Swindle Scam

The second method targets your company’s foreign suppliers or overseas vendors, again hoping to have wire transfers authorized to a fake account. Criminals can hack into your supplier’s email account and request a wire transfer to a “new” account, stating that the supplier’s location overseas has moved or changed.


Method #3: Bogus Invoice Scam

The third method targets your customers or third-party vendors, hoping to collect their money through false invoice requests. Fraudsters can hack into your employees’ emails and send out urgent invoices, similar to the method used with overseas suppliers.


Method #4: Personal Data Scam

Unlike the first three methods, this final method focuses on stealing your employees’ personal information. Fraudsters target your human resources department’s email accounts to obtain personally identifiable information (PII), specifically W-2 information. Emails are sent from your HR representative’s hacked email account to other employees, asking them to either provide or verify their sensitive information.

Tips to Protect Your Business 

Business email compromise scams have so many layers of potential compromise and can impact anyone associated with a business. Keep yourself, your employees, and vendors in the know about BEC and other business scams by following these tips:

  1. Develop and implement a company-wide security awareness program. Make it everyone’s priority to protect company information for the benefit of your employees, your customers, and the long-term health of your business.
  2. Don’t rely on email alone: confirm requests for transfers of funds by using phone verification or face-to-face meetings. Only use previously known phone numbers to authenticate transfer requests and verify the requests in person whenever possible.
  3. Carefully scrutinize all email requests for the transfer of funds. Check to see if there are small variations in the email addresses that are out of the ordinary.
  4. Harden your networks, especially for mobile. Threats to mobile devices may include rogue applications, spyware, unsecured Wi-Fi connections, and even fake networks. Employee mobile devices used for business email and other work purposes are easy targets for cyberthieves, creating numerous gateways into your network.
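
The check in tip 3 can be partly automated. The sketch below is an added example, not part of the original article: it flags sender domains that differ from a known-good domain by only a few characters. The trusted-domain list, the character-swap table, the distance threshold and the sample headers are all constructed assumptions.

```python
from email.utils import parseaddr

# Constructed allow-list: domains you actually exchange payment email with.
TRUSTED_DOMAINS = {"example.com", "acme-supplies.example"}

# Assumed, non-exhaustive table of characters swapped to imitate a domain.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "|": "l"})

def normalize(domain):
    """Fold look-alike characters so 'examp1e.com' compares like 'example.com'."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")

def edit_distance(a, b):
    """Levenshtein distance using two rows of the dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_sender(from_header, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return (verdict, matched_domain); verdict is trusted, lookalike or unknown."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ("unknown", None)
    domain = addr.rpartition("@")[2].lower()
    if domain in trusted:
        return ("trusted", domain)
    for good in sorted(trusted):
        # Near miss: same after folding look-alikes, or only a few edits away.
        if normalize(domain) == normalize(good) or edit_distance(domain, good) <= max_distance:
            return ("lookalike", good)
    return ("unknown", None)

# Constructed sample From: headers for illustration.
SAMPLE_FROM_HEADERS = [
    "Jane Doe <jane@example.com>",
    "CEO <ceo@examp1e.com>",
    "billing@acrne-supplies.example",
    "news@unrelated.org",
]

def flag_lookalikes(headers):
    """Return the headers whose domain imitates a trusted one."""
    return [h for h in headers if check_sender(h)[0] == "lookalike"]
```

A "trusted" verdict only means the domain matches exactly; a message sent from a genuinely compromised account passes this check, which is why tip 2's out-of-band confirmation still applies.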

Continue following Fighting Identity Crimes for the latest breach and scam updates, ID protection news and tips from our industry experts.



The views and opinions expressed in this article are those of EZShield Inc. alone and do not necessarily reflect the opinions of any other person or entity, including specifically any person or entity affiliated with the distribution or display of this content.

John is General Counsel and Chief Privacy Officer of Sontiq, the parent company of the EZShield and IdentityForce brands. He is a Certified Compliance...
Read more about John Burcham.
