What is Business Email Compromise (BEC)?

In 2022, losses from business email compromise (BEC) scams amounted to more than $2.7 billion, according to the FBI Internet Crime Complaint Center (IC3), up from $676 million in 2017.

BEC is a type of scam that involves taking over a business transaction using an email account to conduct a fraud scheme. These scams are designed to spoof or take charge of a business email account to create, redirect and/or change a transaction, commonly by someone posing as an executive, existing vendor or employee.

While BEC often results in stolen money, scammers also use it to steal valuable information from organizations and individuals.

5 Schemes Using Business Email Compromise

Business email compromise can take a variety of forms and is unfortunately limited only by the criminal's imagination.

Here are a few common types of BEC:

  • CEO fraud. In this scenario, a scammer impersonating a CEO or other high-level executive sends an email to employees with instructions to transfer money into an account the scammer controls. Another typical scheme is to send an email to an employee asking them to buy gift cards in bulk and then provide the cards' serial numbers in response.
  • Account takeover. Sometimes scammers get access to the email of a finance executive or accounting department employee at a company giving the scammer the ability to generate transactions and/or changes to the account.
  • False invoice scheme. A scammer can also pretend to be a legitimate vendor used by a company to send an invoice requesting the payment to be wired to a new bank account number or even a new bank. This scheme works especially well against companies that use overseas vendors, because the vendors may work with unfamiliar financial institutions.
  • Third-party impersonation. Scammers can gain access to the email system of an attorney, vendor, accountant, human resources, payroll or other trusted party and send out emails requesting payment to an account controlled by the scammers. This impersonator can also request sensitive information and use that for other schemes.
  • Data theft. Scammers target human resources departments to steal the personal information of employees or customers, including addresses, phone numbers and other information that can be used for identity theft and other fraudulent purposes.

Examples of Business Email Compromise

Oftentimes, a compromised email account will request an urgent or immediate response, encouraging respondents to send a rushed reply without stopping to think or question first. These emails are often sent at a busy time, such as late afternoon or on a Friday evening, when employees are more likely to be hurried and tired.

Some common BEC scenarios include:

  • A scammer posing as an employee of a vendor sends an invoice that looks legitimate for mechanical work and requests payment to a new account number.
  • A "property management company" sends a notice that a lease is about to expire and a deposit is needed urgently to hold the space.
  • A scammer posing as a real estate agent, escrow officer or a title company requests a home buyer to unexpectedly change the transaction details such requesting a wire transfer instead of a cashier's check or updating the bank account and routing number to divert the funds.
  • An email appearing to be from the CEO to a finance employee requests a wire transfer for a down payment on the acquisition of a new company – and demands secrecy because the deal isn't finalized.

The above schemes are examples of how a scammer will use your everyday business practices to mimic you and take advantage of your transactions to create immediate financial loss.

How Does a Business Email Compromise Attack Work?

How do scammers gain access to a legitimate email account, or create a convincing fake one, in order to get you or your employees to send them money?

Common methods used in a BEC scam are:

  • Phishing. Phishing is a scheme that scammers use to trick people into believing they're receiving a legitimate email. Oftentimes, these phishing emails ask recipients to verify or update your personal information by clicking a link directing you to a bogus website. This social engineering tactic tricks people into giving up their personal information such as username and password.
  • Malware. Scammers are adept at using "malware," which is malicious software designed to disrupt computers and servers so they can gain access to the data and internal systems of a company. They then use that access to view legitimate emails, especially to find out who is likely to be sending or receiving money so they can target them. These scammers use social engineering to watch email exchanges for weeks in order to find the best ways to pull off their fraud. While they're in the system, they can also gather personal information to scam employees and customers or sell their personal information.
  • Spoofs. Scammers can skim logos, website information and email addresses from the internet and use them to create realistic-looking emails with a variation on an actual address. For example, they can change one or two letters in a company's or individual's name, or use a different domain name, but follow the same format as a typical company's email address, so that the email looks legitimate at first glance.

How to Reduce Your Risk From Business Email Compromise

While every company should have systems in place to protect data and prevent business email compromise attacks, it's also smart to educate yourself and your employees about BEC so that you can take steps to reduce your risk of being victimized.

Be on the lookout for signs that an email may not be what it seems:

  • Requests for unexpected changes to a transaction. Fraudsters will often request a sudden or unexpected change to wires, ACH instructions, payment methods or mailing addresses in order to maliciously redirect funds.
  • Requests to urgently complete a transaction. Some emails lure you into completing a request by creating a false sense of urgency or threatening you with consequences if you do not act. Be wary of messages marked with “final notice" or “action required."
  • Requests to not communicate with others. A fraudster will often ask you to keep the request confidential, pressure you to not speak to anyone, ask you to only communicate via email, or direct you to a new or unknown phone number.
  • Requests for personal information which may be used for your accounts. Given the prevalence of scams, it's extremely unlikely that any legitimate company will request that you send personal information via email. If you're in doubt about an email's legitimacy, pick up the phone and talk directly to your contact at the company it claims to be coming from.

You can significantly reduce your fraud exposure by calling the person or company that the email seems to be from and asking them to verify its authenticity. They may be just as surprised as you are to hear they have asked you for money or personal information, and completely unaware that their email account has been hacked. Just make sure, before you call, that you've obtained their number from a trustworthy source and you're not relying on a fake phone number provided within the suspect email.

Steps to Take If Your Email is Compromised

Depending on their level of sophistication, many business email compromise scammers transfer funds quickly from the deposit account so that they — and your money — are long gone by the time you realize you've been scammed. Moving quickly also reduces the possibility that the criminals will be caught.

If you think you were the victim of an email compromise, it is important to respond quickly yourself:

This article is for general information and education only. It is provided as a courtesy to the clients and friends of City National Bank (City National). City National does not warrant that it is accurate or complete. Opinions expressed and estimates or projections given are those of the authors or persons quoted as of the date of the article with no obligation to update or notify of inaccuracy or change. This article may not be reproduced, distributed or further published by any person without the written consent of City National. Please cite source when quoting.