Business Email Compromise (BEC) is a sophisticated scam targeting businesses that conduct wire transfers and have suppliers abroad. Cybercriminals use various techniques to deceive company employees into making wire transfers to bank accounts thought to belong to trusted partners—except the money ends up in accounts controlled by the criminals. This scam is known for its reliance on social engineering tactics rather than relying heavily on technological vulnerabilities.

How BEC Works:

  1. Phishing: The attack often starts with phishing emails, where attackers aim to gain access to a corporate email account. They might use this access to gather information about the company’s billing systems, typical transaction volumes, and key personnel in finance and accounting.
  2. Email Account Compromise: Attackers may compromise the email account of a company executive or an employee through phishing or other means. Alternatively, they might create an email account with a similar appearance to a legitimate one (e.g., vs.
  3. Impersonation: With access to an email account, the attacker impersonates the owner of that account. They might pretend to be a company executive and send an email to the finance department authorizing a payment to a supplier, or they might impersonate a supplier and request payment for an invoice.
  4. Urgent Requests: The attackers often create a sense of urgency or confidentiality about the transaction, pressuring the employee to act quickly and without the usual verification processes.
  5. Payment to Fraudulent Account: The employee, believing the request to be legitimate, initiates a wire transfer to the account specified in the email, which is controlled by the attacker.

Variants of BEC:

  • CEO Fraud: Impersonating a high-level executive to deceive employees into making unauthorized wire transfers.
  • Account Compromise: An employee’s email account is hacked and used to request payments from vendors listed in their email contacts.
  • False Invoice Scheme: Companies that have existing relationships with suppliers are tricked into paying invoices issued by fraudsters.
  • Attorney Impersonation: Attackers pretend to be a lawyer or someone from the legal team needing urgent funds for confidential matters.
  • Data Theft: Targeting HR or finance employees to obtain sensitive information about employees or the company, often used for future attacks.

Protection Measures:

  • Verification Processes: Implementing multi-step verification for financial transactions, especially those that deviate from regular patterns.
  • Employee Training: Educating employees about the risks of BEC and training them to recognize phishing attempts and suspicious emails.
  • Payment Controls: Establishing internal controls for payment authorization, including thresholds that require additional verification.
  • Email Security: Using advanced email security solutions that can detect phishing attempts, spoofed emails, and unusual sender behavior.
  • Incident Response Plan: Having a plan in place for responding to incidents of BEC, including steps to report the incident to law enforcement and financial institutions.

BEC poses a significant threat to organizations of all sizes and industries, often resulting in substantial financial losses. Awareness, education, and robust security measures are key to defending against these highly targeted attacks.