Business email compromise (BEC)

Business email compromise (BEC) is a type of email fraud. In the most common scenario, an employee receives an email purporting to be from a company executive requesting that a payment be made to a specific client or account.

What is BEC?

According to the FBI, losses caused by BEC scams surpassed $1.86 billion in 2020.

How does it work?

Business email compromise (BEC) occurs when a cybercriminal sends an email specifically designed to mimic a legitimate request from a known source.

Commonly, the email is an urgent request for funds from the CEO or other high-ranking executive, instructing the employee to transfer money from a corporate account.

In reality, the email comes from a criminal who has taken over the executive’s mailbox, spoofed the sender address, or registered a lookalike domain so that the message appears legitimate. Language such as “We need this funding immediately to close this deal” or “I know I can trust you to get this done right away” is used to add a sense of urgency and discourage the recipient from checking.

Clicking “Reply” to such an email sends the response straight to the scammer: either to a Reply-To address the criminal set, to the lookalike domain, or to the compromised mailbox itself, where the real executive never sees it. Any funds sent by the email recipient end up in the scammer’s account.

Why you should be concerned about BEC attacks

According to the FBI’s 2020 Internet Crime Report, BEC is the costliest category of cybercrime. Losses from roughly 19,000 BEC complaints reached nearly $2 billion, more than the losses from the next six costliest crime types combined.

According to the Association for Financial Professionals, 74% of organizations were targets of payment scams in 2020.

And with more employees working remotely due to the ongoing Covid-19 pandemic, criminals are broadening their avenues of attack. According to the FBI, the scams have evolved to include requests for W-2 information, instructions for wire transfers to fake real estate title companies, and demands to send large numbers of gift cards.

While all sectors are vulnerable to attack, government entities are particularly at risk, because of the detailed information required by U.S. transparency regulations. With easy access to names and details about executives, vendors, policies and contractors, criminals can customize their attacks to make them more believable.

In one case reported by the FBI, $1.6 million was stolen after a government official received an email with new instructions that came from a legitimate vendor email address, but was actually sent by a criminal. In another, a city government office received a spoofed email, supposedly from a known contractor requesting a change in payment method. This scam cost the city $3 million.

How to protect your organization

Your first line of defense is employee education that covers spam, phishing and social engineering—the leading techniques used for BEC. Workers at every level of your organization should understand the prevalence of BEC and what to look for, including urgent requests, typos and suspicious attachments.

Employees with any concerns about an email should call the sender directly using a confirmed corporate phone number – not a phone number within the email.

Staff should be aware that password reuse is another common cause of BEC. Using the same password for a work mailbox and a personal site such as Facebook means that if that site is breached and the password is exposed, attackers can try the same credentials against the work account and take over the mailbox.

A reliable multilayered security solution is also a must. In addition to endpoint security, make sure you have email protection against spam, phishing and malicious attachments. Rules-based filtering and email quarantines can help block unsolicited and suspicious emails, including those with spoofed sender addresses; catching spoofing reliably depends on sender authentication (SPF, DKIM and DMARC) being published and enforced for your own domains, and on checking the actual sender and reply address rather than only the display name.

Implementing multifactor authentication, particularly on email and remote-access accounts, helps prevent unauthorized access and reduces the chance of fraud if employees reuse passwords or work credentials are stolen, because a leaked password alone is no longer enough to log in.

If you’re using cloud-based apps, implementing ESET Cloud Office Security adds email protection as well as safeguarding sensitive info such as vendor lists or legal contracts stored in the cloud.

These tips from the FBI can be applied by businesses of every size:

  • Double-check email addresses. Carefully examine the email address, URL, and spelling used in any correspondence. Scammers use slight differences to trick your eyes and gain your trust. For example, could become (note the missing ‘r’ in ‘your’).
  • If any payment or transaction changes are requested in an email, verify them either in person or using a known telephone number – not the number in the email.
  • Be wary of last-minute changes in payment instructions or a change in the recipient’s account information. Again, verify via phone or in person.
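The checks above (a reply address that does not match the sender, a lookalike domain, a spoofed sender that fails authentication, and urgency language around a payment) can be automated as a first-pass triage of incoming mail. The following Python script is an added example written for this article, not ESET or FBI code: it parses a raw message with the standard library, compares the From and Reply-To domains, flags a sender domain within two edits of a trusted one, looks for a DMARC failure in the Authentication-Results header, and scans the body for the pressure phrases quoted earlier. The trusted-domain list, the phrase list and both sample messages are constructed for the demonstration.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from typing import Optional

# Constructed list: domains this organization legitimately receives payment mail from.
TRUSTED_DOMAINS = {"example.com", "acme-supplies.example"}

# Constructed list of pressure and payment phrases typical of BEC lures.
URGENCY_PHRASES = (
    "immediately", "right away", "urgent", "close this deal",
    "i know i can trust you", "wire", "gift card",
)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain that `domain` imitates, or None.

    A threshold of two edits catches a dropped letter ("youcompany"), a
    swapped pair, and the classic "rn" for "m" substitution.
    """
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if levenshtein(domain, trusted) <= 2:
            return trusted
    return None


def analyze(raw: str) -> dict:
    """Score one raw RFC 5322 message; each finding adds one point."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To") or from_addr))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    reply_domain = reply_addr.rsplit("@", 1)[-1].lower()

    findings = []
    if reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"sender domain {from_domain} resembles trusted domain {imitated}")
    auth = str(msg.get("Authentication-Results", ""))
    if re.search(r"\bdmarc=fail\b", auth):
        findings.append("DMARC failed for the claimed sender domain")
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append("urgency/payment language: " + ", ".join(hits))
    return {"from": from_addr, "findings": findings, "score": len(findings)}


# Constructed sample: lookalike domain ("rn" for "m"), webmail Reply-To, DMARC fail.
SUSPICIOUS = """\
From: "Jane Doe, CEO" <jane.doe@exarnple.com>
Reply-To: jane.doe.ceo@webmail.example
To: accounts@example.com
Subject: Wire needed today
Authentication-Results: mx.example.com; dmarc=fail header.from=exarnple.com
Content-Type: text/plain

I know I can trust you to get this done right away. We need this
funding immediately to close this deal. Please wire $48,500 to the
account below and confirm by reply.
"""

# Constructed sample: ordinary internal mail that should score zero.
BENIGN = """\
From: "Jane Doe" <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 budget
Authentication-Results: mx.example.com; dmarc=pass header.from=example.com
Content-Type: text/plain

Attached is the Q3 budget summary for review at Thursday's meeting.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        result = analyze(raw)
        print(f"{label}: score={result['score']} from={result['from']}")
        for finding in result["findings"]:
            print("  -", finding)
```

The score is a triage signal, not a verdict: a message that trips the Reply-To or lookalike check should be routed to quarantine or to a reviewer who confirms the request with the sender by a phone number on file, exactly as the FBI tips above describe. The edit-distance threshold will also flag short, legitimately similar domains, so tune it against your own trusted list.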

More tips

  • Be suspicious of unexplained urgency concerning payment requests.
  • Contact vendors through numbers that you have on file instead of those sent in emails.
  • Set up two-factor authentication (2FA) on all accounts, starting with email, to prevent unauthorized access.

If you or your company fall victim to a BEC scam, it’s important to act quickly:

Contact your financial institution immediately and ask them to contact the receiving bank to request that the transfer be frozen or recalled; the chance of recovering funds drops sharply once they are moved on.

Next, contact your local FBI field office to report the crime and file a complaint with the FBI’s Internet Crime Complaint Center (IC3).

Combat BEC scams now

Protect your organization against BEC scams by using ESET multi-layered endpoint security solutions, including LiveGrid® protection via the cloud and network attack protection, and the cloud-based ESET PROTECT console, to give your admins full, detailed network visibility, 24/7.