Business email compromise – 5 scenarios

Since 2013, business email compromise (BEC) attacks have been behind losses of around $3.1 billion to more than 22,000 companies all around the world. According to the FBI, the average loss is $140,000 per scam and, since January 2015, these cyber threats have increased by 1,300%.

What is BEC? The FBI definition

“Sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.”

The FBI identified five different methods by which the scam is carried out:

  1. The bogus invoice scheme
    A business in a long-standing relationship with a supplier is asked to wire funds for settling invoice payments to a fraudulent account. The scam begins with a phone call, fax, or email (in this last case, the con artists create a look-alike email address resembling the supplier’s to reduce the chances of being spotted as fake).
  2. CEO fraud
    The CEO’s email account is spoofed or hacked, and a request to urgently transfer funds is sent to the employee who is responsible for processing these requests, or, sometimes, directly to the bank. It relies on employees executing orders from the top management without question. It is usually carried out under specific circumstances, such as when the CEO is out of office.
  3. Compromised employee’s email account
    An employee’s personal account – used both for personal and business communication – is hacked and exploited to send requests to a list of vendors identified from his or her business contact list asking for invoice payments to a fraudulent bank account. This scam is tricky to identify unless a vendor directly contacts the company about the payment.
  4. Attorney impersonation
    The con artists pose as a lawyer or a representative of a law firm. They contact either an employee or the CEO of the company via phone call or email, and claim to possess confidential information. They then push the target to act quickly or secretly in transferring funds. The scam usually takes place at the end of business days or weeks, when people are more vulnerable and ready to act quickly.
  5. Data theft
    An employee’s email account is hacked and used to send a request to another employee in human resources, asking not for money but for personally identifiable information (PII) or tax statements.
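A practical check against the look-alike addresses used in the bogus invoice scheme above is to compare the sender domain of every invoice or payment request against the supplier domains your finance team has verified out of band, and to flag anything that is close but not identical. The Python script below is an added example and is not part of the original article or of any FBI or IT Governance material; the trusted domain list, the homoglyph table, the edit-distance threshold and the sample addresses are all constructed assumptions for illustration.

```python
"""Flag sender domains that resemble, but are not, a trusted supplier domain."""
import re
import unicodedata

# Constructed example list: supplier domains the finance team has verified out of band.
TRUSTED_DOMAINS = {"acme-supplies.com", "northwind.co.uk"}

# Substitutions commonly seen in look-alike domains (assumed table); applied before
# comparison so that "acrne" and "supp1ies" collapse onto "acme" and "supplies".
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Assumed threshold: edit distance (after normalization) at or below which a
# domain is reported as a look-alike rather than simply unknown.
MAX_DISTANCE = 2


def sender_domain(address: str) -> str:
    """Extract the domain from 'Name <user@domain>' or a plain 'user@domain'."""
    match = re.search(r"@([^\s>@]+)", address)
    if not match:
        raise ValueError(f"no domain in sender address: {address!r}")
    return match.group(1).lower().strip(".")


def normalize(domain: str) -> str:
    """Fold accents, homoglyphs, dots and hyphens so visually similar domains compare equal."""
    ascii_form = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode()
    folded = ascii_form.lower()
    for lookalike, plain in HOMOGLYPHS:
        folded = folded.replace(lookalike, plain)
    return folded.replace("-", "").replace(".", "")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; inputs are short, so the full table is fine."""
    previous = list(range(len(b) + 1))
    for i, char_a in enumerate(a, start=1):
        current = [i]
        for j, char_b in enumerate(b, start=1):
            current.append(min(previous[j] + 1,
                               current[j - 1] + 1,
                               previous[j - 1] + (char_a != char_b)))
        previous = current
    return previous[-1]


def classify_sender(address: str):
    """Return ('trusted' | 'lookalike' | 'unknown', matching trusted domain or None)."""
    domain = sender_domain(address)
    # An exact match, or a genuine subdomain of a trusted domain, is trusted.
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return "trusted", trusted
    norm_domain = normalize(domain)
    best = None
    for trusted in TRUSTED_DOMAINS:
        norm_trusted = normalize(trusted)
        # The trusted name embedded in a longer domain (for example as a subdomain of a
        # registration the company does not own) is a look-alike whatever the distance.
        if norm_trusted in norm_domain:
            return "lookalike", trusted
        distance = levenshtein(norm_domain, norm_trusted)
        if distance <= MAX_DISTANCE and (best is None or distance < best[0]):
            best = (distance, trusted)
    if best is not None:
        return "lookalike", best[1]
    return "unknown", None


if __name__ == "__main__":
    # Constructed sample sender addresses for a dry run.
    samples = [
        "Jane Doe <jane@acme-supplies.com>",
        "ops@eu.northwind.co.uk",
        "ap@acme-supp1ies.com",
        "ap@acrne-supplies.com",
        "ap@acme-supplies.co",
        "billing@acme-supplies.com.invoice-portal.net",
        "someone@gmail.com",
    ]
    for sample in samples:
        print(f"{sample:50} -> {classify_sender(sample)}")
```

A "lookalike" verdict is a signal to stop and verify through a channel the email did not supply, such as a phone number already on file for the supplier; the same out-of-band callback is the standard defence against the CEO fraud and attorney impersonation scenarios above, where the address may be genuine but the account is compromised.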

Watch out for BEC

Everyone is at risk of falling victim to this scam. The more you know about it, how it works, and how to recognize it, the more secure you are. With phishing emails in particular, if you know what to look at and what to check before clicking on any links, you will reduce your chances of putting yourself and your company at the mercy of criminals. Attend our Phishing Staff Awareness E-learning course from the comfort of your home or your desk to improve your ability to spot scams.

Sharpen your eyes to spot the bait with the Phishing Staff Awareness e-learning course >>

We offer cost-effective solutions for large organizations. Contact us on 1 877 317 3454 or email for further information.
Introductory offer: $0 per user for a year on any IT Governance e-learning course

To encourage you to discover and benefit from our e-learning courses we are offering you a year’s subscription to one of our courses of your choice for an introductory $0 per user, for as many users as you need, until 15 July 2016. Read more >>