By: Mira Aslanova on December 24, 2024

What Is Business Email Compromise? How To Spot And Avoid Its Traps

Cybersecurity | Business Continuity | Information Security

Cyber thieves are increasingly setting their sights on new targets within businesses: C-suite executives and other high-profile employees.  

Business email compromise (BEC) is a growing social engineering threat in which digital predators impersonate business executives or trusted partners to trick individuals into sending money or providing sensitive account or business information.  

There are lots of different variations of this kind of phishing attack. But the end result is the same: financial losses that could cause significant, even catastrophic, damage to businesses of all sizes.   

BEC scams have resulted in an estimated $55.5 billion in collective losses over the last decade, with the global problem expected to only grow, according to the FBI’s Internet Crime Complaint Center (IC3).  

In 2023, about 21,500 BEC scams resulted in more than $2.9 billion in adjusted business losses, making it the second-costliest type of crime behind investment schemes, according to IC3.  

According to research from Nationwide Insurance, 22 percent of small businesses and 14 percent of middle market businesses have fallen prey to a BEC scam.  

After reading this article, you will have a complete understanding of what business email compromise is. You'll also learn the steps you can take to avoid falling victim to this growing cyber threat.  

How Do Business Email Compromise (BEC) Scams Work? 

Business email compromise is a high-stakes, digital game of cat and mouse. It is more cunning and sophisticated than many other kinds of cyber attacks because it involves carefully grooming victims over time to develop implicit trust.  

BEC is a multi-layered scam that uses several different tactics to trick an executive or other employee into sending money or sharing sensitive information.

Common Actions Taken In A BEC Scheme 

Step 1: Target identification and background gathering 

Cyber criminals start by identifying their potential victim within a business—usually someone with access to financial accounts.  

Then, they take a deep dive into the target’s digital footprint, scouring social media and online resources like LinkedIn, Facebook, Instagram, and Google to learn more about the individual and the organization.  

Step 2: Malware attack 

Cybercriminals often use spoofed emails to deliver malware and gain entry into your IT systems. The goal is to get the victim to click a malicious link or download an infected file so the attackers can steal the person's usernames and passwords and use them for unauthorized access.

Once inside, these adversaries can launch an undetected malware attack to study an employee’s email communications and habits and gather inside information.  

Step 3: Trust building deception  

Hackers use the information they have gathered online and inside your IT network as the basis for a ruse. They initiate contact through a spear-phishing email or phone call that disguises their true identity.

Step 4: Fraudulent request 

At this point, the attackers, confident in the trust level they have developed, ask the targeted individual to take some action, such as transfer a large sum of money from a regularly used account into a new account, reveal sensitive customer or employee information, or share proprietary business data.  

The targeted employee doesn't second-guess the request because they believe it's coming from a legitimate business source: a supplier, partner, supervisor, or senior-level company official. In fact, business executives themselves can become BEC targets.

The cybercriminal may then follow up with additional emails or phone calls from the impersonated account to create a sense of urgency to pressure the employee to take immediate action without verifying the funds transfer request.

Key BEC Threat Indicators: 6 Red Flags To Watch For

1. Account confirmation 

BEC scams will often begin with a malicious email asking the employee to confirm financial account or personal information. 

2. Suspicious email address 

If they haven't yet gained access to your internal IT systems, hackers may instead send from a fake email address that is a close, but not exact, match to an executive's real email address (for example, a swapped or extra character in the domain).

3. Grammatical, syntax, or spelling mistakes 

Fake emails from cyber criminals may contain misspellings, poor grammar or sentence structure, or formatting issues. 

4. Generic greetings  

Without a specific contact name, hackers often use generic greetings such as “Dear User” or “Dear Valued Customer.” 

5. Malicious hyperlinks  

Harmful links inserted into these fake emails can give hackers an opening into your IT network.  

6. Extreme urgency 

The fraudulent emails will often present a convincing sense of urgency and may even threaten to take legal action or leak sensitive information if the employee doesn’t act quickly.  
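As an added example (not part of the original article), the following Python checks a raw email message against three of the red flags above: a sender domain that is a near miss of a trusted domain, a Reply-To that points somewhere other than the From domain, and urgency language. The trusted domain list, the keyword list and the sample message are constructed for illustration.

```python
import email
import re
from email import policy

# Constructed for this example: your own domain plus known partner/supplier domains.
TRUSTED_DOMAINS = {"example-corp.com", "acme-supplies.example"}
URGENCY = re.compile(r"\b(urgent(?:ly)?|immediately|asap|right away|wire transfer|don'?t call)\b", re.I)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a lookalike domain is a small edit away from a real one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain: str) -> str:
    # Returns the trusted domain this one imitates, or "" if it is trusted or unrelated.
    if domain in TRUSTED_DOMAINS:
        return ""
    return next((t for t in TRUSTED_DOMAINS if edit_distance(domain, t) <= 2), "")

def red_flags(raw: str) -> list:
    """List the red flags from the article that a raw RFC 5322 message triggers."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    from_domain = msg["From"].addresses[0].domain.lower() if msg["From"] else ""
    target = lookalike_of(from_domain)
    if target:
        flags.append(f"sender domain {from_domain} imitates trusted domain {target}")
    if msg["Reply-To"]:  # replies silently routed to a mailbox the sender controls
        reply_domain = msg["Reply-To"].addresses[0].domain.lower()
        if reply_domain != from_domain:
            flags.append(f"Reply-To domain {reply_domain} differs from From domain")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = f"{msg['Subject'] or ''}\n{body.get_content() if body else ''}"
    if URGENCY.search(text):
        flags.append("urgency or pressure language in subject or body")
    return flags

# Constructed sample of a fraudulent request: lookalike CFO address, off-domain Reply-To, pressure.
SUSPICIOUS = """\
From: "Jane Doe, CFO" <jane.doe@examp1e-corp.com>
Reply-To: jane.doe@secure-mail-login.example
To: ap@example-corp.com
Subject: URGENT wire transfer before 5pm

Please process the attached wire immediately. I'm in a meeting, don't call.
"""
```

A heuristic like this belongs alongside, not instead of, the out-of-band verification the article recommends, since a compromised legitimate mailbox triggers none of the first two checks.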

What Are The Best Ways Businesses Can Prevent A BEC Attack?

Because of the increasing sophistication with which BEC attacks are carried out, traditional security controls like antivirus and anti-malware software aren't enough on their own.

Here are some ways you can safeguard your business from a BEC cyber attack:  
  • Create strong passwords or passphrases. Password security is critical to prevent unauthorized access of your personal information, finances, and electronic accounts.  
  • Establish clear policies and procedures about disclosing sensitive account or business information over the phone, via email, or on social media.  
  • Verify that the hyperlinks and URLs in emails belong to the business or individual they claim to be from by hovering over each link and checking the URL and domain name.  
  • Confirm that an email address or phone number is legitimate and comes from a genuine source. 
  • Monitor financial accounts regularly for any irregularities. 
  • When possible, verify requests for payments, purchase orders, or sensitive information in person or—at the very least—outside of email communication.  
  • Use two-factor authentication or other secure methods to validate requests for account updates such as changing account names and numbers.  

What's The Bottom Line In Avoiding Falling For A BEC Scam?  

After reading this article, you now have a more complete understanding of what business email compromise is, how to spot it, and best practices to avoid falling prey to a BEC phishing scheme.  

As we mentioned earlier, traditional security measures such as firewalls or antivirus and anti-malware software won’t prevent a BEC attack since hackers capitalize on human emotions as a work-around to carry out the scheme.  

One advantage of using a managed IT service provider (MSP) is that they can implement robust security solutions to help safeguard your IT systems, including advanced network monitoring, multi-factor authentication, email monitoring software, employee security awareness training, and email filtering and anti-phishing tools.   

We realize, however, that managed IT support is not the right fit for every business.  

If you’re a small business with fewer than 10 employees, or you have an existing team of IT professionals who have the time and resources to devote to implementing these and other security measures, then you likely wouldn't benefit from using an MSP. 

On the other hand, if you're considering external managed IT services, we urge you to do your research on several providers to find one that’s best suited for your business.  

Regardless of whether or not you choose to work with Kelser, we are committed to providing honest, straightforward information in articles like this that you can use to keep your business running securely and efficiently. 

Unsure if your organization’s security tools are up to the latest cyber threats? Click the link below for a free checklist you can use to:  

✔️Understand where your organization's cybersecurity policy needs improving 
✔️Learn five best-practices and actions you can take to keep your organization's data secure 
✔️Help ensure your organization follows the latest cybersecurity best practices 

Get your free cybersecurity checklist now, so you can take action against the latest cybersecurity threats and keep your business safe.

About Mira Aslanova

Mira Aslanova is the Cybersecurity and Compliance Manager at Kelser Corp. Her mission is to protect businesses from evolving threats while ensuring adherence to relevant compliance regulations and policies. With extensive experience managing cybersecurity for complex systems, she has helped organizations secure the certifications and approvals required for safe and secure operations. Her expertise makes her a trusted partner in navigating the challenges of cybersecurity and compliance.
