How do BEC Scams Work?
Key Takeaways
Business email compromise (BEC) is a cyber fraud in which criminals impersonate trusted contacts such as executives or suppliers to trick employees into transferring funds or revealing sensitive data. In July 2024, a Singapore commodity firm lost USD 42.3 million in a BEC attack: fraudsters altered a supplier's email and redirected payments to a fake account. Most of the money was recovered with INTERPOL's help.
What is Business Email Compromise (BEC)?
Business email compromise (BEC) is a cyber fraud scheme in which criminals compromise or spoof an email account to impersonate a trusted contact. A common target is a mailbox in the company's finance department. Attackers then trick staff into authorizing wire transfers or sharing sensitive data.
Trustpair blocks the financial effects of BEC thanks to ongoing account validation and authentication. All suspicious transactions are blocked and risky data changes are spotted. Request a demo to learn more!
How do BEC scams work?
BEC scams work in different ways. Generally, a fraudster either breaks into a mailbox (through phishing, stolen credentials or malware) or spoofs one, and then inserts themselves into existing email threads.
Once inside a mailbox, the fraudster may not strike until much later. They spend time reading email chains to learn which employees handle money, invoices and transactions, and which approvals a payment needs.
They also pick up the wording and habits of the people in those threads, so that an email sent later in an employee's name reads as genuine.
Once they have gathered the information they need, the fraudster asks for a payment, or a change of bank details, that sends money to an account they control.
Alternatively, fraudsters register a lookalike domain and send from an address that closely resembles that of a senior figure in the company. From there, they ask those in charge of payroll or accounts payable to redirect funds to a different account.
Reported BEC scam losses have increased by 58% since 2020.
What are the types of Business Email Compromise Attacks?
Type of BEC Attack | Description |
---|---|
Data theft | Often the first step of BEC fraud, or a lead-in to other fraud later. The HR department is a common target: employee schedules, travel plans and personal data are stolen to build a picture of the person who will be defrauded, or of the senior figure who will be impersonated. |
CEO fraud | The attacker poses as the CEO or another senior figure and asks for a payment to be transferred to a bank account operated by the attacker. |
Account compromise | A member of the finance department is targeted and their mailbox is taken over. From that genuine account the scammers ask vendors or colleagues to send payments to a new bank account that the scammers control. |
Vendor email compromise | The criminals pose as a vendor, claim the usual account is unavailable and ask for funds to be sent to an attacker-owned bank account. Alternatively, they send a fake invoice whose details closely match the real vendor's. |
Attorney impersonation | Attackers compromise or spoof a lawyer's email address and tell clients to pay through a link, or send a fake invoice carrying the details of a scammer-controlled bank account. |
What are BEC examples?
Facebook and Google
The best-known example of a BEC scam is the vendor email compromise (VEC) attack on Facebook and Google between 2013 and 2015.
The two companies lost around $121 million between them. The fraudsters impersonated Quanta Computer, a hardware supplier both companies did business with.
They set up a company under the same name as Quanta Computer and used false invoices, fake contracts and letters to persuade both organizations to pay tens of millions into accounts the scammers controlled.
One Treasure Island
The nonprofit based in San Francisco fell victim to a business email compromise attack in 2021.
Hackers gained access to the bookkeeper's mailbox. Using spoofed addresses, they inserted themselves into existing email chains while posing as people involved with the nonprofit.
They then found an invoice from a member organization that had been sent to One Treasure Island's executive director and altered it so that the wire transfer instructions pointed to a bank account in Texas.
The organization lost $655,000 in the fraud attack.
BEC red flags
Here are some of the red flags of business email compromise and ways your business can prevent it.
By being aware of these methods and how to counter them, your business can avoid:
- Financial damage
- Reputational damage
- Data leaks
Grammatical errors
If an email from a senior member of staff is littered with simple grammatical errors that they would not usually make, this should raise suspicions.
If you are not sure it is legitimate, ring the employee on a number you already have, or go and see them, before making any transfer or payment.
Time sensitivity
If a member of your team receives an email or text message from a colleague requesting an urgent transfer, this should raise alarm bells.
It may be that the sender describes a serious situation, such as needing their salary paid early for a family medical bill, or a vendor needing to be paid quickly into a new account to keep the business. These are social engineering techniques used to complete BEC attacks.
Go and see the member of staff, or ring them on a known number, to check the request is genuine. By making the situation urgent the fraudster hopes you will skip the usual procedures to get it done, or forget the correct process altogether.
Employees should be educated about the red flags of fraud such as business email compromise, and should always step back and think the request through before acting on it.
Unusual requests
Unusual requests a member of staff may receive include:
- Being asked not to discuss the transfer with other employees
- Being asked to bypass the normal process, for example by sending a wire transfer instead of going through the usual approval workflow
- Being asked to communicate by text rather than email: staff should have each other's work phone numbers anyway, and scammers push for texts because a text can feel more trustworthy than an email and sidesteps email security controls
Suspicious email addresses
Phishing emails are a common entry point for business email compromise. Fraudsters send from an address that is deceptively similar to one staff already use (a swapped or missing letter, a different top-level domain) or rely on a familiar display name over an unrelated address, hoping that staff will not inspect the underlying address and will redirect funds into an account the fraudsters control.
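The lookalike and spoofed addresses described in "How do BEC scams work?" and in this section, together with the urgency and unusual-request red flags above, can be checked mechanically before a payment request reaches a human. The script below is an added example written for this page; it is not code from the article or from Trustpair's product. It assumes a small list of trusted domains, a map of executive display names to the domain their mail must come from, and a few pressure and payment phrases; the three messages it scores are constructed samples, not real traffic.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed reference data for the example (assumptions, not from the article):
# the organisation's own domain, a vendor it pays, and an executive who is
# likely to be impersonated, mapped to the domain her mail must come from.
TRUSTED_DOMAINS = {"examplecorp.com", "quantasupplier.com"}
EXECUTIVES = {"jane doe": "examplecorp.com"}
PRESSURE_PHRASES = ("urgent", "immediately", "asap", "today",
                    "confidential", "keep this between us", "do not discuss")
PAYMENT_PHRASES = ("new bank account", "new account", "updated bank details",
                   "wire transfer", "account is down")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike_of(domain: str):
    """Return the trusted domain this one imitates, or None if trusted or unrelated."""
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        # A small edit distance catches swapped or dropped letters and TLD changes
        # (exarnplecorp.com, quantasupplier.co); a trusted name embedded in a
        # longer domain catches examplecorp.com.billing-portal.net.
        if edit_distance(domain, trusted) <= 2 or trusted in domain:
            return trusted
    return None


def analyze_message(raw: str) -> list:
    """Return the BEC red flags found in one RFC 5322 message, as short codes."""
    msg = message_from_string(raw)
    flags = []
    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    if lookalike_of(from_domain):
        flags.append("lookalike_domain")

    # Display name of a known executive over an address outside their domain
    expected = EXECUTIVES.get(display.strip().lower())
    if expected and from_domain != expected:
        flags.append("display_name_mismatch")

    # Replies silently routed to a different mailbox than the visible sender
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        flags.append("reply_to_mismatch")

    # Single-part text bodies only; multipart mail would need get_payload(decode=True)
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    if any(p in text for p in PRESSURE_PHRASES):
        flags.append("pressure_or_secrecy")
    if any(p in text for p in PAYMENT_PHRASES):
        flags.append("payment_detail_change")
    return flags


# Constructed sample messages (not real traffic).
LEGIT = """From: Jane Doe <jane.doe@examplecorp.com>
To: accounts@examplecorp.com
Subject: Q3 budget

Please find the Q3 budget review attached for Friday's meeting.
"""

CEO_FRAUD = """From: Jane Doe <jane.doe@exarnplecorp.com>
Reply-To: <jane.doe.ceo@gmail.com>
To: accounts@examplecorp.com
Subject: Wire needed

I am in a meeting and cannot talk. Process a wire transfer of 48,000 USD
to the new account in the attached invoice today. Keep this confidential.
"""

VENDOR_FRAUD = """From: Billing <billing@quantasupplier.co>
To: accounts@examplecorp.com
Subject: Updated remittance details

Our usual account is down for an audit. Please send this month's payment
to the new bank account below and confirm once done.
"""

if __name__ == "__main__":
    for name, sample in (("legit", LEGIT), ("ceo_fraud", CEO_FRAUD),
                         ("vendor_fraud", VENDOR_FRAUD)):
        print(name, analyze_message(sample))
```

A message that raises the lookalike or display-name flags should be held regardless of its wording; the phrase lists only add weight and are easy for an attacker to avoid. None of these checks replaces the control the article recommends: confirming any change of bank details with the requester on a phone number already on file.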
How to Prevent BEC Cybersecurity Attacks?
Preventing business email compromise (BEC) requires a mix of staff training and stronger email security measures. Companies that overlook these steps risk falling victim to BEC scams, account compromise, and fraudulent wire transfers.
Training
Employees should be trained to spot suspicious emails, urgent requests, and phishing attack attempts. They must know how to respond if an employee’s email account is compromised or if attackers try to trick employees into transferring money. Security awareness programs reduce the risk of revealing sensitive information or login credentials during BEC attempts.
Use a fraud prevention platform
Organizations can limit the damage from BEC attacks by adopting fraud prevention tools. Platforms like Trustpair monitor financial transactions, validate vendor bank account details in real time, and block payments to unverified accounts before money is sent. This closes the gap left when a compromised or spoofed mailbox is used to change payment details, a gap that email security alone does not cover.
With BEC attackers launching increasingly sophisticated schemes, businesses need proactive measures. Combining employee awareness with advanced verification tools provides the best defense against future attacks.
Recap
BEC attacks involve fraudsters taking over a mailbox, or spoofing an address, to redirect funds or gain valuable information. Alarm bells should ring if emails contain grammatical errors, urgent or unusual requests, or suspicious addresses. Companies should educate and train staff about BEC scams and use fraud detection software like Trustpair.