How to Recognize Business Email Compromise Scams (BEC)
In a Business Email Compromise (BEC) scam, a fraudster sends an email, from an address that appears to be real, to someone in the target organization. The email usually directs the recipient to wire a large payment to an account the scammer owns. BEC scams are a growing fraud problem. Just how big a problem? According to the Microsoft Cyber Signals report, there were more than 35 million BEC attempts in the last year.[1] BEC scams cost businesses an average of $4.67 million and are the second most expensive cyberattack after those committed by malicious insiders.[2]
How is an email address compromised?
Fraudsters infiltrate a company's email systems to steal data, including contact information, schedules, and even travel plans. They then use this information to manipulate employees, executives, and even suppliers with a scheme.
There are five common types of BEC scams.
You might think BEC scams would be easy to detect. After all, most organizations protect their networks and systems. But fraudsters are determined and work hard to expose and exploit weaknesses.
BEC attacks are effective because they are usually part of a long-term plan. Criminals select specific organizations and learn what they can about their executives, suppliers and procedures from public information.
The simplest tactic in BEC scams is to embed a malicious link that the recipient clicks, landing on a page where they enter sensitive information. There are five common schemes, each with its own goal and approach.
- Data Theft
Human resource staff members are usually the targets of data theft attacks. The hackers hope to obtain information with which they can launch further BEC scams, particularly against company executives.
- CEO Fraud
In this scheme, an employee in the financial department receives a legitimate-looking email that appears to come from the company's CFO, CEO, or another executive asking for an immediate transfer of funds. In some cases, the fraudster may send the email directly to the financial institution. It may contain some valid information and even resemble language commonly used by the company or executive to make it appear legitimate. However, the funds will be diverted to a fraudulent account. Because the executive is usually unavailable to verbally confirm the wire transfer (the fraudster has checked their schedule), the money is gone before anyone in the organization realizes it was a scam.
- Account Compromise
After hacking into an employee's email account, criminals send payment requests to vendors. Any payments will go to fraudulent accounts.
- False Invoice Scheme
This scam preys on established supplier relationships, usually with foreign suppliers. The victims may receive spoofed emails, faxes or phone calls from entities posing as established suppliers asking them to wire payments to a fake account.
- Attorney Impersonation
In this scheme, criminals pretend to be attorneys and either call or email employees or executives regarding fictitious urgent, confidential matters. Their goal is to pressure victims to quickly wire funds to their fraudulent accounts.
Which industries are most targeted for BEC scams?
While scammers don't limit the types of businesses they attack, some industries are targeted more often than others. According to the FBI, real estate companies experienced 2,284 attacks with losses of $446.1 million in 2022.[3] Fraudsters hack into the email accounts of buyers, sellers, attorneys, agents and title companies, where they can track the status of transactions. With this information they can request payment or bank account changes, diverting funds to fraudulent accounts.
Other industries that are popular targets for social engineering and hacking include:[4]
- Information
- Finance
- Manufacturing
- Public Administration
- Retail
Professional (including attorneys in areas other than real estate), Technical and Scientific Services are also heavily targeted.
How do I protect my business email from compromise?
Fraudsters rely on disruption and employees’ inattention to detail to succeed. They may launch attacks during very busy or holiday seasons, or when key staff are out of office. That is why establishing effective security procedures and employee awareness and training is so important.
- Be skeptical.
Most email scams include a sense of urgency. Be suspicious of any unplanned requests for money that must happen immediately, as well as transactions that require secrecy from other executives in the organization. Legitimate business transactions should always allow time to secure appropriate verification and approval.
- Review existing procedures.
Establish firm policies for approving unexpected payments or wire transfers, such as requiring confirmation for the transaction through a means other than email. For example, you might require the employee to call the executive on a known, non-published phone number (not one provided in the company directory) before initiating the payment. Ensure company executives are on board with these policies and agree not to discipline employees who refuse to make exceptions.
- Include checks and balances.
Don't assign staff responsibility for both payables and receivables. Only grant access to sensitive data on a "need-to-know" basis. When possible, require more than one approval for large payments and transactions.
- Use a code word.
Adding a question that must be answered or a code word before a transfer can be processed is just another level of security that helps establish identity. It also prevents the scammer from calling in with a spoofed number and posing as the executive. Never use the code word in an email, only over the phone.
- Train your staff.
Inform all employees, especially those with financial authority, about BEC scams. Fraud techniques are continually evolving, so security awareness training is not a one-time event. It should be ongoing for timely responses to emerging threats.
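The controls listed above (out-of-band confirmation on a number already on file, code word by phone only, separation of duties, dual approval for large payments) can be written down as a pre-release check so that a rushed clerk cannot skip them. The following is an added illustration, not code from this article or from Synovus; the threshold, the phone directory and the two sample requests are constructed assumptions.

```python
from dataclasses import dataclass

# Assumed policy values (not from the original article).
LARGE_PAYMENT_THRESHOLD = 10_000
# Callback numbers recorded before any request arrived, never taken from an email.
KNOWN_PHONES = {"cfo@example.com": "+1-555-0100"}


@dataclass
class PaymentRequest:
    requested_by: str         # address the email appears to come from
    amount: float
    approvers: tuple          # staff who signed off on the transfer
    callback_number: str      # number actually dialled to confirm
    callback_confirmed: bool  # did the real person confirm on that call?
    code_word_channel: str    # "phone" or "email"


def review(req: PaymentRequest) -> list:
    """Return the control failures for a request; an empty list means it may proceed."""
    problems = []
    known = KNOWN_PHONES.get(req.requested_by)
    if known is None:
        problems.append("no pre-registered callback number for requester")
    elif req.callback_number != known:
        problems.append("callback used a number not on file")
    elif not req.callback_confirmed:
        problems.append("transfer not confirmed out of band")
    if req.code_word_channel != "phone":
        problems.append("code word exchanged outside a phone call")
    if req.requested_by in req.approvers:
        problems.append("requester approved their own payment")
    if req.amount >= LARGE_PAYMENT_THRESHOLD and len(set(req.approvers)) < 2:
        problems.append("large payment lacks a second approver")
    return problems


# Constructed sample: urgent request where the "confirmation" number and the
# code word both came from the email itself, the pattern the article warns about.
SUSPECT = PaymentRequest("cfo@example.com", 48_000, ("clerk@example.com",),
                         "+1-555-0199", True, "email")
# Constructed sample: same amount, confirmed on the number on file, two approvers.
CLEAN = PaymentRequest("cfo@example.com", 48_000,
                       ("clerk@example.com", "controller@example.com"),
                       "+1-555-0100", True, "phone")

if __name__ == "__main__":
    for name, r in (("suspect", SUSPECT), ("clean", CLEAN)):
        print(name, review(r) or "may proceed")
```

Because the number is looked up from a directory populated in advance, a phone number or code word supplied inside the request email never satisfies the check.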
Get help to prevent and remedy fraud.
The best way to prevent BEC scams is to recognize them, prevent them and develop a plan for managing them if they occur. The FBI, data security providers and trade associations are excellent resources for learning how to identify scams and protect your business. You should also consider whether to purchase cybersecurity insurance which can help cover costs related to a breach.
Act quickly if you become a victim.
Immediately contact your financial institution if you are involved in a BEC scam. You can also file a report with the FBI's Internet Crime Complaint Center (IC3). Your bank and the FBI may be able to recover stolen funds if you notify them early enough.
If you think only large companies are at risk for BEC scams, think again. Attacks against small to medium businesses increased by 145% last year.[5] BEC scams are a threat to companies of all sizes. Be sure you know what to look for and how to respond.
Our banking professionals can assist with your business financial needs. If you’d like to learn more visit your local branch or call 1-888-SYNOVUS (1-888-796-6887).
Important disclosure information
This content is general in nature and does not constitute legal, tax, accounting, financial or investment advice. You are encouraged to consult with competent legal, tax, accounting, financial or investment professionals based on your specific circumstances. We do not make any warranties as to accuracy or completeness of this information, do not endorse any third-party companies, products, or services described here, and take no liability for your use of this information.
1. Microsoft, "The Confidence Game: Shifting Tactics Fuel Surge in Business Email Compromise," 2023.
2. IBM Security, "Cost of a Data Breach Report," 2023.
3. Federal Bureau of Investigation, "Business Email Compromise: The $50 Billion Scam," June 9, 2023.
4. Verizon, "2023 Data Breach Investigations Report," May 26, 2023.
5. InfoSecurity Magazine, "BEC Attacks Surge 81% in 2022," February 8, 2023.