According to the 2024 FBI Internet Crime Report, Business Email Compromise (BEC) losses totaled $2.77 billion, making BEC one of the fastest-growing and costliest cyber threats facing businesses today.
Fraudsters impersonate legitimate contacts, including executives, vendors, or partners, to trick employees into sending money or sensitive data. Awareness and preparation are your best defenses.
What is Business Email Compromise?
Business Email Compromise (BEC) is a form of cybercrime where attackers use social engineering and spoofed or hacked emails to impersonate trusted parties. Their goal? Convince you to wire funds or share confidential information.
Common scenarios include:
- CEO Fraud: An attacker poses as the CEO and sends an urgent email to the finance team requesting a wire transfer.
- Vendor Spoofing: A fake invoice is sent from what appears to be a regular vendor, with new payment instructions.
- Account Compromise: A real employee’s email is hacked and used to request changes to payroll or billing information.
These scams are timed strategically—often around holidays, quarter-end closings, or leadership travel—when employees may be rushed or distracted.
How to Prevent BEC
Employees are your first line of defense. Prevention starts with awareness and layered defenses. Here’s how you can reduce your risk:
- Train employees regularly: Ongoing cybersecurity awareness training helps your team spot red flags and think critically before clicking.
- Mark external emails clearly: Configure your email system to display a banner or tag at the top of all messages received from outside your organization. Change the look often so employees don’t get used to it and start ignoring it.
- Enable Multi-Factor Authentication (MFA): This simple step dramatically reduces the chances of email accounts being compromised.
- Verify payment requests: Always confirm changes to vendor payment details or payroll information by calling a known contact using a verified phone number.
- Set internal controls: Require dual approval for large transfers and limit who can authorize payments.
- Keep systems updated: Ensure all devices are running the latest software and have strong endpoint protection in place.
- Limit public information: Be cautious about what you share on your website or social media—criminals use these details to craft believable scams.
How to Spot a Compromised Email
BEC emails are often well-written and look legitimate, but subtle clues can reveal their true nature. Here are red flags to watch for:
- Misspelled or unusual sender addresses: An email might come from “[email protected]” instead of yourcompany.com.
- Urgent or secretive requests: “I need this wire processed within the hour. Don’t tell anyone until it’s done.”
- Unusual timing or tone: An executive who rarely emails the accounting department suddenly requests a transfer late on a Friday.
- Request to change financial information: Always confirm these requests through a trusted communication channel or in person.
- Suspicious attachments or links: Don’t open attachments or click links unless you are 100% sure they’re safe.
Encourage employees to trust their instincts—if something feels off, it’s worth checking.
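As an added illustration of the first red flag above (example code, not part of the original article), here is a small Python check that undoes common character swaps in a sender's domain, compares it with a list of trusted domains, and flags an executive's display name arriving from an outside address. The trusted domains, executive names and confusable pairs are assumed sample values.

```python
from email.utils import parseaddr

# Constructed sample data (assumed, not from the article): your own domain,
# trusted vendor domains, and executives whose names attackers like to borrow.
TRUSTED_DOMAINS = {"yourcompany.com", "acme-supplies.com"}
EXECUTIVES = {"jane doe", "john smith"}
# Character swaps commonly used in lookalike domains (assumed list).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Undo visual tricks such as 'rn' for 'm' before comparing domains."""
    d = domain.lower()
    for look, real in CONFUSABLES:
        d = d.replace(look, real)
    return d


def assess_sender(from_header: str) -> list:
    """Return red flags for a From: header; an empty list means a trusted sender."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return []
    flags = []
    norm = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        limit = 1 if len(trusted) < 10 else 2  # tighter tolerance for short domains
        # Near-identical spelling, or the trusted name buried inside a longer domain
        if edit_distance(norm, trusted) <= limit or trusted in domain:
            flags.append("lookalike-domain")
            break
    if name.strip().lower() in EXECUTIVES:
        flags.append("executive-name-from-external-domain")
    return flags or ["external"]
```

A mail gateway rule or a SIEM search can apply the same logic to the From: header to drive the external-sender banner and to quarantine lookalike domains for review.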
What to Do If It Happens to Your Business
If you suspect a BEC attack—whether successful or attempted—take immediate action:
- Cease communication with the suspected fraudster.
- Alert your IT team or cybersecurity provider to investigate and secure your systems.
- Notify your bank right away. If money has been transferred, the sooner you act, the better your chances of recovery.
- Report the incident to the FBI’s Internet Crime Complaint Center (IC3): https://www.ic3.gov
- Preserve all related emails, headers, and data to assist with the investigation.
- Review and strengthen your security policies to avoid repeat incidents.
BEC attacks are becoming more sophisticated, but with vigilance and strong security practices, your business can stay protected. Education is the first step.