Business Email Compromise (BEC): How Scammers Target Companies

Business Email Compromise (BEC) is one of the most costly fraud types, causing billions of dollars in losses annually. Scammers impersonate executives, manipulate employees, and exploit company relationships to steal money and data. Understanding these tactics helps your organization defend against them.

What Is Business Email Compromise?

Business Email Compromise is a sophisticated fraud attack where criminals send emails appearing to be from company executives, trusted vendors, or business partners. These emails request urgent money transfers, sensitive data, or credential changes. The requests seem legitimate and come from "inside" the company, making employees less suspicious.

How BEC differs from phishing

Standard phishing attacks use mass emails with obvious red flags (poor grammar, generic greetings). BEC attacks are highly targeted and sophisticated. Scammers research company structure, understand business relationships, and craft emails that perfectly mimic an executive's communication style.

Common BEC Attack Types

CEO fraud (whaling)

An email appears to be from the CEO or executive requesting an urgent wire transfer. The email cites time sensitivity: "Complete this before end of business," "Needed for acquisition," or "Confidential—don't discuss with others." Employees comply quickly without verifying through normal channels.

Invoice manipulation

Scammers intercept or impersonate a vendor and send fraudulent invoices requesting payment. The invoice looks legitimate, includes company logos, and matches the vendor's format. Accounting departments pay invoices without additional verification.

Vendor impersonation

Scammers send emails appearing to be from a trusted vendor requesting payment for invoices. They create email addresses nearly identical to the real vendor (vemdor.com instead of vendor.com). Employees pay invoices that never existed.

W-2 phishing

An email appears to be from HR or the CEO requesting W-2 information (Social Security numbers, salary information) for all employees. Scammers use this information to file fraudulent tax returns or commit identity theft.

Wire transfer fraud

Emails request urgent wire transfers to new accounts or foreign banks. The urgency and authority (appearing from an executive) pressure employees to bypass verification procedures.

Credential harvesting

An email appears to be from IT or a service provider requesting account credentials for "system updates" or "security verification." Once obtained, scammers access company systems, steal data, or commit further fraud.

Account takeover

Scammers compromise an employee's or executive's email account through phishing or password attacks. Once inside, they send fraudulent emails to colleagues, vendors, and partners that appear completely legitimate.

How Scammers Research Your Organization

BEC attackers are thorough. They research your company extensively before attacking:

  • Review your website for company structure, executives, and departments
  • Check LinkedIn for employee information and organizational hierarchy
  • Monitor social media for executive announcements and company news
  • Research your vendors and business partners
  • Review public financial documents and SEC filings
  • Monitor press releases for mergers, acquisitions, and partnerships
  • Check email directories and leaked password databases
  • Study executive communication patterns from emails leaked online

Red Flags for BEC Emails

Sender address anomalies

  • Email from an external domain instead of company email
  • Similar but slightly different spelling (ceo-name@company-name.com instead of @company.com)
  • Free email addresses (Gmail, Yahoo) used by "executives"
  • Spoofed emails appearing to be from known contacts

Message content red flags

  • Unusual urgency or time pressure
  • Requests for secrecy: "Don't mention this," "Keep between us"
  • Unusual requests from normally routine transactions
  • Wire transfer requests to unfamiliar bank accounts
  • Requests for sensitive information (passwords, credentials, W-2 data)
  • Executive tone different from their usual style
  • Poor grammar or spelling (though sophisticated BEC attacks avoid this)

Process red flags

  • Request bypasses normal approval processes
  • Requests to skip vendor verification procedures
  • Instructions to process payment immediately without review
  • Request to use unusual payment methods
  • New account information for a known vendor

Prevention Policies and Best Practices

Implement multi-factor authentication (MFA)

Require MFA for all email accounts, especially for executives and finance staff. This prevents attackers from accessing accounts even with stolen passwords.

Establish verification procedures

For any financial requests, always verify by calling the requester back using a known phone number (not from the email). Never use contact information from the email itself. For vendor payments, verify new account information through a separate communication channel.

Segregate financial duties

Never allow one person to approve and process payments. Require at least two people: one to approve, one to execute. This prevents a single compromised employee from causing damage.

Use email authentication protocols

Implement SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting and Conformance) to prevent email spoofing. These make it harder for attackers to impersonate your company's domain, and the receiving mail gateway records the outcome of these checks in the message's Authentication-Results header, which filtering rules can act on.

Train employees on BEC threats

Regular security training helps employees recognize BEC attacks. Educate staff about the specific risks they face and the verification procedures your company uses.

Create a fraud reporting system

Establish a simple process for employees to report suspected fraud. Make reporting safe and anonymous so employees feel comfortable alerting leadership to threats.

Monitor email for red flags

Use email filtering software to flag suspicious emails (spoofed addresses, external senders requesting payments, etc.). This catches many attacks automatically.
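As an added example (not part of the original guide), here is a small Python triage script that applies several of the red flags listed above to one raw email: a lookalike sender domain (the vemdor.com case from the vendor impersonation section), a Reply-To pointing somewhere other than the sender's domain, an Authentication-Results header showing SPF/DKIM/DMARC not passing, and urgency, secrecy and payment language in the body. The company domain, the verified vendor list and the sample message are constructed assumptions, and the score is meant to route a message to manual verification, not to block it on its own.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed (constructed for this example): our own domain and the vendor domains that Accounts Payable has verified out of band.
COMPANY_DOMAIN = "example.com"
KNOWN_VENDORS = {"vendor.com"}
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com"}
URGENCY = re.compile(r"\b(urgent|immediately|asap|before end of (business|day))\b", re.I)
SECRECY = re.compile(r"\b(confidential|don.t (mention|discuss)|keep (this )?between us)\b", re.I)
PAYMENT = re.compile(r"\b(wire transfer|invoice|new (bank )?account|routing number|w-?2)\b", re.I)

def edit_distance(a, b):
    """Levenshtein distance; a trusted domain within 2 edits of the sender's is treated as a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def score_message(raw):
    """Score one RFC 822 message; returns (score, reasons), where a higher score means more BEC-like."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    domain = sender.rpartition("@")[2]
    reasons = []
    if domain in FREE_MAIL:
        reasons.append("free mail provider")
    elif domain != COMPANY_DOMAIN and domain not in KNOWN_VENDORS:
        nearest = min(KNOWN_VENDORS | {COMPANY_DOMAIN}, key=lambda t: edit_distance(domain, t))
        reasons.append(f"lookalike of {nearest}" if edit_distance(domain, nearest) <= 2 else "external sender")
    if reply_to and reply_to.rpartition("@")[2] != domain:
        reasons.append("reply-to differs from sender")
    # Authentication-Results is stamped by the receiving gateway after its SPF/DKIM/DMARC checks
    if re.search(r"\b(spf|dkim|dmarc)=(fail|softfail|none)\b", msg.get("Authentication-Results", ""), re.I):
        reasons.append("SPF/DKIM/DMARC not passing")
    for name, pattern in (("urgency", URGENCY), ("secrecy", SECRECY), ("payment request", PAYMENT)):
        if pattern.search(msg.get_payload()):
            reasons.append(name)
    return len(reasons), reasons

# Constructed sample: a vendor-impersonation invoice sent from the lookalike domain vemdor.com
SAMPLE = """From: "Vendor Accounts" <billing@vemdor.com>
Reply-To: billing.vendor@gmail.com
Authentication-Results: mx.example.com; spf=none smtp.mailfrom=vemdor.com; dmarc=none

Please process the attached invoice immediately. Our bank changed, so send the wire transfer to the new account below. Keep this between us until the switch is announced.
"""
```

Running `score_message(SAMPLE)` returns a score of 6 with all six reasons listed, while an ordinary internal message from @example.com scores 0.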

Implement account restrictions

Limit what compromised accounts can do. For example, temporarily restrict email forwarding rules, disable automatic replies, and flag unusual account activity.

What to Do If You Suspect a BEC Attack

Stop and verify

If you receive a suspicious email requesting payment, credentials, or sensitive information, stop immediately. Call the person at a number you know is correct (from the company directory or website, not from the email) and verify the request.

Report to IT and security

Alert your IT department and security team immediately. If an account has been compromised, they need to secure it. If wire transfers were made, they need to contact the bank immediately to try to recover funds.

Reset compromised accounts

If an employee's account has been compromised, reset their password immediately and force them to log out from all sessions. Require them to change passwords on other accounts that share the same password.

Contact your bank immediately

If funds have been transferred, contact your bank or financial institution immediately. Many fraudulent transfers can be stopped or reversed if reported quickly enough.

Report to law enforcement

Report BEC attacks to the FBI's Internet Crime Complaint Center (IC3) at ic3.gov. Provide details about the attack, any funds lost, and the email addresses/accounts used.

Key Takeaway

Business Email Compromise is sophisticated and targeted. Your best defense is a combination of technical controls (MFA, email authentication, filtering) and human awareness (verification procedures, employee training). When unusual financial or sensitive data requests arrive via email, slow down and verify through an alternative communication channel. The few minutes spent verifying can save your organization hundreds of thousands of dollars.

What's Next?

For detailed organizational security guidance, consult with a cybersecurity professional or contact the FBI's Cyber Division.