Overview
Business Email Compromise (BEC) is one of the costliest forms of cybercrime. According to Europol and the FBI, BEC causes billions in global losses annually. The UK NCSC and Australia's ACSC have issued similar warnings about its rapid growth. Attackers compromise or spoof corporate email accounts to trick employees, vendors, or partners into making fraudulent wire transfers or sharing sensitive information. Unlike mass phishing, BEC attacks are highly targeted and often involve extensive research into the target organization.
How This Scam Works
Attackers compromise an executive's email account through phishing or credential stuffing, then use it to send fraudulent requests to employees.
Email spoofing creates messages that appear to come from the CEO, CFO, or a trusted vendor, requesting urgent wire transfers or sensitive data.
Vendor email compromise involves hacking a supplier's email to send fake invoices with updated payment information.
Payroll diversion schemes redirect employee direct deposits to criminal accounts by impersonating employees through HR email requests.
Warning Signs
Real Scam Examples
These are examples of messages used in this type of scam.
Hi [CFO Name], I need you to process a wire transfer of $125,000 to complete a confidential acquisition. This is time-sensitive and cannot wait until Monday. I am traveling and unreachable by phone. Please process immediately and confirm by email.
Hello, This is to inform you that our banking information has changed. Please update your records with the new account details below for all future payments. Invoice #4827 for $67,450 is due this week.
How to Protect Yourself
1Implement verification procedures
Require phone verification for all wire transfers, payment changes, and sensitive data requests using known contact numbers, not numbers provided in the suspicious email.
2Use multi-factor authentication on all email accounts
MFA prevents attackers from accessing email accounts even if passwords are compromised through phishing.
3Deploy email authentication protocols
Implement SPF, DKIM, and DMARC to prevent email spoofing and flag messages from unauthorized senders.
4Train employees regularly
Conduct regular BEC awareness training with realistic phishing simulations. Ensure all employees, especially those in finance and HR, understand BEC tactics.
Frequently Asked Questions
Think you have received a scam like this?
Paste the suspicious message into our free AI-powered scam analyzer.
Related Resources
Phishing Attacks: The Complete Protection Guide
Phishing is the most common type of cyberattack, responsible for over 90% of data breaches. These attacks use deceptive ...
Wire Transfer Fraud: Protecting Your Money from Wire Scams
Wire transfer fraud causes billions in losses annually because wire transfers are fast, irreversible, and difficult to t...
Identity Theft: Prevention, Detection, and Recovery
Identity theft occurs when someone uses your personal information without permission to commit fraud or other crimes. It...
GCR Scam Guard
Related Online Scams resource
PayPal Scam Guide
Related Online Scams resource
Amazon Scam Guide
Related Online Scams resource