The average business uses email for everything from customer support to human resources. It follows that when a cyberattack targets a business, email is a logical place for it to start. One example of this is the Business Email Compromise (BEC) scam.

A BEC scam uses a mix of social engineering and misdirection to trick employees into wiring company money to accounts the attacker controls. Naturally, it’s also one of the most expensive scams that a business can fall victim to.

So what exactly is the BEC scam, and how does it work? How can you avoid falling victim to one?

What Is the Business Email Compromise (BEC) Scam?


A BEC scam is when an attacker uses an email to impersonate somebody else in an attempt to extract a wire transfer or other resource from a business.

It is also known as the Man-in-the-Email scam, by analogy with man-in-the-middle attacks: in both cases the victim believes they are communicating with a trusted party when the attacker is actually the one on the other end of the conversation.

BEC scams are effective because the victim usually has a previous relationship with the person being impersonated.

They are also a widespread problem. The FBI's Internet Crime Complaint Center (IC3) reported BEC losses of more than $1.8 billion in 2020 alone, more than any other category of cybercrime it tracks.

How Does a BEC Scam Work?


First, the attacker chooses a company to target. They might hit a specific industry or choose a company that simply has poor security.

They will then research that company thoroughly using publicly available information such as the business' website and/or social media accounts.

During this stage, they are primarily looking for people to impersonate. But they are also trying to find out how a company operates and therefore what kind of tactic might be successful.

Once they’ve decided who to impersonate, they need a way to send mail that appears to come from that person. There are three common routes: compromise the person's actual mailbox (for example through a credential-phishing email), spoof the From address outright where the target's domain does not enforce email authentication, or register a lookalike domain (examp1e.com in place of example.com) that passes a casual glance.

The final step is to use that account or address to elicit a wire transfer or some other favorable response. Potential targets include employees, customers, and suppliers.

Who Is Targeted by BEC Scams?

A BEC scam can happen to just about any business. While attacks on large businesses have the potential to be more profitable, attacks on smaller businesses are generally easier to carry out.

Provided a business is successful enough for cash to be moving in and out each month, the threat of a BEC is very much real.

Examples of BEC Scams

There are a number of different BEC scams. Most, however, will fall into at least one of the following categories.

CEO Fraud

This type of BEC scam involves an attacker impersonating a business owner or CEO. The attacker will then contact somebody lower down in the company and demand that a wire transfer or other type of payment be made.

Account Compromise

BEC scams aren’t limited to high-level employees. Just about any employee can have their email account compromised and then used without their knowledge. Because such mail genuinely comes from the company's own domain, it passes every address check, and payment fraud can then be committed in the compromised business's name against its own customers and suppliers.

Bogus Invoices

A business can fall victim to a bogus invoice scam in two ways. They might receive such an invoice requesting payment from a supposed supplier. Or an employee email account might be used to send one to a customer with altered bank details. These attacks are most often targeted at businesses that operate globally.

Attorney Impersonation

Attackers pose as a lawyer or law firm handling a supposedly confidential and time-sensitive legal matter. The pretext gives them a reason both to request payment and to pressure the recipient into acting quickly, quietly, and without checking with colleagues.

Data Theft

Some BEC scams are designed to steal data rather than cash. The information stolen can then be sold on or used for everything from blackmail to additional BEC attacks.

How to Avoid BEC Scams


The perpetrators of BEC scams rely heavily on the fact that many businesses are either unaware of their existence or are completely unprepared for their occurrence.

Here are a few tips for ensuring that your business isn’t one of them.

  • Train employees: If an employee uses email as part of your business, they should be made aware of BEC scams. Training should also cover both phishing and social engineering.
  • Change how emails are handled: Establish protocols for the use of email. For example, handle attachments with care, check the sender's full address rather than just the display name, and when a message asks for something sensitive, start a fresh message to the person's address from your directory (or forward the message there) instead of replying. Replying sends your answer to whatever Reply-To address the message carries, which is exactly the part an attacker controls.
  • Use your own domain for business email: Free webmail accounts are convenient, but they are also ideal for someone who wants to start a BEC scam: anyone can register a plausible-looking address in your company's name, and your staff have no domain to check against.
  • Register similar domains: Register the obvious lookalikes of your own domain (common typos, alternative top-level domains) so that attackers cannot. This only narrows the field, since no one can register every variant, so it complements rather than replaces address checks. Separately, publish SPF, DKIM and DMARC records for your real domain so that mail claiming to come from your exact address can be rejected by recipients.
  • Don’t overshare: Avoid sharing unnecessary details about your business online. Many of the details required for a BEC attack can often be found on a company's social media page.
  • Use strong passwords and 2FA: A strict password policy and enforced two-factor authentication (2FA) make it much harder for an attacker to take over a business email account. Authenticator apps or hardware keys resist credential phishing better than SMS codes.
  • Use antivirus software: This is the easiest way to blunt the malware-based variants, since antivirus can catch keyloggers and some phishing payloads. It does nothing against a BEC email that carries no malware at all, which is the common case, so it is no substitute for the other measures.
  • Always verify payments: Make it a standard operating procedure to verify the details of wire transfers out of band before they happen. For example, require the requester or the supplier to confirm by phone, using a number from your own records rather than one in the email, and treat any change to a supplier's bank details as a request that must be confirmed the same way.
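As an added example (not code from the original article), here is a header-only check in Python that automates two of the tips above, checking the sender's address against your real domain and noticing when a reply would go somewhere other than the apparent sender, and that also catches the lookalike-domain trick described under "How Does a BEC Scam Work?". The company domain example.com, the executive directory entry and the three sample messages are all assumed or constructed for illustration.

```python
"""Added example, not from the original article: header-only checks for
three BEC tells: an executive's display name on a foreign address, a
lookalike sender domain, and a Reply-To that quietly redirects answers.

Assumed for illustration: the company's real domain is example.com and
"Jane Doe" is an executive. The sample messages below are constructed.
"""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                     # assumed legitimate domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # assumed directory entry

# Lookalike characters mapped to the ASCII letter they imitate, so that
# "examp1e.com" (digit one) normalises to "example.com" before comparison.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                            "а": "a", "е": "e", "о": "o", "р": "p", "с": "c"})


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute and
    swap of adjacent characters each cost 1, so 'exampel' is 1 from 'example'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def normalise(domain: str) -> str:
    """Lower-case, undo homoglyphs and the 'rn' -> 'm' / 'vv' -> 'w' tricks."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def is_lookalike(domain: str, target: str = COMPANY_DOMAIN) -> bool:
    """True for a domain that imitates target without being it or a subdomain of it."""
    domain = domain.lower()
    if domain == target or domain.endswith("." + target):
        return False
    norm = normalise(domain)
    if norm == target:                        # homoglyph substitution
        return True
    label, _, tld = norm.rpartition(".")
    tlabel, _, ttld = target.rpartition(".")
    if label == tlabel and tld != ttld:       # TLD swap: example.co, example.net
        return True
    if tlabel in label:                       # brand inside a longer name: example-payments.com
        return True
    return edit_distance(label, tlabel) == 1  # one typo, hyphen or transposition


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def bec_indicators(raw_message: str) -> list[str]:
    """Return the BEC indicators found in one message's From/Reply-To headers."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = domain_of(addr), domain_of(reply)
    findings = []
    known = EXECUTIVES.get(name.strip().lower())
    if known and addr.lower() != known:       # executive's name, someone else's address
        findings.append(f"display name '{name}' used with foreign address {addr}")
    for header, dom in (("From", from_dom), ("Reply-To", reply_dom)):
        if dom and is_lookalike(dom):
            findings.append(f"{header} domain {dom} is a lookalike of {COMPANY_DOMAIN}")
    if reply_dom and reply_dom != from_dom:   # replying would not reach the apparent sender
        findings.append(f"replies go to {reply} rather than the From domain {from_dom}")
    return findings


# Constructed sample messages (headers plus a one-line body; no real mail involved).
CEO_FRAUD = 'From: "Jane Doe" <jane.doe@examp1e.com>\nTo: accounts@example.com\nSubject: Urgent wire\n\nPlease pay today.'
REPLY_TO_HIJACK = 'From: "Jane Doe" <jane.doe@example.com>\nReply-To: jane.doe@exarnple.com\nSubject: Re: invoice\n\nUse the new account.'
GENUINE = 'From: "Jane Doe" <jane.doe@example.com>\nSubject: Lunch\n\nThursday?'

if __name__ == "__main__":
    for label, sample in (("CEO fraud", CEO_FRAUD), ("Reply-To hijack", REPLY_TO_HIJACK), ("genuine", GENUINE)):
        print(label, "->", bec_indicators(sample) or ["no indicators"])
```

Two things this deliberately does not cover, because headers alone cannot: mail that spoofs your exact domain (that is what SPF, DKIM and DMARC enforcement at the mail gateway is for) and mail sent from a genuinely compromised colleague's mailbox, which looks legitimate at every layer and is caught only by the out-of-band payment verification step.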

Protect Your Business From BEC Scams

As the frequency of BEC scams continues to rise, it’s becoming increasingly important for companies to recognize the threat that they pose. Any business, regardless of size, can fall victim to such an attack. And given the high average cost, it’s not something that most can afford to take lightly.

The steps taken to avoid such an attack are largely straightforward. And half the battle is simply knowing that such attacks can happen and that they do so frequently.