How to Protect Your Business Email From Being Compromised (BEC)

  • By Emmett
  • Jul 15, 2022

Business email compromise

Business email compromise or BEC, also known as email account compromise, can cost your business hundreds or thousands of dollars in lost revenue. Due to the essential role email plays in businesses of all sizes, this crime has become a significant priority for investigative agencies like the FBI. The best way to protect your business is to know the definition of the scam and learn its warning signs since both personal and private emails are at risk.

What is BEC?

Business Email Compromise (BEC) Definition: The criminal spoofing of a business or personal email address connected to a specific company to steal information or money.

A BEC scam will start as an email coming from what you believe is a trusted source, like a supervisor, coworker, or even a loved one. After gaining your trust, these scammers will attempt to retrieve login details or other information to gain privileged access to accounts or networks. People often see this in several forms, including:

  • Fake Links: BEC emails may contain a link claiming to redirect you to a website your company requires that you use. It could be the official website of your business, an internal intranet, or even a linked social media account. These spoofed sites include a login bar where you must enter your account details. Once entered, the criminals will take this information and impersonate you through whatever channels those credentials facilitate.
  • Malicious Downloads: Another common BEC tactic is for scammers to pretend to be a superior or coworker to get you to download malware. These malicious downloads allow cybercriminals to quickly infiltrate protected networks, falsify documents, and find further victims to contact. Malware can also open the door to higher-level spoofing scams, where criminals impersonate officers within a company who have access to higher-level accounts.
  • Spearphishing: By attempting emails to multiple victims within a single company, criminals will use spear phishing to try to net various sources of information all at once. The goal is to get company data, account details, or other sensitive information that can either be used for a ransomware scheme or to directly wire transfer money out of company accounts.

Due to the open-ended nature of spoofing and cybercrime, there are countless ways that a BEC scam can manifest itself within a business. By identifying the common signs and examples of this type of fraud, you can protect your company, coworkers, and yourselves from becoming victims.

Business Email Compromise Examples

There are five primary types of BEC fraud:

  • False Invoice
  • Account Compromise
  • Fake Legal Representation
  • CEO Impersonation
  • Data Targeting

Business email compromis prevention

Each BEC type has its own advantages and disadvantages for cybercriminals, and your business may encounter multiple versions depending on your industry, company size, and level of cybersecurity.

1. False Invoice

Many companies use suppliers overseas or 3rd party services where there is little in-person interaction between the business and the supplier. Since most of the payment and almost all invoicing is done online, it opens the company up to a BEC scam. By impersonating these foreign suppliers, scammers will send a false invoice tied to accounts they can access. Once the money is sent, they will withdraw the money, close the account, and erase as much evidence of their interactions as possible.

2. Account Compromise

The damage that can occur when an account becomes compromised depends on the employee's role within a company. If a lower-level staff member has their account hacked, scammers can only access any accounts or information that particular employee accessed. If a higher-level executive is hacked, on the other hand, scammers could get deep into a company's network. BEC fraud involving executives can also affect other companies your business works with, as the leaks contain contact information and sensitive account details connected to that account.

3. Fake Legal Representation

Many companies have legal representation in the case of litigation, but ones that don’t may be contacted regularly by attorneys or law firms looking to represent them. A BEC scammer impersonating a lawyer will usually target companies that have recently been the target of controversy, reaching out to see if they need any help dealing with whatever issues have arisen. Once they’ve convinced you they are trustworthy, they’ll use the supposed confidentiality associated with legal representation to gather privileged information. This can include financial data, client lists, supplier info, and many other details they can use to defraud your company.

4. CEO Impersonation

A common tactic BEC scammers use when targeting lower-level employees is CEO impersonation. This involves pretending to be a top-level executive during email communications and convincing a staff member they are communicating with the head of the company. Once the employee is convinced, the fake CEO will persuade them into sending money or information via email. One of the most frequently requested items is gift cards. A scammer will ask the employee to send them gift cards for some vaguely business-related purpose, which they can then use as a virtually untraceable form of currency. Unlike a credit card, getting refunded money from a gift card is much harder, even if it's determined the transaction was fraudulent.

5. Data Targeting

If a BEC scam targets a company's accounting or human resources department, they are almost always looking to harvest data. This data could relate to the financial accounts of the company, tax information of the employees, or personal data of the executives. Scammers use this information to either drain the bank accounts of the business or staff directly or hold the information ransom for a future fraud scheme.

What Should I Do If a BEC Scam Occurs?

If you have been the victim of a BEC scam, you should first report the incident to your company. They will help identify the information that is at risk and look at any accounts that could be affected. You should conduct a free identity threat scan if you believe your personal information has been leaked. These scans can help you see whether your data has been breached and whether or not you are at risk for identity theft.

About the Author
IDStrong Logo

Related Articles

How To Make Your IG Account Private

There are occasions when it makes more sense to have a private ig account. You might want to block ... Read More

Windows 10 Privacy Settings You Should Change Now

Privacy is a buzzword we hear a lot these days in the wake of data breaches, Wikileaks, and other ... Read More

How to Delete Your Facebook Account

It might seem absurd to some people who live on Facebook, deleting your Facebook account. But, man ... Read More

How to Change Network From Pubic to Private On Windows

Privacy has become a major concern for many of us after reading about all the data breaches, hacki ... Read More

Twitter Security and Privacy Settings Made Simple

With data breaches and ransomware intrusions in the news daily, privacy is the word on everyone’ ... Read More

Latest Articles

Misconfigured Database Spurs Theft of 63 Million OneMoreLead Records

Misconfigured Database Spurs Theft of 63 Million OneMoreLead Records

OneMoreLead, a business-to-business (B2B) marketing enterprise, suffered a significant data breach late last year. The marketing company left a database misconfigured, prompting the unintentional leaking of 63 million records. 

How to Prevent Data Loss from a Phone Scam

How to Prevent Data Loss from a Phone Scam

When you think of scams, you probably think of them as someone trying to trick you out of money. While data loss is typically not the primary goal of a scam, it can be the outcome.

UNM Health Data Breach

UNM Health Data Breach

The personal information of nearly 700,000 individuals was stolen in a data breach at the University of New Mexico Health. The data breach was revealed in the second half of 2021.

Featured Articles

How to Buy a House with Bad Credit

How to Buy a House with Bad Credit

Buying your own home is the American Dream, but it might seem out of reach to those with bad credit. However, the good news is, if your credit is less than perfect, you do still have options and in most cases, can still buy a home.

How Secure Is Your Password? Tips to Improve Your Password Security

How Secure Is Your Password? Tips to Improve Your Password Security

Any good IT article on computers and network security will address the importance of strong, secure passwords. However, the challenge of good passwords is that most people have a hard time remembering them, so they use simple or obvious ones that pose a security risk.

Top 10 Senior Scams and How to Prevent Them

Top 10 Senior Scams and How to Prevent Them

Senior scams are becoming a major epidemic for two reasons. First, seniors often have a lot of money in the bank from a life of working hard and saving.