Business email compromise (BEC) defined:

Business email compromise (BEC) is a type of cybercrime in which the scammer uses email to trick someone into sending money or divulging confidential company information. The culprit poses as a trusted figure, then asks for a fake bill to be paid or for sensitive data they can use in another scam. BEC scams are on the rise due to increased remote work—there were nearly 20,000 BEC complaints to the FBI last year. Email is the starting point for 91% of cyberattacks. Dubbed by the FBI as the $26 billion scam, BEC attacks come with an average cost of $5 million per breach according to the 2021 IBM Cost of Data Breach Report.

If a business email compromise attack is successful, your organization could:

  • Lose hundreds of thousands to millions of dollars.
  • Face widespread identity theft if personally identifiable information is stolen.
  • Accidentally leak confidential data like intellectual property.

As BEC schemes evolve, so do threat protection strategies. In fact, Microsoft blocked 32 billion email threats last year.



How do BEC scams work?

In a BEC scam, the attacker poses as someone the recipient should trust—typically a colleague, boss, or vendor. The sender asks the recipient to make a wire transfer, divert payroll, change banking details for future payments and so on.

BEC attacks are difficult to detect because they don’t use malware or malicious URLs that can be analyzed with standard cyber defenses. Instead, BEC attacks rely on impersonation and other social engineering techniques to trick people into acting on the attacker’s behalf.

Because of their targeted nature and use of social engineering, manually investigating and remediating these attacks is difficult and time consuming.

Because BEC attacks focus on human frailty rather than technical vulnerabilities, they require a people-centric defense that can prevent, detect, and respond to a wide range of BEC techniques.


Types of business email compromise scams

The FBI defines 5 major types of BEC scams:

  • Data theft

Sometimes scammers start by targeting the HR department and stealing company information like someone’s schedule or personal phone number. Then it’s easier to carry out one of the other BEC scams and make it seem more believable.

  • False invoice scheme

Posing as a legitimate vendor your company works with, the scammer emails a fake bill—often closely resembling a real one. The account number might only be one digit off. Or they may ask you to pay a different bank, claiming your bank is being audited.

  • CEO fraud

Scammers either spoof or hack into a CEO’s email account, then email employees instructions to make a purchase or send money via wire transfer. The scammer might even ask an employee to purchase gift cards, then request photos of serial numbers.

  • Lawyer impersonation

In this scam, attackers gain unauthorized access to an email account at a law firm. Then they email clients an invoice or link to pay online. The email address is legitimate, but the bank account isn’t.

  • Account compromise

Scammers use phishing or malware to get access to a finance employee’s email account, such as an accounts receivable manager. Then the scammer emails the company’s suppliers fake invoices that request payment to a fraudulent bank account.
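The sections above explain why BEC is hard to catch with malware- or URL-based controls and describe the tell-tale patterns of the main scam types (an executive's name on an outside address, a reply-to that points elsewhere, a vendor domain that is one character off, payment or urgency language). The following triage script is an added example, not code from the original article or from any vendor it mentions: it scores constructed sample messages against those patterns. The home domain `example.com`, the executive list, the trusted vendor domain and the sample messages are all hypothetical, and the heuristics are a triage aid for a security team, not a substitute for verifying payment changes out of band.

```python
"""Heuristic BEC triage over email headers and text (added example).

Assumptions (not from the article): our domain is example.com, one known
executive, one trusted vendor domain, and three constructed sample messages.
"""
import re
from difflib import SequenceMatcher

OUR_DOMAIN = "example.com"                          # hypothetical home domain
TRUSTED_VENDOR_DOMAINS = {"quanta-supplies.example"}  # hypothetical vendor
EXECUTIVES = {"jane doe": "jane.doe@example.com"}     # hypothetical executive

# Phrases typical of payment-diversion and CEO-fraud requests.
PAYMENT_TERMS = re.compile(
    r"\b(?:wire transfer|gift cards?|new bank(?:ing)? details|updated account|"
    r"change (?:of|our) bank|urgent|confidential|payroll)\b",
    re.IGNORECASE,
)


def domain_of(address):
    """Lower-cased domain of 'Name <user@dom>' or a bare 'user@dom'."""
    m = re.search(r"<([^>]+)>", address)
    addr = m.group(1) if m else address
    return addr.rsplit("@", 1)[-1].strip().lower()


def display_name_of(address):
    """Lower-cased display name, or '' when the header has none."""
    m = re.match(r'\s*"?([^"<]+?)"?\s*<', address)
    return m.group(1).strip().lower() if m else ""


def is_lookalike(domain, reference):
    """True when domain closely resembles, but is not, a trusted domain."""
    if domain == reference:
        return False
    return SequenceMatcher(None, domain, reference).ratio() >= 0.85


def score_message(msg):
    """Return (score, reasons) for one message dict with from/reply_to/subject/body."""
    reasons = []
    sender_dom = domain_of(msg["from"])
    name = display_name_of(msg["from"])

    # 1. Executive display name, but the address is outside our domain.
    if name in EXECUTIVES and sender_dom != OUR_DOMAIN:
        reasons.append("executive display name from external domain")

    # 2. Reply-To steers replies to a domain other than the sender's.
    reply_to = msg.get("reply_to")
    if reply_to and domain_of(reply_to) != sender_dom:
        reasons.append("reply-to domain differs from sender domain")

    # 3. Sender domain is a near-miss of our domain or a trusted vendor.
    for ref in sorted({OUR_DOMAIN, *TRUSTED_VENDOR_DOMAINS}):
        if is_lookalike(sender_dom, ref):
            reasons.append(f"lookalike of {ref}")

    # 4. Payment-diversion or urgency language in subject or body.
    text = msg.get("subject", "") + " " + msg.get("body", "")
    hits = sorted({m.group(0).lower() for m in PAYMENT_TERMS.finditer(text)})
    if hits:
        reasons.append("payment/urgency language: " + ", ".join(hits))

    return len(reasons), reasons


def triage(messages):
    """Rank messages by score, highest first: list of (id, score, reasons)."""
    ranked = [(m["id"], *score_message(m)) for m in messages]
    return sorted(ranked, key=lambda r: r[1], reverse=True)


# Constructed sample messages (not real mail).
SAMPLES = [
    {"id": "legit-internal",
     "from": "Jane Doe <jane.doe@example.com>",
     "subject": "Q3 planning", "body": "Let's meet Thursday."},
    {"id": "ceo-fraud",
     "from": "Jane Doe <jane.doe@gmail-mail.test>",
     "reply_to": "jdoe.ceo@outlook-mail.test",
     "subject": "Urgent request",
     "body": "I need you to buy gift cards today and send me the codes. "
             "Keep this confidential."},
    {"id": "false-invoice",
     "from": "Billing <ar@quanta-supp1ies.example>",
     "subject": "Invoice 4471",
     "body": "Please note our new bank details for this payment."},
]

if __name__ == "__main__":
    for msg_id, score, reasons in triage(SAMPLES):
        print(f"{msg_id:15s} score={score} {reasons}")
```

The ranking puts the CEO-fraud sample first (three indicators) and the lookalike vendor invoice second (two), while the genuine internal note scores zero. In practice the same checks can be fed from mail-gateway logs, and any message that trips the lookalike or bank-details rules should route to a human who confirms the change with the vendor on a previously known phone number.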


Who do BEC attacks typically target?

Anyone can be the target of a BEC scam. Businesses, governments, nonprofits, and schools are all targeted, and these roles in particular:

  • Executives and leaders, because details about them are often publicly available on the company website, so attackers can pretend to know them.
  • Finance employees like controllers and accounts payable staff who have banking details, payment methods, and account numbers.
  • HR managers with employee records like social security numbers, tax statements, contact info, and schedules.
  • New or entry-level employees who won’t be able to verify an email’s legitimacy with the sender.

Recorded business email compromise (BEC) attacks increased by more than 81% during 2022 and by 175% over the past two years, with open rates on malicious emails also surging, according to Abnormal Security.

It found the median open rate for text-based BEC emails during the second half of 2022 was 28%. More worrying still, it revealed that 15% of read malicious emails were replied to by corporate employees.

Employees at all levels of an organization engage with BEC emails, but 78% of entry-level sales staff read and replied to these malicious missives, the report found.

Abnormal Security also revealed a concerning lack of reporting to security teams: just 2% of known attacks were flagged.

BEC attacks increasingly target smaller companies. The report noted a 145% increase in malicious emails aimed at SMB inboxes.


Let’s look at a real-life example:

Facebook and Google: $121m BEC scam

Considered to be one of the biggest BEC scams to date, this elaborate BEC attack resulted in $121 million in collective losses for both tech giants. The attack occurred between 2013 and 2015, and its perpetrator, Evaldas Rimasauskas, was sentenced to five years in prison. The attack itself is a typical False Invoice Scheme: the attackers set up a fake company bearing the name of a real hardware supplier, Quanta Computer, then presented the two tech companies with convincing invoices and counterfeit lawyers’ letters and contracts to ensure that once the funds were paid, the bank would accept the stolen capital.

This is probably one of the most important BEC attacks to date because it teaches us a valuable lesson – if two of the world’s biggest tech companies lost millions of dollars over a two-year period, it could happen to any business. It could happen to you!


Diving deeper into the numbers:

First discussed in the 2015 Internet Crime Report, business email compromise (BEC) was the leading cause of financial losses for seven straight years. And while it was dethroned by investment fraud in the most recent report, these attacks were still responsible for $2.7 billion in total losses in 2022—a year-over-year increase of 14.5%.

The FBI IC3 identified $51 billion in exposed losses due to business email compromise from 2013 to 2022—an increase from previous estimations.

The American public submitted 791,790 complaints in 2020, a 69% increase from 2019. (Source: FBI) In 2020, BEC scammers made over $1.8 billion, more than any other type of cybercrime.

Over the past five years, losses from BEC attacks have more than doubled, growing by a staggering 111% between 2018 and 2022. And in the eight years since the FBI IC3 began reporting on BEC, total losses have risen by more than 10x.

Additionally, the average amount lost per BEC attack was higher in 2022, at just over $125,600—a 300% increase since 2015.


Phishing is Once Again the Most Common Cybercrime

In terms of total losses, phishing falls squarely in the bottom third of all attack types tracked by the IC3. However, what organizations must remember is that phishing is frequently just the first step in a variety of crimes.

Its success as a “foot in the door” tactic is likely why phishing has been the most common cybercrime reported to the IC3 since 2019.

And as threat actors have continually found new ways to make phishing attacks more convincing, the number of victims has steadily increased since 2019, only slightly declining between 2021 and 2022.


Reacting to a Fraudulent Transfer

If an employee at your organization has already fallen for a BEC scam, responding quickly is the best action. Start by contacting your financial institution to stop payments or recall funds.

The FBI also recommends that victims file a complaint with the IC3. Providing the FBI with the information it needs assists law enforcement in possible recovery efforts and helps the bureau track threat trends over time.


The answer to all of this?

  • Beware of phishing emails.
  • Use anti-virus protection & a firewall.
  • Use strong passwords & a password management tool.
  • Keep your software up to date.
  • Exercise caution on social media.
  • Avoid browsing questionable websites.
  • Only download content from legitimate or reputable sources.
  • Use Two-Factor or Multi-Factor Authentication.

While IT security hardening is vital for any size of business, employee education and training are invaluable for reducing the chance of a cyber incident happening in the first place. Of course, nobody wants to fall victim to cybercrooks. Defend your business with Impress to avoid becoming another statistic.

