What Is Business Email Compromise?

A paper airplane in front of a grey brick wall with a red "Overdue" stamp over the image.

Whether you’re a small business or part of a major enterprise, scammers hope you won’t question authority when it comes to paying the bills.

By Laura Harris

It’s called business email compromise, or BEC. And it usually starts with an email or text message from your boss.

Hey, I am about to board my flight. Tom at Brand Co. reached out to say they haven’t received last month’s payment. Please take care of this ASAP: <LINK>

I will be out of pocket the rest of the week at the Con. See you on the other side.

It’s a hectic message from your boss before he heads off to his keynote address at the convention on the other side of the country. Every day, he posts about it on LinkedIn, hyping up his network to take part in the annual industry convention that draws thousands from all over the world.

Your boss doesn’t usually handle anything related to invoices, unless they are the expensive ones. But he and the Brand Co. exec are golf buddies. He must’ve said something.

You start with the email. You make sure that everything is paid on time. Always. You hit reply and start to explain as much to your boss.

But then, you hesitate. Your boss is about to deliver a keynote at one of the most important events of the year. Maybe you shouldn’t bother him. The last thing he needs is pushback on an invoice, right? He might not even see it for days. The delay might cause more problems.

Perhaps just taking a look at the invoice will help. It’s only a few thousand dollars. Is it just easier to pay it now? Any double payment can be credited toward the future anyway. Then, you can tell your boss it’s done. He can enjoy his conference in peace, and Brand Co. will be satisfied.

Should you second-guess the message or yourself?

A. Pay the invoice if it looks legitimate
B. Reach out to your boss to confirm

When laid out like this and given time to consider it, most people might choose ‘B.’ However, in hectic, busy times, ‘A’ can be an easy, even automatic, answer. A problem solver might choose ‘A.’ Someone with initiative who is eager to demonstrate that they can handle any situation might choose ‘A.’ So might an assistant who hasn’t heard of the kind of phishing that starts with “ph.” Regardless of why, that’s what the scammers want to happen.

It’s Called Business Email Compromise, And It Can Happen to You

Also known as email account compromise (EAC), business email compromise is a targeted phishing scam. You may also see it referred to as spear phishing. The bad actor has researched their target (that’s you) and gathered details to manipulate you into paying a phony invoice or clicking a malicious link.

According to the FBI’s Annual Internet Crime Report 2024, BEC resulted in fraud losses of nearly $8.5 billion from 2022 to 2024. It is one of the most profitable cybercrimes and shows no sign of decreasing.

They do their research. BEC scammers have done their homework: They know you can get the bills paid. Your job title and company name on LinkedIn are enough to make you a prime target. They examine business and personal networks, organization structures, schedules, and more. Social media is one of the best sources of such information, since people tend to share it openly. They may also have accessed your company network to gather information. Thorough research helps scammers identify someone who wields authority — an executive, manager, or vendor — and then refine the impersonation.

They “spoof” the email address. The sender appears to be the person they’re impersonating. They count on you not verifying a message from someone you know, especially if that person has the authority to make such a request. Deepfakes and other easily exploited apps and technologies have both increased the number of fraudsters and made the scams easier to run. The tools are easy to access and use, even for the least-skilled baddie.

They create a sense of urgency. Whatever they’re asking you to do has a deadline. They don’t want you to do it tomorrow; they want you to do it before you have time to think about it.
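As an added illustration (not code from the article or its author), here is a small Python scorer that checks a raw email for the warning signs described above: an executive's display name on an outside address, a Reply-To that differs from the From address, a lookalike domain, and urgency or payment language. The internal domain, the executive name and the sample message are constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

# Added example, not the article's code; domain and names below are assumed.
INTERNAL_DOMAIN = "example-corp.com"
EXECUTIVES = {"sam boss"}  # display names an impersonator would borrow
URGENCY_CUES = ("asap", "urgent", "immediately", "right away", "today")
PAYMENT_CUES = ("invoice", "payment", "wire", "gift card", "bank details")

# Constructed sample: executive display name, a Reply-To on a lookalike
# domain, and the urgency and payment cues described in the article.
SUSPICIOUS_MAIL = """\
From: "Sam Boss" <sam.boss@example-corp.com>
Reply-To: "Sam Boss" <sam.boss@example-corp-mail.net>
To: assistant@example-corp.com
Subject: Overdue Brand Co. invoice

Hey, about to board my flight. Please take care of this payment ASAP.
"""

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def bec_indicators(raw_message: str) -> list[str]:
    """Return the BEC warning signs found in one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_domain, reply_domain = domain_of(from_addr), domain_of(reply_addr)
    body = msg.get_body(preferencelist=("plain",))
    text = f"{msg.get('Subject', '')} {body.get_content() if body else ''}".lower()
    flags = []
    if from_name.lower() in EXECUTIVES and from_domain != INTERNAL_DOMAIN:
        flags.append("executive display name on an external address")
    if reply_addr and reply_domain != from_domain:
        flags.append("Reply-To domain differs from From domain")
    for dom in {from_domain, reply_domain} - {INTERNAL_DOMAIN, ""}:
        if INTERNAL_DOMAIN.split(".")[0] in dom:  # e.g. example-corp-mail.net
            flags.append(f"lookalike domain: {dom}")
    if any(cue in text for cue in URGENCY_CUES):
        flags.append("urgency language")
    if any(cue in text for cue in PAYMENT_CUES):
        flags.append("payment or invoice request")
    return flags  # two or more: confirm with the sender by a known phone number
```

The sample message trips four of the five checks; a routine internal note from the same sender trips none, which is the contrast a mailbox rule or awareness demo would show.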

Different Flavors of Business Email Compromise

Despite the name, it’s not always tied to a business transaction. Other examples of the scam include:

  • One of your existing vendors sends an invoice with an updated mailing address.

  • A manager asks you to purchase dozens of gift cards to send out as employee rewards. She asks you to send her the serial numbers so she can email them out right away.

  • A title company sends a homebuyer instructions to wire a down payment.

What Should You Do?

The FBI advises: Check, Call, Wait

You can’t stop the scammers from making their attempts. That leaves education as your first line of defense.

Replying to the message to ask a question only continues contact with the suspected scammer and helps them confirm that they targeted the right person. If in doubt about a request like this, reach out to the sender using known means of contact:

  • Call their office or mobile number directly using a confirmed number

  • Start a new email using a confirmed address from your address book, not the one in the email

  • If possible, walk to another office or department to see someone in person

Fraudsters are relying on a fast-paced, hectic world of quick replies and rubber-stamping approvals. Taking the time to investigate a request, examine an invoice, or reach out to a contact to verify information isn’t extra work or wasted time; it’s due diligence.
