Business Email Compromise (BEC) Scams

A scammer might

• Spoof an email account or website. Slight variations on legitimate addresses ([email protected] vs. [email protected]) fool victims into thinking fake accounts are authentic.
• Send spearphishing emails. These messages look like they’re from a trusted sender to trick victims into revealing confidential information. That information lets criminals access company accounts, calendars, and data that gives them the details they need to carry out the BEC schemes (CEO Fraud, Employee Account Compromise, Man-In-The-Email Scam, Bogus Invoice Scheme).
• Use malware. Malicious software can infiltrate company networks and gain access to legitimate email threads about billing and invoices. That information is used to time requests or send messages, so accountants or financial officers don’t question payment requests. Malware also lets criminals gain undetected access to a victim’s data, including passwords and financial account information. Criminals then use the victim’s stolen information to e-mail fraudulent wire transfer instructions to the financial institution in a manner appearing to be from the victim. To this end, criminals will use either the victim’s actual e-mail account they now control or create a fake e-mail account resembling the victim’s e-mail.
• Trick the victim’s employee or financial institution into conducting wire transfers that appear legitimate but are, in fact, unauthorized. The fraudulent transaction instructions direct the wire transfers to the criminals’ domestic or foreign bank accounts. Banks in Asia—particularly in China and Hong Kong—are common destinations for these fraudulent transactions.
• Directly submit fraudulent transaction instructions to the company’s financial institution by impersonating company employees through e-mails and documentation related to the requested transfer.
• Mislead a company employee into submitting fraudulent transaction instructions to the company’s financial institution by impersonating a supplier or a company executive to authorize or order payment through seemingly legitimate internal e-mails.

What to look for

• E-mailed transaction instructions direct payment to a known beneficiary; however, the beneficiary’s account information is different from what was previously used.
• E-mailed transaction instructions include markings, assertions, or language designating the transaction request as “Urgent,” “Secret,” or “Confidential” or unusual rationale for urgency such as “tax avoidance,” “jurisdictional regulations,” etc.
• Emails and phone calls to employees with requests for their account username and/or password
• An email address that has slight variations from the legitimate address (e.g., [email protected] instead of [email protected]).
• Unusual requests from a supplier to make a wire transfer (e.g., requests to bypass normal payment procedures or to only communicate by email).
• Check and double-check the owner of the email address. You can easily do this by clicking on the email address in the email header to identify the sender (e.g., the sender looks like [email protected], however when you click on the email it looks like [email protected]).

What you can do

• Is your vendor or their point-of-contact new? If new, how did they learn about your business?
• If instructions are received by email or text, call the vendor directly on a known number and confirm the change. Do not use any new phone numbers given in the email or text communication.
• Did the vendor express urgency in request or provide only a specific window of availability for contact? 

Educate yourself and your employees on this kind of scam, as no business is immune. Fraudsters consider themselves opportunists and will not hesitate to exploit a weakness when found. 

How to report

If you or your business fall victim to a BEC scam, it’s important to act quickly:

• If you discover you are the victim of a fraud incident, immediately contact your financial institution to request a recall of funds.
• Next, contact your local FBI field office to report the crime.
• Regardless of the amount lost, file a complaint with www.ic3.gov or, for BEC/EAC victims, BEC.ic3.gov, as soon as possible.