Protect your business from BEC scams

According to the Federal Bureau of Investigation (FBI), Business Email Compromise (BEC) scams have cost businesses over $26 billion in the past few years. These scams are highly sophisticated and target employees at all levels, aiming to syphon money or sensitive information from companies. The impact of these scams is not limited to direct financial losses; they can also damage a company’s reputation, disrupt operations, and erode the trust between employees and management.

Understanding how to identify, prevent, and respond to these scams is essential for anyone who works in a business environment.

This article will take you through the methods scammers use, the psychology behind these scams, and, most importantly, how to spot a BEC scam before it compromises your business or personal information.

The BEC scam

A Business Email Compromise scam is a type of cyberattack in which a scammer gains access to or impersonates a trusted email account. The goal is to deceive someone in an organisation into performing actions such as transferring funds or disclosing sensitive information.

Unlike typical phishing emails, which may target anyone, BEC scams are highly targeted and often involve significant amounts of money. These attacks are not random but are instead the result of careful planning and research, where attackers gather detailed information about the company and its personnel.

BEC scams can take various forms, such as CEO fraud, account compromise, false invoice schemes, attorney impersonation, and data theft. These scams rely heavily on psychological manipulation. Unlike many other cybercrimes, BEC scams do not usually rely on malware or other technical exploits.

Instead, they use social engineering techniques to trick individuals into performing actions they believe are legitimate. They mimic trusted relationships, use a sense of urgency to force immediate action, and exploit hierarchical authority, making recipients less likely to question requests from superiors.

The impersonation techniques used in BEC scams are often extremely convincing. Attackers may spoof email addresses, create fake websites, and even use language that mirrors the company culture. They use public sources like social media and company websites to understand the roles and responsibilities of key personnel, allowing them to craft highly tailored attacks that seem plausible. The careful attention to detail is what makes these scams effective and so difficult to spot.

One of the primary tactics used in BEC scams is creating a false sense of urgency. This approach exploits a natural human reaction: the tendency to comply quickly when under pressure. A BEC scam email often appears to come from someone in a position of authority, such as a CEO or a director, and demands immediate action, such as transferring funds or sharing sensitive information.

Ronnie Tokazowski, a well-known security researcher, notes that scammers rely on creating a deregulated emotional state, which makes it difficult for the victim to think critically. When a person feels pressured or stressed, they are more likely to bypass their usual cautious behaviour, which is exactly what scammers count on.

Beware of isolation tactics

Scammers also employ social engineering techniques that isolate you from colleagues. They may include phrases such as, “Keep this between us” or “This is confidential.” These phrases are designed to prevent you from seeking a second opinion. If an email urges you to keep something secret, that’s a red flag. The isolation tactic is used to make the victim feel that they are handling a sensitive matter and that involving others could be detrimental or embarrassing.

Isolation is a powerful tool because it reduces the chances of the victim cross-checking information, which could expose the scam. In a busy work environment, employees might not want to bother their superior or colleague with questions, especially if the email makes it seem like they should know what to do. By making the recipient feel like they are part of an exclusive communication, scammers manipulate them into complying without verification.

Even if an email seems urgent, you should always verify its authenticity using a separate communication channel. This might mean calling the person who supposedly sent the email or sending them a message on a verified internal communication tool like Slack or Microsoft Teams. Do not rely on the contact information provided in the email itself, as scammers often include phone numbers that they control. Verification might feel like a hassle in a fast-paced work environment, but it is a critical step that can prevent costly mistakes.

Always use contact information that you know to be genuine. If an email claims to be from your company’s CEO asking for a wire transfer, take a moment to call the CEO’s assistant or use a known phone number to confirm. The extra step of making a phone call or sending a message can mean the difference between falling for a scam and preventing one. Be especially suspicious if the email contains warnings not to verify the request with others or to keep it confidential.

Another effective way to spot a BEC scam is to carefully check the email address from which the request was sent. Scammers often use email addresses that look almost identical to legitimate ones. Look for subtle changes like a single letter or number. Also, check the domain to ensure it is correct and try clicking “Reply” to see if the email address in the “To” field changes to something different. These small details can often reveal a scam attempt.

Additionally, attackers sometimes register domains that are visually similar to legitimate ones. For example, they may replace an “m” with “rn” or use a domain ending like “.co” instead of “.com”. These slight modifications are designed to go unnoticed by busy employees who may be skimming through their emails. Carefully inspecting the domain can prevent these look-alike domains from fooling you.
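The look-alike checks described above (a swapped domain ending, "rn" read as "m", a single changed character) can be automated against the organisation's own domain list. This is an added example, not code from the article; the trusted domain and the homoglyph table are constructed assumptions, and the check only handles single-label endings such as .com or .co.

```python
from email.utils import parseaddr

# Constructed assumption: the domains this organisation legitimately sends mail from.
TRUSTED_DOMAINS = {"examplecorp.com"}

# Character sequences that read alike in many fonts: (what the attacker types, what the eye sees).
# Both the trusted name and the candidate are folded, so the mapping only has to be consistent.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("l", "i")]


def fold_homoglyphs(label: str) -> str:
    """Collapse look-alike sequences so 'exarnplecorp' and 'examplecorp' fold to the same string."""
    for typed, read in HOMOGLYPHS:
        label = label.replace(typed, read)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character inserts, deletes or substitutions from a to b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender_domain(domain: str) -> str:
    """Return 'trusted', 'unrelated', or 'lookalike:<reason>' for one sender domain."""
    domain = domain.lower().strip()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    name, _, tld = domain.rpartition(".")  # assumes a single-label ending such as .com or .co
    for trusted in TRUSTED_DOMAINS:
        tname, _, ttld = trusted.rpartition(".")
        if name == tname and tld != ttld:
            return "lookalike:tld-swap"        # examplecorp.co instead of examplecorp.com
        if fold_homoglyphs(name) == fold_homoglyphs(tname):
            return "lookalike:homoglyph"       # exarnplecorp.com or examp1ecorp.com
        if edit_distance(name, tname) == 1:
            return "lookalike:one-char-edit"   # examplecorps.com, one letter added
    return "unrelated"


def check_sender(from_header: str) -> str:
    """Classify the domain of a From: header value such as 'Jane Doe <ceo@exarnplecorp.com>'."""
    _, addr = parseaddr(from_header)
    return classify_sender_domain(addr.rpartition("@")[2])
```

The folding is deliberately coarse: it trades a few false positives on unrelated names for catching the substitutions busy readers skim past, so treat a "lookalike" verdict as a prompt to verify out of band, not as proof of fraud.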

Follow proper verification protocols

One of the most effective ways to protect yourself and your organisation from BEC scams is to follow established protocols for authorising payments and sharing sensitive information. Organisations should have standard procedures for making payments, and sensitive transactions should require multiple levels of approval. If you receive an email asking you to bypass these procedures, it should raise suspicion.

Proper protocols are designed to prevent exactly this type of fraudulent activity. Even when requests come from high-ranking officials, employees should follow verification procedures without exception. Hierarchical authority is often exploited in BEC scams, with attackers pretending to be someone with enough power to push people into bypassing standard safety measures. To combat this, companies need to establish clear guidelines that payments or sensitive actions cannot be authorised based on a single email.

In addition to manual verification, there are several technical measures you can use to check the legitimacy of an email. Inspecting email headers can provide clues as to whether an email is genuine. Headers contain metadata about the email, such as the servers it passed through. If an email that claims to be internal has headers showing that it originated from an external server, this is a major red flag.

Many organisations employ anti-phishing software that can identify and block BEC attempts. Employees should be aware of the tools available to them and should not hesitate to use them when in doubt. Companies can also use DMARC (Domain-based Message Authentication, Reporting, and Conformance), SPF (Sender Policy Framework), and DKIM (DomainKeys Identified Mail) to verify that emails sent from their domains are legitimate. These tools authenticate the source of emails and can help prevent spoofed emails from reaching employees’ inboxes.
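The header checks from the two paragraphs above (a Reply-To that differs from the displayed sender, an "internal" message whose first hop was an outside server, and failing SPF/DKIM/DMARC verdicts) can be run over a raw message with Python's standard email parser. This is an added example, not code from the article; the internal domain, the mail-server names and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "examplecorp.com"                                   # assumption: the organisation's domain
INTERNAL_MAIL_HOSTS = ("mail.examplecorp.com", "mx1.examplecorp.com")  # assumption: its real mail servers

# Constructed message: From: claims to be the CEO, but the first hop, the Reply-To and the
# gateway's Authentication-Results all say otherwise.
SAMPLE_EMAIL = """\
Received: from mx1.examplecorp.com (mx1.examplecorp.com [192.0.2.10]) by inbox.examplecorp.com
Received: from smtp.freemail.example (smtp.freemail.example [198.51.100.7]) by mx1.examplecorp.com
Authentication-Results: mx1.examplecorp.com; spf=fail smtp.mailfrom=examplecorp.com; dkim=none; dmarc=fail header.from=examplecorp.com
From: "CEO" <ceo@examplecorp.com>
Reply-To: <ceo.urgent@freemail.example>
To: <accounts@examplecorp.com>
Subject: Urgent wire - keep this between us

Please process the transfer today and do not discuss it with anyone.
"""


def bec_red_flags(raw: str) -> list[str]:
    """Return the header-level red flags found in one raw RFC 5322 message (empty list if none)."""
    msg = message_from_string(raw)
    flags = []
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()

    # 1. A Reply-To pointing elsewhere is what "click Reply and watch the To field" reveals.
    if reply_domain and reply_domain != from_domain:
        flags.append(f"reply-to domain {reply_domain} differs from from domain {from_domain}")

    # 2. Each hop prepends a Received: header, so the last one is the first hop (the origin).
    received = msg.get_all("Received", [])
    if received and from_domain == INTERNAL_DOMAIN:
        origin = re.match(r"from\s+(\S+)", received[-1])
        host = origin.group(1).lower() if origin else "?"
        if host not in INTERNAL_MAIL_HOSTS and not host.endswith("." + INTERNAL_DOMAIN):
            flags.append(f"claims internal sender but first hop was {host}")

    # 3. SPF/DKIM/DMARC verdicts as recorded by the receiving gateway. Only trust this header
    #    when your own gateway strips any copy the sender supplied and writes its own.
    auth = msg.get("Authentication-Results", "")
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1).lower() != "pass":
            flags.append(f"{mech}={m.group(1)}")
    return flags
```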

Open communication culture

Regular training can help employees recognise potential scams before they cause harm. One of the best ways to train employees is through simulated phishing attacks. By simulating what a BEC scam might look like, employees can learn in a safe environment what red flags to look for. These exercises help employees understand the evolving tactics used by attackers and make them more cautious when handling suspicious emails.

Cyber threats evolve, and so should your employees’ knowledge. Interactive workshops, newsletters with examples of recent scams, and mandatory e-learning modules are all effective ways to keep security awareness fresh in employees’ minds. The goal is to cultivate an instinctive scepticism towards unsolicited requests.

A culture of open communication can also significantly reduce the chances of a successful BEC scam. Employees should feel comfortable reaching out if they suspect something is wrong.

Ronnie Tokazowski suggests that skip-level meetings—where a senior leader meets with a junior employee without their direct manager—can help strengthen communication between employees and management. Companies should also ensure there are no repercussions for reporting suspicions, even if they turn out to be false alarms.

In an open communication culture, employees are more likely to verify unusual requests, even if they come from higher-ups. When employees fear repercussions or judgement, they are more inclined to comply without question. Encouraging employees to seek clarification and rewarding vigilance helps in creating an environment where questioning is valued as a security measure rather than frowned upon.

Security measures

Executives and other leaders need to be aware that their behaviour can either mitigate or exacerbate the risk of BEC scams. Leaders should avoid making unusual requests, especially via email, because a habit of out-of-process email requests makes it easier for scammers to impersonate them convincingly. Whenever possible, executives should stick to official channels and established procedures.

Implementing Multi-Factor Authentication (MFA) for email accounts can prevent scammers from gaining access even if they manage to obtain someone’s password. MFA adds an extra layer of security by requiring a second form of verification, such as a code sent to a phone. This additional layer makes it significantly harder for attackers to compromise accounts and impersonate executives.

Leaders should also be transparent about any scams that affect the company. This can reduce the stigma of falling for scams and encourage employees to be vigilant in the future. Setting up a payment verification process, such as requiring two sign-offs for all payments above a certain threshold, can prevent unauthorised transactions. Watching for red flags in email content, such as grammar and spelling errors, unusual formatting, or generic language, can also help in identifying scams.

It is also essential for leaders to model good security behaviours. If employees see that their leaders are vigilant—always verifying requests, following protocols, and using secure communication channels—they will be more likely to emulate these behaviours. Leadership plays a pivotal role in establishing a strong culture of cybersecurity, and their actions can set the tone for the entire organisation.
