Business email compromise (BEC) scams are a type of fraud in which attackers gain access to an email account belonging to an individual who has control over financials and use it to scam the company or its clients out of money.
In a typical BEC scam, the attacker first gains access to an email account by using phishing or social engineering tactics, such as tricking the victim into entering their email credentials on a fake login page or sending an email with a malicious attachment that installs malware on their computer.
Once the attacker has access to the victim's email account, they can use it to send emails to employees, suppliers, or customers posing as the victim. These emails often request urgent wire transfers to a fraudulent account controlled by the attacker.
BEC scams can be very sophisticated, involving careful research of the victim's business and the use of convincing language and professional-looking emails to make the request seem legitimate. The losses from these scams can be substantial, with businesses and individuals losing millions of dollars each year.
BEC Scam Example 1
Imagine that you are the CFO of a large manufacturing company, and one day you receive an email from your CEO who is currently traveling overseas. The email appears to come from your CEO's usual email address, and the tone and language used in the email seem authentic.
In the email, the CEO informs you that there is an urgent need to transfer a large sum of money to a supplier located in a foreign country. The email contains all the relevant details of the transfer, including the beneficiary's name, bank name, and account number. The email also requests that the transfer be processed immediately to avoid any delays.
You follow the instructions in the email and initiate the wire transfer to the foreign bank account. A few days later, you realize that the email was not from your CEO, and that the bank account you transferred the money to was not the supplier's account but a fraudulent one.
In this scenario, the attacker had gained access to your CEO's email account and used it to send a fraudulent email to you, posing as your CEO and requesting the transfer of funds to a fraudulent account. The attacker had used social engineering tactics and impersonation to make the email seem authentic, and the urgency in the email had made you act quickly without verifying the request. The attacker had then collected the payment through the fraudulent bank account, leaving your company in a vulnerable financial situation.
BEC Scam Example 2
Let's say that you are the CEO of a small business that sells electronic goods. One day, you receive an email from someone who appears to be your long-time supplier, asking you to wire payment for a large order that was just placed. The email seems to be from the same email address you have been communicating with for years, and the tone and language of the email seem authentic.
The email contains all the details of the order and the supplier's bank account for the wire transfer, which is different from the one you previously used to send money. The supplier explains that they recently changed their bank, and that the money is to be sent to a new bank account instead of the one that was used before. The email also includes a sense of urgency, stating that the supplier needs the payment to be made by the end of the day to avoid any delays in the shipment.
You quickly wire the payment to the account provided in the email, thinking that you are helping out your trusted supplier. However, a few days later, you receive another email from your real supplier asking about the payment for the order. You realize then that you have fallen victim to a BEC scam.
In this scenario, the attacker had gained access to your supplier's email account and used it to send a fraudulent email to you, posing as your supplier and requesting payment for an order that was placed just before the scam occurred. The attacker then collected the payment through a fraudulent bank account and disappeared with the money.
How do BEC Scammers gain access to someone's email account?
BEC scammers use various methods to gain access to someone's email account. Here are some common techniques:
- Phishing: Scammers may send phishing emails that look like legitimate emails from a trusted source, such as a bank or email provider. These emails usually contain a link to a fake login page that is designed to steal the victim's login credentials.
- Social engineering: Scammers may use social engineering tactics to trick the victim into revealing their login credentials. This could involve posing as a trusted authority figure, such as a boss or IT administrator, and requesting the victim's login information.
- Malware: Scammers may use malware, such as keyloggers or spyware, to capture the victim's login credentials or gain access to their email account without their knowledge. There are also malware programs that silently forward the victim's email messages to the scammers. These types of malware are often referred to as email forwarding or email stealing malware.
- Password reuse and weak passwords: Scammers may take advantage of the fact that many people reuse the same password across multiple accounts. They may obtain a victim's password from a data breach or by guessing it, and then use it to gain access to the victim's email account.
Once the scammers have gained access to a victim's email account, they can use it to send fraudulent emails, request wire transfers, or access other sensitive information. To prevent BEC scams, it's important to use strong, unique passwords, enable two-factor authentication, and be cautious of suspicious emails or requests.
Beware of an Email Forwarding Malware
With many alert users utilizing 2FA and other security measures, stealing login credentials alone does not always allow scammers to gain access to the victim's email account. An alternative method commonly used to eavesdrop on someone's email is to install email forwarding malware on the victim's computer.
Email forwarding malware is typically installed through phishing or other means of social engineering. Once installed, the malware can monitor the victim's email account for incoming and outgoing messages and forward them to the attacker's email address without the victim's knowledge.
Email stealing malware works in a similar way, but instead of forwarding the victim's email messages to the attacker, it copies and stores them on the victim's computer or a remote server controlled by the attacker.
These types of malware are often used in conjunction with BEC scams to steal sensitive information such as login credentials, financial information, or other sensitive data. To prevent these types of attacks, it's important to use anti-malware software, keep your software up-to-date, and avoid clicking on links or downloading attachments from suspicious or unknown sources. You may use our unshorten URL tool to verify a suspicious link before clicking on it.
How do you prevent BEC Scams?
Here are some measures that can be taken to prevent BEC scams:
- Employee education and awareness: One of the best ways to prevent BEC scams is to educate employees about the risks associated with these types of security attacks. Employees should be made aware of the tactics used by attackers, including phishing, spear-phishing, and social engineering. They should also be trained on how to identify fraudulent emails and instructed to verify any suspicious requests with the purported sender through a different communication channel.
- Two-factor authentication: Two-factor authentication (2FA) is an effective way to prevent unauthorized access to email accounts. 2FA requires users to provide a second form of authentication, such as a code sent to a mobile device, biometric authentication, or a one-time code from an authenticator app, in addition to the password. This makes it more difficult for attackers to gain access to email accounts even if they have obtained the password through other means.
- Email filters and anti-malware software: Email filters can be used to block suspicious emails before they reach employees' inboxes. These filters can be configured to block emails from known fraudulent domains or emails containing suspicious content, such as requests for wire transfers or changes to payment instructions. Anti-malware software can also be used to scan emails and attachments for malware or other malicious content.
- Verification of payment requests: Employees should be instructed to verify any payment requests through a different communication channel before processing them. For example, if a request for a wire transfer is received via email, the employee should verify the request with the purported sender through a phone call to ensure that the request is legitimate.
- Vendor management: Companies should establish and maintain a vendor management program to ensure that vendors and suppliers are legitimate and that payment requests are properly authenticated. This program should include regular vendor audits, verification of payment instructions, and ongoing monitoring of vendor activities.
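The email-filter and payment-verification measures above, as an added example that is not from the original article: a small Python classifier that blocks mail from a blocklisted sender domain and holds any message containing a wire-transfer request or changed payment instructions until it is verified out of band. The blocklist domain and the sample message are constructed placeholders modelled on Example 2.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed placeholder for the "known fraudulent domains" list; not a real indicator.
BLOCKED_DOMAINS = {"payments-update.example"}

# Indicators taken from the article: wire-transfer requests, changed payment
# instructions, and pressure to act quickly.
INDICATORS = {
    "wire_transfer": [r"\bwire\s+transfer\b", r"\bwire\s+(the\s+)?(payment|funds|money)\b"],
    "payment_change": [r"\bnew\s+bank\s+account\b", r"\bchanged\s+(our|their)\s+bank\b",
                       r"\b(new|updated)\s+(bank|payment)\s+(details|instructions)\b"],
    "urgency": [r"\burgent(ly)?\b", r"\bimmediately\b", r"\bend\s+of\s+(the\s+)?day\b",
                r"\bavoid\s+(any\s+)?delays?\b"],
}

def score_message(raw):
    """Classify one RFC 5322 message and return (verdict, reasons).

    "block"   - sender domain is on the blocklist
    "hold"    - payment-related content; release only after out-of-band verification
    "deliver" - nothing matched
    """
    msg = message_from_string(raw, policy=policy.default)
    _, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    part = msg.get_body(preferencelist=("plain",))
    text = f"{msg.get('Subject', '')}\n{part.get_content() if part else ''}"
    reasons = [name for name, pats in INDICATORS.items()
               if any(re.search(p, text, re.IGNORECASE) for p in pats)]
    if domain in BLOCKED_DOMAINS:
        return "block", [f"blocklisted sender domain {domain}"] + reasons
    if "wire_transfer" in reasons or "payment_change" in reasons:
        return "hold", reasons
    return "deliver", reasons

# Constructed sample: a supplier announcing a new bank account, as in Example 2.
SUPPLIER_MSG = """\
From: Accounts <billing@supplier.example>
To: ceo@shop.example
Subject: Payment for order 4471

We recently changed our bank. Please wire the payment to the new bank
account below by end of day to avoid any delays in shipment.
"""

if __name__ == "__main__":
    print(score_message(SUPPLIER_MSG))
```

A "hold" verdict is the point where the recipient should confirm the request with the supplier by phone, as the verification measure above describes.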
By implementing these security measures, companies can significantly reduce the risk of falling victim to BEC scams. However, it's important to note that no prevention measure is 100% foolproof, and a layered approach to security is always recommended.
Business Email Compromise (BEC) scams are a type of fraud in which attackers use social engineering and phishing tactics to compromise legitimate email accounts and request fraudulent wire transfers from employees, vendors, or customers.
To prevent BEC scams, companies should implement a variety of measures including employee education and awareness, two-factor authentication, email filters and anti-malware software, verification of payment requests, and vendor management. By taking a layered approach to security, companies can significantly reduce the risk of falling victim to BEC scams.
It's important to note that BEC scams continue to evolve, and attackers are constantly developing new tactics to circumvent prevention measures. Therefore, it's essential for companies to stay vigilant and to regularly review and update their security measures to stay ahead of these threats.