Whether you like it or not, you may be a potential victim of spoofing or phishing with the intention to wire financial reserves outside of the firm. US companies have lost over 1.86 billion via BEC fraudulent online activity, which ranks as the costliest loss firms faced in 2020. BEC is an emerging worldwide cyber issue targeting all organizations regardless of location, size or sector, which damaged over 19,369 sufferers last year in the US alone. What are BEC scams, and how can individual email users detect them?

What is BEC

A Business Email Compromise, also called BEC, is an email phishing scam addressing employees who handle financial activities, governments or NGOs. Aggressors typically pretend to be colleagues and send emails that ask for money transfers, sharing sensitive information or paying invoices. 


The FBI lists 5 common types of BEC scams:

CEO Fraud - Predators commonly act as the firm's CEO, requesting workers from the financial department to transfer money to a bank account owned by the attacker.

Account Comprise - Cyber thieves, send emails to employees in the name of a company executive or colleague and request money wired to vendors. Received money is kept by the unauthorized hacker. 

Invoice Scheme - Employees receive emails requesting fund transfers from the firm's supplier, most commonly a foreign one. This is achieved by hacking the supplier's email address and receiving money to a fraudulent bank account. 

Data Theft - Online criminals typically target an HR employee asking for personal information about higher positioned executives. The data is subsequently used to reach money transfer via CEO fraud or other type.

Attorney Impersonation - Impersonating an important individual from a partnering law firm is another way attackers enjoy receiving money. For example, a fake CEO gives his employee a heads up about a future financial request to a lawyer. Later, the victim receives an email asking for it, fooling the worker twice.


How to detect BEC scams

Distinguishing scam emails from real ones can be surprisingly tricky. We don't ordinarily stop and scrutinize every email we receive from our boss. Nor do we call him or reach him personally after he sends us a text requesting a document. Cybercriminals usually closely study the victim's and his colleague's patterns and plans, writing style and personal information. Fortunately, there are some dubious characteristics that may help uncover a fraudulent message. Look out for:

  • A questionable language tone that may seem demanding or secretive, using words such as "urgent", "fast", "secret", "sensitive" etc. 
  • A slightly different domain from the actual company domain
  • Text that includes errors or sounds non-native


Aside from keeping an eye on suspicious emails, also take necessary steps to eliminate the possibility of falling victim:

  • Double-check and verify via non-email channels with involved parties regarding transferring financial means based on an email request.
  • Don't automatically click reply, but forward the email and type in the sender's email to avoid answering the hacker.
  • Install appropriate malware detection solutions
  • Educate your colleagues and employees about this severe issue


Remember that security comes first, and asking your superiors to verify their requests is more manageable than reimbursing BEC scam disasters.