FightCybercrime.org

Recognize, report and recover from cybercrime.

Business Email Compromise (BEC)

Hackers use BEC to gain access to your business's financial resources. Discover how to recover from this type of attack.

Get Started Report Cybercrime
Home » Scams » Business Scams » Business Email Compromise (BEC)

The Basics of Business Email Compromise

Business email compromise (BEC) occurs when an attacker uses a spoofed email account or malicious software to gain access to an organization’s financial resources. The attacker will usually pose as a CEO, executive, vendor or customer in order to trick employees into transferring money to their own account. This type of attack can be difficult to detect, as the attacker will often have knowledge of the organization’s internal procedures.

BEC attacks can have a significant financial impact on an organization. In some cases, attackers steal millions of dollars from their victims. Additionally, BEC attacks can damage an organization’s reputation and cause customers to lose trust in the company.

Risks Associated with Business Email Compromise

BEC can have significant impacts on your business. They can cause significant financial losses and disrupt operations. Here are some common risks associated with BEC:

  • Financial Losses: This can happen if you make payments to fraudulent accounts or if you are tricked into sending money to a scammer.
  • Operational Disruption: This can happen if you are unable to access your email account or if you receive spoofed emails that look like they are from your company.
  • Reputational Damage: This can happen if your customers find out that you have been hacked or if you have been tricked into sending money to a scammer.
  • Legal Problems: This can happen if you are sued for making payments to fraudulent accounts or if you are accused of sending money to a scammer.
  • Emotional Stress: This can happen if you are worried about being hacked or if you are worried about being tricked into sending money to a scammer.

Step 1:Recognize

Red Flags of Business Email Compromise

There are some warning signs to look for that may indicate that you’ve experienced business email compromise, such as:

  • You receive an email from a sender you don’t know.
  • The email has grammatical errors or uses poor language.
  • The email asks you to send money to an account that seems strange.
  • The email asks you to click on a link that leads to a website that is not your own.
  • You receive an email that looks like it is from your company, but the address is slightly different.
  • You receive an email that asks you to change your password or login information.
  • You notice unusual activity in your email account, such as new messages that you didn’t send or messages that you didn’t receive.

Step 2:Immediate Actions

Business Email Compromise is a serious crime that can have devastating consequences for your business. If you suspect that your business is impacted by a BEC attack, there are steps you can take to help mitigate the damage and protect your business going forward.

  • Change passwords and login information on all email accounts immediately.
  • If you sent funds, contact your financial institution right away and ask them to get in contact with the institution where the funds were deposited.
  • If gift cards were sent, contact the issuer. They may be able to help you stop the transaction.
  • Scan for malware on your computers. If malware is found, visit our business malware page.
  • If you provided personal information, like your Employer Identification Number, contact the three major business credit reporting agencies — Dun & Bradstreet, Equifax and Experian —you may want to consider placing a fraud alert on your credit reports. This will make it harder for the scammer to open new accounts in your business’s name.

Step 3:Report

Reporting any type of cybercrime, including BEC, is imperative to help others avoid being scammed. As a society, the more people that report online scams and fraud, the more national reporting data that is collected, and the better chance law enforcement has to catch the criminals and decrease cybercrime.

Report to FBI

Step 4:Recover

How to Protect Your Business from Business Email Compromise

To protect your organization from BEC attacks:

  • Educate your employees about cyber threats. Search for free cybersecurity training videos on YouTube.
  • If you have the budget, consider investing in cybersecurity training for your employees to educate them about threats, and what they can do to help protect themselves and the business from cyber attacks.
  • Instruct your employees to report anything suspicious to you or their supervisor.
  • Implement security measures such as two-factor authentication and email filtering.
  • Monitor your organization’s email traffic for any suspicious activity.
  • Create a process in which any financial transaction over a certain dollar amount must be approved by at least two people.
  • Have a plan in place for what to do in the event of a BEC attack, so you can quickly contain the damage and minimize the impact on your business.

Take 5 Steps for Better Online Security

It’s important to strengthen your business’ online security to help avoid cyber attacks. Take action to improve your digital posture by following these steps:

  1. Implement Multi Factor Authentication (MFA): Passwords are generally easy for scammers to crack, and even if you use strong passphrases, there’s still the possibility that a cybercriminal can obtain your passphrase in a data breach. Implementing MFA is a great way to maximize your security and ensure that you are the only one who can gain access to your accounts. MFA should be implemented on all accounts where it is available. Check your account’s security settings to see if it is something you can set up.
  2. Update Your Privacy Settings: Privacy settings allow you to control your personal information (name, address, phone number, date of birth, financial details, photos or videos, etc) and how that information is used. Review your privacy settings on all of your accounts including your social media accounts. Consider restricting who can see your friends list, contacts, photos and posts.
  3. Activate Automatic Updates: Automatic updates are a set of changes to an app, software or operating system that are automatically pushed by the developer to fix or improve it. Oftentimes, cybercriminals take advantage of security flaws to plant malicious software on your devices. By activating automatic updates, you will automatically patch security vulnerabilities to protect your data.
  4. Create Strong Passphrases: A strong passphrase is a string of unrelated words separated by hyphen, space, period, capitalized first letter or number. Use passphrases that are longer than 15 characters and include multiple words that do not have any obvious connection between them. The key to passphrases is randomness. Don’t repeat your passphrases between accounts and consider using a password manager to help you remember.
  5. Learn the Elements of a Phishing Attempt: Familiarize yourself with the elements of a phishing email. Phishing emails tend to include a sense of urgency and multiple grammar and spelling errors. If they are asking you to reveal personal information, be suspicious. If you get a strange email, try contacting the company another way to confirm they sent that email. If the email is suspicious, mark it as spam.

TestimonialHear from Other Victims

Without Fightcybercrime.org, I don't know if I would have been able to react as quickly to protect my personal information.
Mary - Indianapolis, IN

Latest News

The latest and greatest from our blog.

> Warning Signs You’re Being Targeted by an Advance Fee Scam

Warning Signs You’re Being Targeted by an Advance Fee Scam

Is someone offering to provide you with goods, services or funds in exchange for an upfront payment? Find out if it's an advance fee scam.

Read Full Article
> 5 Risks Associated with Business Email Compromise

5 Risks Associated with Business Email Compromise

Business email compromise can have serious financial consequences for businesses. Learn the risks and find out how to protect your business.

Read Full Article
> The 411 on Strong Passphrases

The 411 on Strong Passphrases

Unique passphrases, rather than passwords, are key to keeping hackers out of your accounts. Discover how to create strong passphrases.

Read Full Article

Branding