Business Email Compromise (also referred to as BEC) is a sneaky online scam in which criminals pretend to be someone important, like your boss or a trusted company. They send emails that look legitimate and trick people into sending money or sharing private information.
The email you receive might look like it’s from your school’s principal, asking you to pay for something important right away. But in reality, it’s from a scammer pretending to be the principal to steal your money.
To avoid falling for BEC scams, you need to be extra careful, verify things, and be aware of how to spot fake emails.
Why Email Is the Weakest Link in Business Security

Email remains the most used communication tool in workplaces, especially since the shift to remote and hybrid work models following the COVID-19 pandemic. While this has made business operations more flexible, it has also exposed a significant security gap.
With fewer in-person conversations and distributed teams, email is where most approvals, payments, and sensitive discussions happen. This heavy reliance on email systems makes them a prime target for cyberattacks.
In fact, the FBI reported over 300,000 incidents of Business Email Compromise (BEC) between 2013 and 2023, costing companies more than $55 billion. Overlooking email security leaves your organization vulnerable to costly internet fraud.
Anatomy of a BEC Attack
Unlike traditional cyberattacks that target software or systems, BEC scams are built around deception. Here’s a breakdown of the most common strategies they use to trick employees and gain access to company funds or sensitive information:
Email Spoofing
This involves creating an email address that closely resembles a legitimate one. For instance, instead of [email protected], a scammer may use [email protected]. The objective is to deceive recipients into thinking the email is from a trusted source.
A related method is registering domain names that closely resemble the real ones. When employees receive emails from these domains, they may not notice the slight differences, especially when they are busy or distracted.
Account Takeover
Account takeover occurs when a scammer gains unauthorized access to an employee’s email account, typically through phishing or stolen credentials. Once inside, they monitor communications and send fraudulent emails from the compromised account to deceive others.
Social Engineering
Social engineering involves exploiting human emotions such as trust, fear, or urgency to manipulate individuals into disclosing sensitive information or taking actions that benefit the attacker.
Scammers research their targets using publicly available information (e.g., LinkedIn profiles and company websites) and craft personalized emails based on the recipient’s role and responsibilities.
Industries Most Targeted by Business Email Compromise (BEC)
Fraudsters don’t target just anyone with email scams. They focus on specific industries that are more vulnerable to these tactics.
Finance & Banking Institutions
Finance institutions manage significant financial transactions daily, making them prime targets for fraud. Scammers often seek to intercept wire transfers, steal customer data, or gain access to systems containing sensitive financial information.
Common strategies include fraudulent wire transfer requests, spoofed emails from “clients” requesting payment redirection, and phishing attempts to steal banking portal login credentials.
Healthcare Service Providers
Healthcare organizations handle highly sensitive personal information, including Social Security numbers, medical records, and insurance details. This data can be exploited for identity theft, insurance fraud, or sold on the dark web.
Manufacturing & Logistics
Such firms often deal with complex supply chains involving multiple vendors, suppliers, and contractors. Scammers exploit this complexity by inserting themselves into the communication flow, posing as legitimate vendors or suppliers.
They may send fake invoices to accounts payable departments, submit fraudulent requests to change vendor payment details, or intercept communications between manufacturers and suppliers.
Small to Medium Enterprises (SMEs)
Small and medium-sized enterprises (SMEs) often have fewer resources dedicated to cybersecurity compared to larger corporations, resulting in weaker defenses and making them easier targets for scammers.
Suspicious Email Characteristics
Scam emails often mimic genuine correspondence but contain hints of fraud. Below are some key examples:
Unusual Domains
Scammers use email addresses that closely resemble legitimate ones but contain subtle differences. Employees should carefully verify sender email addresses before responding, especially when dealing with sensitive information or financial transactions.
Urgent, Pressuring Language
Phrases such as “URGENT,” “ASAP,” “Confidential,” or “Do Not Delay” are commonly used by scammers to bypass critical thinking and create a sense of urgency. In practice, business communications rarely require immediate action without time for verification.
If a request feels rushed, pausing and verifying its authenticity is important.
Lack of Personalization
Unlike personalized messages from trusted contacts, scam emails often start with vague greetings like “Dear Sir/Madam” or omit the recipient’s name.
While a generic greeting alone isn’t always a clear indicator of a scam, it should prompt closer scrutiny when combined with other red flags.
Links Requesting Login Credentials
Emails with unexpected attachments or links requesting users to log in and verify information are common phishing tactics aimed at stealing credentials. Clicking on these links can compromise entire systems.
It is important to preview URLs by hovering over them, or to avoid interacting with suspicious links altogether. This is where Socialcatfish’s reverse lookup tool also comes in handy.
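As an added illustration of the lookalike-domain and urgency red flags described above (example code written for this article, not Socialcatfish’s tool), this Python script parses a constructed sample message and flags the signals a mail filter or analyst would look for. The trusted-domain list and the sample message are assumptions.

```python
"""Flag BEC red flags: lookalike sender domain, mismatched Reply-To, urgency, generic greeting."""
from email import message_from_bytes, policy, utils

# Assumptions (constructed): the organisation's own and known-vendor domains.
TRUSTED_DOMAINS = {"example.com", "acme-supplies.com"}
URGENCY_PHRASES = ("urgent", "asap", "confidential", "do not delay", "immediately")
GENERIC_GREETINGS = ("dear sir/madam", "dear customer", "to whom it may concern")

# Constructed sample: "rn" imitates "m" in example.com, and Reply-To is redirected.
SAMPLE = b"""From: "CEO" <ceo@exarnple.com>
Reply-To: ceo.office@mail-relay.net
Subject: URGENT wire transfer - confidential

Dear Sir/Madam,
Please process the attached invoice ASAP and do not delay.
"""

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 1-2 against a trusted domain is the classic typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header: str) -> str:
    return utils.parseaddr(header)[1].rpartition("@")[2].lower()

def bec_findings(raw: bytes) -> list[str]:
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    sender = domain_of(str(msg.get("From", "")))
    close = [t for t in TRUSTED_DOMAINS if 0 < edit_distance(sender, t) <= 2]
    if close:  # exact trusted match has distance 0 and is not flagged
        findings.append(f"lookalike domain: {sender} resembles {close[0]}")
    reply = domain_of(str(msg.get("Reply-To", "")))
    if reply and reply != sender:  # replies silently routed elsewhere
        findings.append(f"reply-to domain {reply} differs from sender {sender}")
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part else ""
    text = (str(msg.get("Subject", "")) + "\n" + body).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    greeting = next((line for line in body.lower().splitlines() if line.strip()), "")
    if greeting.startswith(GENERIC_GREETINGS):
        findings.append("generic greeting: " + greeting.strip())
    return findings
```

Running `bec_findings(SAMPLE)` returns four findings for the sample; a message from a trusted domain with a personal greeting and no urgency wording returns an empty list.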
Verified BEC Scams That Cost Companies Millions

Ubiquiti
A well-known company in the computer networking industry lost $46.7 million due to an email scam.
The incident involved someone posing as an employee, sending fraudulent requests targeting the finance department to approve money transfers to overseas accounts owned by third parties.
Pure Glass WA
Pure Glass WA, an Australian company, became a victim of a BEC scam when fraudsters impersonated a regular supplier.
The scammers sent an email requesting payment to a new bank account; employees complied without verification and proceeded with two $25 million transactions.
Final Word
In BEC scams, attackers go the extra mile by setting up fake email addresses and writing emails that seem real. They pose as CEOs, vendors, or trusted partners, making it difficult to spot what’s fake and what’s real.
But small details, such as a misspelled domain or an unusual request, can reveal the scam.
If you’ve lost money because of a BEC scam and want to find out who was really behind the email, our Search Specialist Service can help.
Here is what our user, YaronPertman, experienced:
“Quick, helpful, and on-point support from Erin. Erin was prompt and professional and resolved my issue quickly and smoothly.”