Be aware of how these scams work
Among the wide range of cyber threats, few cause as much financial damage as business email compromise (BEC) scams. These scams come in many flavors. All of them, however, rely on social engineering. Attackers hope to trick recipients into sending money (potentially millions of dollars) or sharing sensitive information.
Because BEC relies on trickery rather than malware, these scams are difficult to detect and block with technical safeguards alone. Attackers now use machine-learning translation tools and generative AI chatbots to craft convincing, grammatically correct lures. And the emails themselves often contain no malicious attachments or URLs, so attachment sandboxing and link filtering have nothing to catch.
In BEC attacks, criminals often create lookalike email addresses (a newly registered domain that differs from the real one by a character or two) or spoof a genuine domain outright by forging the From header. Either way, the message appears to come from a legitimate partner organization or coworker. Sender authentication (SPF, DKIM and DMARC) can reject the forged-domain case but not a lookalike domain the attacker actually owns. And attackers can sometimes compromise genuine email accounts, making scam emails appear fully credible.
Being aware of the main types of BEC attacks can help prevent even the most convincing scam. While there are many varieties, the following are five of the most common:
Scam #1: Executive Fraud
Executive fraud (often called CEO fraud) impersonates the email accounts of high-level individuals in the targeted organization, which creates a sense of authority and urgency. The emails typically direct a member of the finance department to make an urgent transfer to a specified account, one that is, of course, controlled by the attacker.
Attackers typically send these requests at the end of the workday, especially before a weekend, when the recipient is least likely to check with the executive in person. They may also direct recipients to transfer funds to cryptocurrency platforms, which is a clear warning sign.
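The tells described so far (a lookalike or spoofed sender domain, an executive's name on an outside address, a diverted Reply-To, urgent payment language) can be checked mechanically before a message reaches the finance team. The script below is an added example and not code from the original article; the trusted domains, the executive roster and the three sample messages are all assumed or constructed for illustration. It folds confusable characters so that acme-c0rp.com compares equal to acme-corp.com, uses edit distance to catch typosquats such as acme-crop.com, and reads the Authentication-Results header to flag exact-domain spoofs that failed SPF, DKIM or DMARC.

```python
"""BEC triage over raw messages: an added example, not code from the original article.
Domains, executive names and sample messages are all assumed/constructed."""
import re
import unicodedata
from email import message_from_string, policy
from email.utils import parseaddr

TRUSTED_DOMAINS = {"acme-corp.com", "northwind-supply.com"}  # assumed partner/own domains
EXECUTIVES = {"jane doe": "jane.doe@acme-corp.com"}  # assumed: display name -> real address
URGENCY = re.compile(r"\b(urgent|asap|immediately|right away|before (?:the )?weekend)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|payment|invoice|bitcoin|crypto|gift cards?)\b", re.I)
# Visual substitutions typical of lookalike domains, folded to one canonical spelling.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w", "cl": "d"}


def skeleton(domain):
    """Fold a domain so visually confusable spellings compare equal."""
    s = unicodedata.normalize("NFKD", domain.lower())
    s = "".join(ch for ch in s if not unicodedata.combining(ch))  # strip accents
    for src, dst in CONFUSABLES.items():
        s = s.replace(src, dst)
    return s


def levenshtein(a, b):
    """Edit distance; one or two edits from a partner domain is a typosquat tell."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None."""
    domain = domain.lower()
    if domain in trusted:
        return None
    for t in trusted:
        if skeleton(domain) == skeleton(t):
            return t  # homoglyph or digit substitution, e.g. acme-c0rp.com
        if len(t) >= 8 and levenshtein(domain, t) <= 2:
            return t  # typosquat, e.g. acme-crop.com
        if t in domain:
            return t  # trusted name buried in another registered domain
    return None


def triage(raw):
    """Return the BEC indicators found in one RFC 5322 message (empty list = none)."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    imitated = lookalike_of(domain)
    if imitated:
        findings.append(f"sender domain {domain} looks like trusted {imitated}")
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr != real:  # executive's name on an address that is not theirs
        findings.append(f"display name '{name}' is an executive but address is {addr}")
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and reply_to.lower() != addr:  # replies silently diverted elsewhere
        findings.append(f"Reply-To {reply_to} differs from From {addr}")
    auth = str(msg.get("Authentication-Results", "")).lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=fail" in auth:  # exact-domain spoof that failed authentication
            findings.append(f"{mech} failed for {domain}")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if URGENCY.search(text) and PAYMENT.search(text):
        findings.append("urgent payment language in body")
    return findings


# Constructed sample: executive fraud from a free-mail account, sent "before the weekend".
CEO_FRAUD = """\
From: Jane Doe <jane.doe.ceo@webmail-example.com>
Reply-To: jd.private@webmail-example.com
Subject: Quick favour
Authentication-Results: mx.acme-corp.com; spf=pass; dmarc=none

Stuck in meetings. Please make an urgent wire transfer before the weekend.
"""
# Constructed sample: false invoice from a digit-substituted lookalike domain.
INVOICE_FRAUD = """\
From: Accounts <billing@acme-c0rp.com>
Subject: Invoice 4471 - updated bank details
Authentication-Results: mx.northwind-supply.com; spf=pass; dkim=pass; dmarc=pass

Our bank details have changed; send payment for this invoice immediately.
"""
# Constructed sample: routine internal mail that should produce no findings.
LEGIT = """\
From: Jane Doe <jane.doe@acme-corp.com>
Subject: Q3 budget review
Authentication-Results: mx.acme-corp.com; spf=pass; dkim=pass; dmarc=pass

Could you send me the Q3 spend summary when you have a moment? No rush.
"""
```

Running triage() over the two constructed fraud samples returns three indicators for the executive-fraud message (executive name on an outside address, diverted Reply-To, urgent payment language) and two for the invoice (lookalike domain, urgent payment language), while the routine message returns none. Note what this cannot do: the lookalike invoice passes SPF and DMARC because the attacker owns acme-c0rp.com, and a message sent from a genuinely compromised partner account would pass every check here, which is why out-of-band confirmation of payment changes remains the control of last resort.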
Scam #2: False Invoices
In this scam, attackers imitate a supplier, whether or not you actually do business with it, and send an invoice for completed work or supplied products. The payment details, however, point to accounts under the attacker's control; a common variant is a notice that the supplier's bank details have "changed" for an otherwise genuine invoice. In some cases, attackers may also request payment in cryptocurrency or gift cards.
Attackers may follow up with calls from spoofed numbers imitating the impersonated organization. These calls are meant to increase the scam’s apparent legitimacy — and the likelihood of payment.
Scam #3: Attorney Impersonation
These scams impersonate attorneys or other legal representatives acting for the organization. They usually target lower-level employees who may be unfamiliar with official processes and reluctant to question a lawyer. A rising subtype impersonates attorneys or others involved in real estate transactions and provides fraudulent wire instructions for charges supposedly associated with those transactions.
Scam #4: Data Theft
While BEC most commonly involves financial theft, some attacks focus on data theft. These scams typically target HR employees, with attackers hoping to obtain tax forms or other sensitive information that can be used for future impersonation, such as executive fraud.
Scam #5: Account Compromise
The previous BEC scams rely on impersonation through spoofed or lookalike email addresses. In account compromise, attackers instead take full control of a valid email account, such as one belonging to an executive or a third-party supplier. Because the messages then come from the genuine account, sender authentication passes and lookalike checks find nothing, so only out-of-band verification catches them. Attackers can use compromised accounts for various activities, but typically focus on sending fraudulent payment requests or instructions, often adding mailbox rules that hide the victim's replies from the account's real owner.
BEC Mitigations
BEC scams can be difficult to spot and inflict costly damage. You can help prevent them by keeping the following in mind:
- Be suspicious of urgent requests for payment, especially those directing funds to a new account or announcing changed bank details
- Be highly suspicious of any payment requests involving cryptocurrency or gift cards
- Always follow your organization's payment procedures, even when a request insists there is no time for them
- If you receive a suspicious request, confirm it via a secondary means of communication, such as in person or via a phone number already in your records (never one supplied in the email itself)