What is business email compromise? How it works and how to prevent it

Business email compromise (often simply known as BEC) is a targeted form of phishing attack. It involves a cyber criminal impersonating someone the victim trusts, typically a senior member of staff, a supplier or a legal representative, and attempting to persuade an employee or third party to hand over sensitive information or transfer money.

Unlike most phishing scams, which are generic and sent in bulk, business email compromise schemes target specific people. That in itself can make them hard to spot, but cyber criminals also go to a lot of effort to make their messages look legitimate, because the potential rewards are far greater than those of a bulk campaign.

Schemes often begin with the crook gathering information about the target, looking them and their organisation up on social media. The criminal might also take care to replicate distinctive characteristics of the emails sent by the person being impersonated, such as their writing style, their email signature and the font they use.

Examples of business email compromise

  1. The bogus invoice scheme: The crook, impersonating someone in a supplier’s accounts department, tells the target organisation that it owes money, usually asking for payment to be made to a new bank account. The message is typically delivered by email or fax, but confident crooks might also phone the victim, as a call adds a sense of authenticity and urgency.
  2. CEO fraud: The crook spoofs the CEO’s email address or compromises their account and sends an urgent request to an employee, typically someone in finance. They might ask for sensitive information or request a wire transfer.
  3. Personal email scheme: The crook compromises an employee’s personal email account, which the employee also uses for business purposes, and sends bogus invoices to vendors in the employee’s contact list.
  4. Attorney impersonation: The crook, posing as a lawyer or representative of a law firm, contacts an employee and claims to be handling a time-sensitive issue concerning the employee’s organisation. The crook then attempts to persuade the employee to provide sensitive information that is supposedly crucial to the case. The sense of urgency is key to this scam, as the crook doesn’t want the employee to follow up with a senior colleague before responding.
  5. Data theft: This is the simplest form of business email compromise. The crook compromises an employee’s email account and sends an urgent request to HR for another employee’s personal or financial details, which are then used in further fraud.

Preventing business email compromise

Although business email compromise is more sophisticated than regular phishing scams, the same lessons apply when trying to avoid falling victim. You must be able to spot the tell-tale signs that something isn’t quite right: an unusual sense of urgency, a request to bypass the normal approval process, a sender or reply-to address that doesn’t match the name on the message, or a sudden change of bank details. This usually means giving yourself a few moments to look over the message, and verifying any payment or data request through a channel other than the email itself, such as a phone call to a number you already have on file.

Once you give yourself a little time, phishing scams are often quite easy to spot. We provide plenty of free advice on the things you should look out for, but we also encourage you to delve a little deeper and give yourself and your employees a thorough understanding of the threat facing them.
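To show what the header-level signs look like in practice, the following Python script is an added example written for this article; it is not code from the original page or from the training course it describes. It parses a raw email and flags display-name impersonation of a known executive, a lookalike sender domain, a Reply-To address that steers replies elsewhere, failed SPF/DKIM/DMARC results recorded by the receiving server, and urgency language in the subject line. The corporate domain example.com, the executive roster and both sample messages are constructed assumptions.

```python
"""Flag common business email compromise tell-tale signs in a raw message.

Added example written for this article; it is not code from the original
page or from the training course it describes. The corporate domain,
executive roster and sample messages are constructed assumptions.
"""
import email
from email.utils import parseaddr

# Assumed organisation details (constructed for the example).
CORPORATE_DOMAIN = "example.com"
EXECUTIVES = {"Jane Smith": "jane.smith@example.com"}
URGENCY_TERMS = ("urgent", "immediately", "wire transfer", "confidential", "asap")


def _domain(addr):
    """Domain part of an address, lower-cased; empty string if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a, b):
    """Levenshtein distance, used to catch lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_indicators(raw_message):
    """Return a list of human-readable indicators found in an RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    findings = []

    # 1. Display-name impersonation: a known executive's name on another address.
    expected = EXECUTIVES.get(name)
    if expected and addr.lower() != expected:
        findings.append(f"display name '{name}' used with address {addr}")

    # 2. Lookalike domain: close to the corporate domain but not equal to it.
    if from_domain and from_domain != CORPORATE_DOMAIN \
            and _edit_distance(from_domain, CORPORATE_DOMAIN) <= 2:
        findings.append(f"lookalike sender domain {from_domain}")

    # 3. Replies are steered to a different domain than the claimed sender's.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append(f"Reply-To domain {_domain(reply_addr)} differs from "
                        f"From domain {from_domain}")

    # 4. Authentication failures recorded by the receiving mail server.
    auth = msg.get("Authentication-Results", "").lower()
    for check in ("spf", "dkim", "dmarc"):
        if f"{check}=fail" in auth:
            findings.append(f"{check} failed")

    # 5. Urgency or payment language in the subject line.
    subject = msg.get("Subject", "").lower()
    hits = [term for term in URGENCY_TERMS if term in subject]
    if hits:
        findings.append("urgency language in subject: " + ", ".join(hits))
    return findings


# Constructed sample: a CEO fraud attempt showing several indicators at once.
SAMPLE_CEO_FRAUD = """\
Return-Path: <bounce@examp1e.com>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com;
 dkim=none; dmarc=fail header.from=examp1e.com
From: Jane Smith <jane.smith@examp1e.com>
Reply-To: Jane Smith <ceo.jsmith@webmail.example.net>
To: accounts@example.com
Subject: URGENT wire transfer - confidential

Hi, I need a wire transfer processed today. I'm in meetings, so email only.
"""

# Constructed sample: a routine internal message that should raise nothing.
SAMPLE_LEGIT = """\
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass
From: Jane Smith <jane.smith@example.com>
To: accounts@example.com
Subject: Q3 budget review

Please send me the Q3 figures when they are ready.
"""

if __name__ == "__main__":
    for finding in bec_indicators(SAMPLE_CEO_FRAUD):
        print("-", finding)
```

Running the script prints six findings for the constructed fraud sample and none for the legitimate one. Note the limit of header checks: a message sent from a genuinely compromised account passes SPF, DKIM and DMARC and uses the real address, so only the urgency and process-bypass signs remain, which is why an out-of-band phone call to a known number is still the decisive check before any payment or data is released.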

Our Phishing Staff Awareness E-learning Course helps employees take action against scammers, showing them how to spot phishing scams, how to respond to them and what happens if they fall victim.

This interactive course provides systematic, consistent and repeatable training for everyone in your organisation. It’s non-technical, meaning it’s suitable even for those with little cyber security knowledge.