Business Email Compromise

AARP

Comments

En español

Published June 17, 2019

/ Updated June 01, 2023

Business email compromise, or BEC, is a fast-growing type of phishing scam in which fraudsters impersonate company owners or executives to deceive employees of the firm into transferring money or turning over confidential data. Also known as “CEO fraud,” “W-2 phishing,” “email account compromise” and “business email spoofing,” the con comes in two basic varieties:

An employee with access to company accounts receives an urgent email request, ostensibly from a top executive, to wire a large sum of money for what sounds like a legitimate purpose, such as an acquisition or vendor payment. The message includes routing data for a bank account that’s actually controlled by the fraudsters, often at a foreign bank. In a variation on this scam, the email supposedly comes from a vendor looking to change its payment account.
The bogus executive emails someone in the payroll or human resources office seeking a list of employees and copies of their W-2 forms. That potentially puts a wealth of workers’ personal and financial information — Social Security numbers, home addresses, wages and tax withholding — into scammers’ hands, setting the stage for large-scale tax ID fraud and other forms of identity theft.

Law enforcement has linked BEC to international organized crime groups, often based in Nigeria. The scam relies on sophisticated techniques in spoofing (making fake emails and business documents look convincing) and spear phishing (researching a mark to launch highly targeted attacks). Scammers might also use malware to infiltrate a company’s computer network and access email exchanges about financial matters.

This form of fraud can pay off: Victims of BEC scams reported nearly $1.87 billion in losses to the FBI's Internet Crime Complaint Center (IC3) in 2020 — about 45 percent of all cybercrime losses logged by the bureau that year and a 44 percent increase from just two years earlier.

The FBI says criminals are increasingly using identities harvested in other scams to create bank accounts to receive stolen BEC funds and convert them to cryptocurrency. They are also using the COVID-19 pandemic to perpetrate new spins on the scam — impersonating lenders supposedly following up on Paycheck Protection Program loans, for example, or infiltrating audio and video meeting platforms to deceive remote workers.

Any company, large or small, can be a target. More than 3 in 4 organizations received a suspected BEC email in 2021 and nearly half were targeted more than 10 times, according to a survey by cybersecurity company Proofpoint of working adults in the U.S. and six other countries.

And these schemes don’t just abuse businesses: According to the FBI, many BEC gangs also perpetrate romance and work-at-home scams to recruit unwitting “money mules,” manipulating victims who believe they've found love or a great job opportunity into opening bank accounts to hide or launder fraud proceeds.

Warning Signs

You receive an email from a higher-up ordering you to quickly process an invoice, change the recipient of a payment or provide sensitive documents.
The message is brief, urgent and presses you to bypass normal policies and procedures.
The sender says he or she is traveling, and the signature indicates the email came from a mobile device.
The email comes from a Gmail, Hotmail or other personal account rather than an organizational account.
Someone you’ve become close to online asks you to open a bank account for the purpose of receiving or sending them money.

How to protect yourself from this scam

Do check with an executive by phone or in person to verify a request to send money or provide personnel records.
Do verbally confirm emailed instructions from a vendor or supplier to change payment methods or bank information. Call them on a known contact number.
Do carefully check the sender’s email address. Scammers may slightly vary a genuine address, adding a letter or changing punctuation, to make it seem legit on first glance.
Do train staff on the BEC threat and how to spot spoofed and spear-phishing emails.
Do immediately contact your financial institution if you discover a fraudulent transfer. It may be able to recall the funds.
Do verify a request from someone involved in a property transaction to change a payment type (for example, from check to wire transfer) or bank data. Do so in person or by phone, not by email.
Do save all emails and other evidence of a BEC attack to provide to authorities.

Don’t act on a request to send money or sensitive employee information without confirming that it’s authentic.
Don’t reply to a suspicious email. Speak directly to the person the sender claims to be, or forward it to a known email address for that person.
Don’t call a phone number listed in the suspicious email. Contact the actual person on a number you know to be legitimate.
Don’t click on links or open attachments in a suspicious business email. It could unleash malware.
Don’t open a new bank account at the behest of someone you’ve forged a relationship with online or as part of a supposed work-at-home opportunity.

More Resources

If you’ve been targeted or victimized by a BEC scam, report it to the FBI’s Internet Crime Complaint Center (IC3).
Forward W-2 phishing emails to the Internal Revenue Service at phishing@irs.gov.
If a BEC attack results in a data loss, follow the IRS’s instructions for reporting the theft and protecting employees. Contact the Federation of Tax Administrators at StateAlert@taxadmin.org for information on reporting the loss to state authorities.
IC3 recommends office policies and IT strategies to reduce the BEC threat, as does the Financial Services Information and Analysis Center, a finance industry group that monitors cybersecurity and other threats.