
What is Business Email Compromise?

Business Email Compromise (BEC) refers to a type of phishing attack that is aimed at a specific business and involves the impersonation of its employees. BEC-type emails are precisely targeted, unlike most other forms of phishing email, which are sent out to hundreds or thousands of people. The purpose of BEC emails is simply to steal money or information from businesses by impersonating people.

BEC-type emails are addressed to specific people and, by way of impersonation, typically request that bank details be altered to an account under the scammer's control. This is more commonly referred to as mandate or invoice fraud. Here are two examples of common BEC attacks:

  • Scammers ‘spoof’ an executive’s name to make it seem that an emailed task is very important. The scammer claims that the task needs to be carried out without delay and in circumstances where the executive cannot make a phone call. The task is often to trick the recipient into making a money transfer or buying gift cards.
  • Clients and customers are often impersonated by making use of real emails that were stolen at some time in the past when an account was hacked. Whilst pretending to be a customer, the scammer can forward an old email whilst adding their money transfer or gift card request. The recipient sees the old but genuine email history and thinks the same person is emailing again.

BEC-type attacks often involve the attacker making use of a compromised email account, as emails sent from that account look genuine. Alternatively, the scammer can simply create a similar-looking email address, such that the recipient doesn’t notice the difference.

BEC emails often don't have malicious links, attachments or the other characteristics of scam emails, meaning they can easily evade traditional security solutions such as spam filters. It is crucial that businesses educate their staff about BEC attacks, as the burden of identifying and reporting attacks often depends wholly on the awareness and knowledge of staff.

Warning signs

  • You receive an unexpected email from a senior executive or manager asking for a task or errand to be carried out…
  • …but this email is vague…
  • …and they say they cannot talk over the telephone.
  • You receive an unexpected email from a client or customer which makes an unusual request.
  • The Sender's email address is different from the expected email address.
  • The person wants you to buy gift cards, pay an invoice or make changes to financial information.
  • The senior staff member or client contacted you using your personal email address.
  • The Sender asks for the conversation to be moved from email to instant messaging (e.g. WhatsApp).
  • The language used in the email is not typical of how the person normally writes emails.

What should you do?

The following covers some basic steps that anyone can take when a BEC email has been received:

  • Ignore the Sender’s request if the email seems suspicious.
  • Ask a colleague to look at the email to see what they think.
  • Report the email to your I.T. team or I.T. provider.
  • Report it to us using our Suspicious Email Reporting Service.
  • If a payment has been made, contact the bank or financial provider without delay…
  • …and keep any emails with the scammer, as they might be needed by investigators and the Police.

How have they got my or my employer's details?

Information used in a BEC attack is often in the public sphere; for example, some companies choose to list members of the team on their website, which criminals can use to impersonate a staff member. Another source could be a companies registry such as Companies House, whose documents list director names.

One tool of particular concern used by criminals is LinkedIn, which allows criminals to see a list of employees for a company, their roles, and even their job history, allowing the messages to be more targeted and therefore more believable. It's therefore important to consider the information you or your employees are sharing on LinkedIn and to be conscious of its possible malicious use.

Recommendations

  • Ignore any requests or queries concerning gift cards. No legitimate requester will ask you to purchase gift cards.
  • If an email seems strange, always carefully check the email address to confirm that it exactly matches your known and trusted records.
  • Follow procedures with respect to making payments, for example, ensure that the dual-control procedures are followed for authorising payments.
  • Be wary about any emailed requests to alter bank details. Validate all requests for bank account changes using established contact details and by speaking with the person.
  • Ensure that a senior member of your finance team reviews actions and formally authorises the change of bank account details.
  • Regularly reconcile your bank statement and report anything suspicious to your bank immediately.
  • Business managers should regularly review and update security policies ensuring that all staff are fully briefed and trained to spot potential fraud.
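As an added illustration, not part of this page or its author's material, the following Python applies the advice above about checking the sender's address against known records and the earlier point about similar-looking addresses: it classifies a From: header against a constructed list of trusted senders. The trusted addresses, the character folding and the 0.9 similarity threshold are assumptions chosen for the example.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed trusted records: the addresses the business already knows and uses.
TRUSTED = {"ceo@example-company.co.uk", "accounts@example-supplier.co.uk"}

# Digit-for-letter swaps commonly seen in look-alike addresses (assumed list).
_FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Optional (possibly quoted) display name followed by <address>; bare addresses handled below.
_FROM_RE = re.compile(r'^\s*(?:"?(?P<name>[^"<]*?)"?\s*)?<(?P<addr>[^>]+)>\s*$')


def parse_from(header: str) -> tuple[str, str]:
    """Split a From: header into (display name, address)."""
    m = _FROM_RE.match(header)
    if m:
        return (m.group("name") or "").strip(), m.group("addr").strip().lower()
    return "", header.strip().lower()


def fold(text: str) -> str:
    """Normalise text so visual look-alikes compare equal: strip accents,
    map digits to the letters they imitate, and collapse rn->m and vv->w."""
    ascii_only = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    return ascii_only.lower().translate(_FOLD).replace("rn", "m").replace("vv", "w")


def check_sender(header: str, trusted: set[str] = TRUSTED) -> str:
    """Classify a From: header as trusted, display-name-spoof, lookalike or unknown."""
    name, addr = parse_from(header)
    if addr in trusted:
        return "trusted"
    # A trusted address written into the display name, in front of a different real address.
    if any(fold(t) in fold(name) for t in trusted):
        return "display-name-spoof"
    for t in trusted:
        # Identical after folding, or within roughly one edit of a trusted address (assumed threshold).
        if fold(addr) == fold(t) or SequenceMatcher(None, fold(addr), fold(t)).ratio() >= 0.9:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for h in ['Jane Smith <ceo@example-company.co.uk>',
              '"ceo@example-company.co.uk" <ceo@freemail.example>',
              'Jane Smith <ceo@exarnple-c0mpany.co.uk>',
              'newsletter@retailer.example']:
        print(check_sender(h), "<-", h)
```

A "lookalike" or "display-name-spoof" result is a prompt to verify the request through established contact details, as recommended above, not proof of fraud on its own.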

This page was last updated 29/04/2024.