Learn About Business Email Compromise


Using the age-old art of deception, criminals use a variety of methods to compromise business email accounts, such as:

  • Phishing —using deceptive emails and websites to harvest credentials, personally identifiable information, banking and credit card details
  • Social engineering — using deceptive methods that rely on human interaction and often involve tricking people into breaking normal security procedures to divulge confidential or personal information useful to perpetrate fraud
  • E-mail spoofing — sending deceptive email that appears to have originated from a trusted source.
  • Malware — malicious software that is unknowingly installed on a business’s computer system that among other things can steal sensitive information, alter or hijack a computer system, or plant ransomware.

Experts don’t know how criminals select victims, however, perpetrators often monitor and study victims before initiating a BEC scam, learning the players and protocols necessary to perform wire transfer requests within the business environment. Some victims report receiving emails requesting additional details regarding the business or individual they’re targeting, such as name, travel dates, and more.  Others report that they experience a cyber intrusion immediately before a BEC incident.

W-2 BEC Fraud

A growing offshoot of this fraud is W-2 BEC fraud, in which a criminal tries to gain access to personal information (PI) about employees. Frequently, the criminal will gain access to a business executive’s email account, or create a spoofed, look-a-like email address, then send an email impersonating that executive requesting information from a key employee in human resources or payroll such as:

  • Social Security Numbers
  • Home addresses
  • Salaries

After receiving the information, the criminal files fake tax returns for refunds or sells the PI to other criminals. In 2017, more than 200 employers fell victim to this scam, and hundreds of thousands of employees’ PI was stolen.

Identifying BEC Scams

Experts at the FBI’s Internet Crime Complaint Center IC3 report these common characteristics of BEC complaints:

  • Criminals often target Chief Financial Officers — they are targets of 19 percent of BEC fraud incidents. Finance directors (7 percent), finance managers (6 percent), finance controllers (6 percent), and accountants (4 percent) make up the next most common targets.
  • Business and personnel targets often use open source email accounts, such as browser-based free email services.
  • Targets often include individuals who handle wire transfers within a business.
  • Spoofed emails very closely mimic a legitimate email request. CEOs are most often impersonated (42 percent), managing directors/directors (28 percent), and presidents (7 percent) make up the most commonly spoofed executives.
  • Criminals often target personal email accounts.
  • Fraudulent email requests for wire transfers are well-worded, specific to the business, and don’t raise suspicions about legitimacy.
  • Some victims report the commonly used phrases “code to admin expenses” or “urgent wire transfer” in some fraudulent email requests.
  • Wire transfer fund amounts are business-specific and designed to mimic normal business transactions so they don’t raise suspicions.
  • Criminals often send fraudulent emails while executives are traveling so it’s more difficult to verify information.
  • Victims report that IP addresses frequently trace back to free domain registrars.