How to Identify Business Email Compromise: BEC “Red Flags” to Watch for
Common Signs of a BEC Attack
Business email compromise attacks rely far less on technical exploitation than on sophisticated social engineering, so traditional rules-based fraud-prevention tools are often ineffective against them.
Fake workflows, imparting a sense of urgency, odd requests, and suspicious email addresses or domain names are all “red flags” for BEC attacks.
To combat this threat, you and your employees will need to be intimately familiar with the red flags that could indicate a BEC scam in progress. Here are some to consider:
Be wary of emails requesting unusually sensitive information that appear to come from a trusted colleague, vendor, or partner, especially if the requests deviate from established procedures or seem slightly out of character. For example, unexpected requests for gift card purchases or changes to payroll direct deposit information should raise immediate red flags.
Scammers may try to mimic internal processes by sending emails that look like standard requests (e.g. password resets, document sharing, application access requests). Question emails that initiate a workflow you didn't expect or that ask for credentials like your username or password.
Look for emails using language designed to manufacture a sense of urgency, authority, or familiarity to bypass critical thinking. Pay attention to suspicious subject lines like:
- “Hello, [FIRST NAME]”
- “Immediate Action”
- “Payment”
- “Overdue”
- “Request”
Remember: unlike credential-phishing or malware-delivery attacks, BEC scams typically rely on persuasive language rather than malicious links or attachments to prompt action, which is why link and attachment scanning alone will not catch them.
It’s common for many legitimate business communications to include attachments. Still, always pause and think before downloading unsolicited documents, spreadsheets, or data, even if they appear to come from a known source. These attachments may be designed to lend legitimacy to a fake request rather than containing malware (though that's also a real risk).
Legitimate business emails come from official company accounts, so beware of communications sent from free providers such as gmail.com or yahoo.com. These services are fine for personal use, which is exactly why they are suspicious in an official capacity. Also be on the lookout for links to files hosted on consumer file-sharing services such as Box or Google Drive, unless your business uses those services and the files sit in your company's own shared drive.
BEC scammers may specifically impersonate the CEO or another high-level executive to pressure finance or accounting staff into making urgent wire transfers or sharing sensitive data. No matter how urgent the message appears, train staff to verify every such request through a secondary, established communication channel (for example, a phone call to a number already on file) instead of replying to the email directly.
Be suspicious of an unsolicited email or phone call from someone claiming to be a lawyer or legal representative who requests personal or company information. Be especially wary of such messages targeted at lower-level employees or new hires who are unfamiliar with the company's actual legal contacts.
Be wary of emails, particularly those targeting employees who handle accounts payable, that contain invoices or requests to change payment details for existing vendors. BEC scammers exploit established vendor relationships, deliberately posing as overseas or long-distance suppliers who bill frequently, in the hope that employees won't verify each request for payment.
Scammers may use email addresses or slightly altered domains that closely resemble legitimate company or vendor addresses. Red flags include mail from a .co domain instead of the expected .com, or addresses that contain a capital “I” in place of a lowercase “l”. Be suspicious if a known contact suddenly uses a personal email address or a domain you don't recognize for official requests. Remember, too, that a From address can be forged outright by spoofing, so a familiar-looking address proves nothing on its own; the authentication results your mail server records in the message headers (SPF, DKIM and DMARC) are a more reliable signal than the displayed address.
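One way to automate the sender checks described above (lookalike domains, free-mail senders, a Reply-To that points somewhere else, an executive's display name on an external address, and the SPF/DKIM/DMARC results that spoofing fails) is to triage the message headers before a human reads the body. The code below is an added example written for this article, not code from the original page or from any vendor; the trusted domains, executive names and the three sample messages are constructed for illustration, while the headers it reads (From, Reply-To, Authentication-Results) are standard ones a receiving mail server produces.

```python
"""Header-based sender triage for BEC red flags (constructed example)."""
import email
import re
from email.utils import parseaddr

# Assumption (hypothetical): your own domain and the vendors you pay.
TRUSTED_DOMAINS = {"example.com", "acme-supplies.com"}
# Assumption (hypothetical): executives whose display names get impersonated.
EXECUTIVE_NAMES = {"jane doe"}
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Characters that read alike in many fonts. str.lower() turns a capital I into i,
# which this table then folds to l, so "PayPaI" and "paypal" collide as intended.
HOMOGLYPHS = str.maketrans({"i": "l", "1": "l", "0": "o", "3": "e", "5": "s"})


def normalize(domain: str) -> str:
    """Fold case, single-character homoglyphs and the two-letter pairs rn/m, vv/w."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; O(len(a)*len(b)) is fine for domain names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def lookalike_of(domain: str):
    """Return the trusted domain this one imitates, or None if trusted or unrelated."""
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    nd = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        nt = normalize(trusted)
        # Same name under another TLD (example.co vs example.com) ...
        if nd.rsplit(".", 1)[0] == nt.rsplit(".", 1)[0]:
            return trusted
        # ... or within two edits after homoglyph folding (exarnple, acme-suppliers).
        # The threshold is a tuning knob; very short trusted domains need a lower one.
        if levenshtein(nd, nt) <= 2:
            return trusted
    return None


def triage(raw_message: str) -> list:
    """Return human-readable red flags found in the message headers."""
    msg = email.message_from_string(raw_message)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)

    for header, dom in (("From", from_dom), ("Reply-To", reply_dom)):
        if dom in FREEMAIL_DOMAINS:
            findings.append(f"{header} uses free-mail domain {dom}")
    target = lookalike_of(from_dom)
    if target:
        findings.append(f"From domain {from_dom} imitates trusted domain {target}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if display_name.strip().lower() in EXECUTIVE_NAMES and from_dom not in TRUSTED_DOMAINS:
        findings.append(f"display name '{display_name}' is an executive but address is external")
    # A From address can be forged outright; the receiving server's Authentication-Results
    # header (SPF/DKIM/DMARC) says whether the claimed domain actually sent the message.
    auth = msg.get("Authentication-Results", "")
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth, re.IGNORECASE)
        if m and m.group(1).lower() not in ("pass", "none"):
            findings.append(f"{mech} result is {m.group(1)}")
    return findings


# Constructed sample messages (not real traffic).
SAMPLE_LOOKALIKE = """\
From: Jane Doe <jane.doe@exarnple.com>
Reply-To: jane.doe.ceo@gmail.com
To: ap@example.com
Subject: Immediate Action - Payment
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=exarnple.com; dkim=none; dmarc=none

Please process the attached invoice today. I'm in meetings, reply by email only.
"""
SAMPLE_SPOOFED = """\
From: Jane Doe <jane.doe@example.com>
To: ap@example.com
Subject: Overdue
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail

Wire the attached invoice this afternoon.
"""
SAMPLE_LEGITIMATE = """\
From: Jane Doe <jane.doe@example.com>
To: ap@example.com
Subject: Q3 budget
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass

Attached as discussed.
"""

if __name__ == "__main__":
    for label, sample in (("lookalike", SAMPLE_LOOKALIKE), ("spoofed", SAMPLE_SPOOFED),
                          ("legitimate", SAMPLE_LEGITIMATE)):
        print(label, triage(sample) or ["no red flags"])
```

The lookalike sample trips four checks at once (free-mail Reply-To, folded domain match, Reply-To mismatch, executive name on an external address) while passing SPF, which is typical of a registered lookalike domain; the spoofed sample has a perfect-looking From line and is caught only by the SPF and DMARC failures. Neither check replaces the out-of-band verification the article recommends; the point is to surface the flags before a busy employee reads the urgent-sounding body.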
Virtually all valid requests for payment will have clear, unambiguous, and unchanging wire or ACH instructions. If a payee unexpectedly changes their payment details last minute, that should raise a red flag. At a minimum, confirm the change with the requesting party using an established secondary channel.
You should have clearly-defined payment terms with all of your external vendors and payees. If you receive a request for an immediate payment, that should raise a massive red flag, since few legitimate vendors would be willing to risk their reputation by unprofessionally asking for payments to be accelerated ahead of the previously agreed-upon timeline.
Larger vendors often have established procedures for verifying payments; for example, wire instructions may be sent by email but must be confirmed by a live call to a known number. If you receive an email asking you to deviate from those standard practices, do not act on the request, and report the email as potentially fraudulent.
How to Respond to a BEC Attack
Responding to a suspected BEC attack involves four basic steps: containing the threat, evaluating the damage, contacting any parties affected, and reporting the incident to authorities so they can take further action.
You’ll need to respond rapidly and deliberately if you want to contain the fallout from a business email compromise incident. Try taking the following steps immediately after an attack is discovered: