What is Business Email Compromise? Is the Person on the Other End of That Email Who They Claim to Be?
What is a Business Email Compromise Scam? Definitions & Overview
You get an email from a trusted party. Maybe your boss, or a coworker. Then, you find out weeks later that the person you’d been corresponding with was never who they claimed to be. You’ve just been hit with a business email compromise scam.
A typical BEC attack involves four basic steps: identifying a target, gaining access to the target account, conducting the attack, and then disappearing with the desired funds or data. But how does that really work? Let's get into it.
Business Email Compromise
The FBI calls business email compromise “the $26 billion dollar scam.” How is that possible? This article takes a close look at BEC scams to explain what they are, why they're such an expensive problem, and how you and your employees might be targeted.
What is a Business Email Compromise Scam?
Business Email Compromise [noun] /biz • nəs • ē • māl • käm • prə • mīz/
Business email compromise, commonly abbreviated to BEC, is a scam conducted through email. In a BEC attack, an email appears to come from a legitimate source within the business. However, the sender is an impostor attempting to trick other members of the organization into divulging sensitive information.
Business email compromise is not a conventional form of transaction fraud. Nonetheless, it's one of the costliest business scams active today.
Attackers who use BEC tactics exploit the fact that professionals and companies rely heavily on email to communicate and conduct business. In many cases, the scammer makes a request that seems reasonable at first glance. The target sees the name on the email and, without thinking twice, provides the information requested.
To illustrate, imagine that an employee gets an email that appears to come from one of your executives. The message asks them to buy a bundle of gift cards for employee rewards. Once the purchase has been made, the “executive” requests the serial numbers so they can be emailed out immediately... and then disappears with the gift cards. That's just one example.
While directors and people in the C-Suite are common targets, scammers may potentially attack anyone within your company. A simple email could lead to losses in the thousands or even millions of dollars.
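One defensive illustration of the impostor-sender pattern described above, added here as an example and not code from the original article: a small Python triage check run over constructed sample messages that flags an executive's display name on an address that is not the one on file, a Reply-To that points to a different domain than the visible sender, and the gift-card request language from the scenario. The executive name, mailbox, domains and phrases are assumed sample values.

```python
import email
from email import policy
from email.utils import parseaddr
# Constructed sample data (not from the article): the executives whose names
# an impostor is most likely to borrow, mapped to their real mailboxes.
EXECUTIVES = {"Dana Ortiz": "dana.ortiz@example.com"}
# Phrases typical of the gift-card and payment requests described above.
REQUEST_TERMS = ("gift card", "serial number", "wire transfer", "urgent")

def domain_of(address: str) -> str:
    """Lower-cased domain part of an address ('' if malformed)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def bec_indicators(raw_message: str) -> list[str]:
    """Reasons an inbound message looks like BEC (empty list = none fired).
    Caveat: once the executive's real mailbox is taken over, the header checks
    pass and only the content check remains, so this is triage, not proof."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, sender = parseaddr(str(msg.get("From", "")))
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    reasons = []
    # 1. A known executive's display name on an address that is not the one on file
    #    (the "appears to come from a legitimate source" trick).
    if display_name in EXECUTIVES and sender.lower() != EXECUTIVES[display_name]:
        reasons.append(f"display name '{display_name}' used from {sender}")
    # 2. Replies silently routed to a different domain than the visible sender.
    if reply_to and domain_of(reply_to) != domain_of(sender):
        reasons.append(f"Reply-To {reply_to} differs from sender domain")
    # 3. Body carries the payment / gift-card / urgency language of the scam.
    body = msg.get_body(preferencelist=("plain",)).get_content().lower()
    hits = [t for t in REQUEST_TERMS if t in body]
    if hits:
        reasons.append("request language: " + ", ".join(hits))
    return reasons

# Constructed sample messages: a lookalike-domain impostor and a genuine note.
IMPOSTOR = """From: Dana Ortiz <dana.ortiz.ceo@examp1e-mail.test>
Reply-To: <ceo.ortiz@webmail.test>
To: staff@example.com
Subject: Quick favour

Please buy 10 gift cards for employee rewards today and send me the
serial numbers as soon as you have them. Urgent, I am in meetings all day.
"""
LEGIT = """From: Dana Ortiz <dana.ortiz@example.com>
To: staff@example.com
Subject: Monday agenda

Agenda for Monday's staff meeting is attached.
"""
```

Running `bec_indicators(IMPOSTOR)` returns three reasons while `bec_indicators(LEGIT)` returns an empty list; in practice the output feeds a mail-gateway quarantine or an analyst queue rather than blocking on its own.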
How Do BEC Scams Work?
A typical BEC attack involves four basic steps: identifying a target, gaining access to the target account, conducting the attack, and then disappearing with the desired funds or data.
Unlike many other scams, business email compromise attacks don't require advanced technical skills.
Scammers don’t need to be savvy hackers; they can simply dig through public sources like LinkedIn to uncover the information they need to launch an attack, like email addresses, professional titles, and other business details. This low barrier to entry means that BEC scams yield significant returns with relatively little effort.
In a typical BEC attack, fraudsters will do the following:
The last point is why a rapid response to cybersecurity incidents is so critical: a delay of just a few hours can mean the difference between recouping or losing millions of dollars.