When it comes to cybersecurity threats, phishing and malware often steal the spotlight. But there’s another growing threat that targets trust — Business Email Compromise (BEC) scams.
BEC is a form of cybercrime where attackers impersonate a trusted executive, vendor, or partner to trick employees into transferring money or sensitive data. These scams cost businesses billions annually, with small and medium-sized companies being prime targets due to weaker email security measures.
Let’s explore how these scams work, real-world examples, and actionable steps to secure your business.
What Is Business Email Compromise (BEC)?
Business Email Compromise (BEC) is a scam where cybercriminals gain access to or spoof legitimate business email accounts to deceive employees into performing unauthorized actions — usually wiring money or sharing sensitive information.
Common BEC Tactics
- CEO Fraud: Impersonating the CEO to request urgent wire transfers or gift card purchases.
- Invoice Scams: Sending fake invoices from lookalike vendor email addresses.
- Account Takeover: Hacking a legitimate email account and using it to request payments.
- Payroll Diversion: Tricking HR or finance staff into changing an employee’s direct deposit information.
- Attorney Impersonation: Pretending to be legal counsel to pressure staff during “confidential” cases.
Real-Life Example
Case: Ubiquiti Networks (2015)
Hackers tricked Ubiquiti employees into sending $46.7 million to fraudulent overseas accounts by impersonating executives using spoofed emails. The company only recovered part of the money — and it became a lesson in email verification and awareness training.
Why BEC Scams Work
- They rely on trust and authority. A request from the “CEO” often isn’t questioned.
- Emails look legitimate. Attackers use domains like ceo@company.co instead of ceo@company.com.
- No malicious attachments. Unlike typical phishing, BEC scams often use plain text, bypassing antivirus filters.
- They exploit urgency. “Send this payment NOW” creates panic and lowers vigilance.
Common BEC Scenarios
| Scenario | Description |
| --- | --- |
| Fake Wire Transfer | CFO gets an email from “CEO” requesting urgent payment. |
| Vendor Invoice Scam | Fake invoice sent using a spoofed supplier domain. |
| Payroll Redirect | HR is tricked into changing an employee’s salary account. |
| Gift Card Requests | CEO asks an assistant to “quickly buy gift cards for clients.” |

How to Prevent BEC Attacks
- Use Multi-Factor Authentication (MFA)
  - Protect all email accounts with MFA to prevent unauthorized logins.
  - Use app-based authenticators instead of SMS where possible.
- Implement DMARC, DKIM, and SPF
  - These email authentication protocols let receiving mail servers detect and reject messages that forge your domain.
  - Free tools like dmarcian or MXToolbox can check your email security settings.
- Verify All Payment Requests
  - Create a call-back policy — confirm large or unusual transfers by phone or in person, using a number you already have on file.
  - Never approve financial transactions based solely on email.
- Train Your Team Regularly
  - Conduct phishing simulations to teach staff how to spot fake emails.
  - Encourage a “pause and verify” culture for any urgent or unusual requests.
- Monitor Email Forwarding Rules
  - Hackers often set up hidden rules to auto-forward emails to external accounts.
  - Tools like the Microsoft 365 Security & Compliance Center can detect this.
- Use Email Security Gateways
  - Affordable tools like Proofpoint Essentials, Barracuda Email Security, or Microsoft Defender for Office 365 filter suspicious messages.
- Limit Public Info
  - Reduce the amount of sensitive company data (e.g., CEO travel plans) shared publicly — attackers use this to craft believable scams.
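The DMARC/SPF step above is only as strong as the published records: an SPF record ending in `+all`, or a DMARC policy of `p=none`, authenticates nothing in practice. The following checker is an added example (not code from the original article or from any of the tools it names) that evaluates SPF and DMARC TXT record strings for such weak settings. The record strings are constructed samples, and `example.com` is a placeholder domain.

```python
"""Evaluate published SPF and DMARC records for settings that leave a domain
spoofable.  Added example; the record strings below are constructed samples."""
from dataclasses import dataclass


@dataclass
class Finding:
    record: str    # "SPF" or "DMARC"
    severity: str  # "high", "medium" or "low"
    message: str


# SPF terms that each consume one of the 10 DNS lookups permitted by RFC 7208.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def _term_name(term: str) -> str:
    """Strip the qualifier (+ - ~ ?) and any argument: 'include:x' -> 'include'."""
    return term.lstrip("+-~?").split(":")[0].split("/")[0].split("=")[0].lower()


def check_spf(txt: str) -> list[Finding]:
    """Return findings for an SPF TXT record; an empty list means no weakness found."""
    findings: list[Finding] = []
    if not txt.lower().startswith("v=spf1"):
        return [Finding("SPF", "high", "no SPF record published for the domain")]
    terms = txt.split()[1:]
    alls = [t for t in terms if _term_name(t) == "all"]
    tail = alls[-1] if alls else None
    if tail in ("+all", "all"):
        findings.append(Finding("SPF", "high", "'+all' authorises every host to send as this domain"))
    elif tail == "?all":
        findings.append(Finding("SPF", "medium", "'?all' is neutral: spoofed mail is not penalised"))
    elif tail == "~all":
        findings.append(Finding("SPF", "low", "'~all' only softfails spoofed mail; '-all' is stricter"))
    elif tail is None:
        findings.append(Finding("SPF", "medium", "no 'all' mechanism: unlisted senders get a neutral result"))
    lookups = sum(1 for t in terms if _term_name(t) in LOOKUP_TERMS)
    if lookups > 10:
        findings.append(Finding("SPF", "high",
                                f"{lookups} DNS lookups exceed the limit of 10; receivers return permerror"))
    return findings


def parse_dmarc(txt: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=none; rua=mailto:x' into a tag dictionary."""
    tags: dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(txt: str) -> list[Finding]:
    """Return findings for a DMARC TXT record; an empty list means the policy is enforcing."""
    findings: list[Finding] = []
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return [Finding("DMARC", "high", "no valid DMARC record (v=DMARC1 and p= are required)")]
    policy = tags["p"].lower()
    if policy == "none":
        findings.append(Finding("DMARC", "high", "p=none only monitors; spoofed mail is still delivered"))
    elif policy == "quarantine":
        findings.append(Finding("DMARC", "low", "p=quarantine sends spoofed mail to junk; p=reject blocks it"))
    elif policy != "reject":
        findings.append(Finding("DMARC", "high", f"unknown policy '{policy}'"))
    if "rua" not in tags:
        findings.append(Finding("DMARC", "medium", "no rua= address: you receive no aggregate reports of spoofing"))
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(Finding("DMARC", "medium", f"pct={pct}: policy applies to only {pct}% of failing mail"))
    return findings


# Constructed sample records for a placeholder domain (example.com).
SAMPLE_RECORDS = {
    "weak_spf": "v=spf1 include:_spf.mailhost.example +all",
    "good_spf": "v=spf1 include:_spf.mailhost.example -all",
    "weak_dmarc": "v=DMARC1; p=none",
    "good_dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100",
}

if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        checker = check_spf if record.lower().startswith("v=spf1") else check_dmarc
        for f in checker(record) or [Finding("-", "ok", "no weakness found")]:
            print(f"{name}: [{f.severity}] {f.record}: {f.message}")
```

To use it against a live domain, feed it the TXT records for `yourdomain` and `_dmarc.yourdomain` (for example from `dig TXT`); the checks themselves are offline. Only `p=reject` (or at least `p=quarantine`) with an `rua=` address actually stops lookalike mail from reaching inboxes and tells you when someone tries.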
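For the forwarding-rule check, here is an added example (not code from the original article, Microsoft, or any product named above) that audits an export of mailbox inbox rules. The rule records are constructed, and their field names (`ForwardTo`, `RedirectTo`, `DeleteMessage`, `MoveToFolder`, and so on) are an assumption modelled loosely on the Exchange Online `Get-InboxRule` output; adapt them to whatever your admin tooling exports. It flags rules that send mail to addresses outside `INTERNAL_DOMAINS` and, going a step beyond the text, rules that quietly bury finance-related mail, which is another common sign of a taken-over account.

```python
"""Audit exported mailbox inbox rules for signs of BEC account takeover:
auto-forwarding to external addresses and rules that hide finance-related mail.
Added example: rule records are constructed and field names are an assumption
modelled loosely on Exchange Online's Get-InboxRule output."""

INTERNAL_DOMAINS = {"company.com"}  # assumption: the organisation's own mail domains
FINANCE_WORDS = ("invoice", "payment", "wire", "bank", "transfer")
HIDING_FOLDERS = {"RSS Feeds", "Deleted Items", "Archive", "Junk Email"}


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def is_external(address: str) -> bool:
    """True when the address is outside every internal domain (subdomains count as internal)."""
    domain = _domain(address)
    return bool(domain) and not any(
        domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS
    )


def audit_rule(mailbox: str, rule: dict) -> list[str]:
    """Return human-readable alerts for one rule; disabled rules are ignored."""
    alerts: list[str] = []
    if not rule.get("Enabled", True):
        return alerts
    # Each of these actions sends a copy of the message outside the mailbox.
    targets = (rule.get("ForwardTo", []) + rule.get("RedirectTo", [])
               + rule.get("ForwardAsAttachmentTo", []))
    external = sorted({t for t in targets if is_external(t)})
    if external:
        alerts.append(f"{mailbox}: rule '{rule['Name']}' forwards mail to external "
                      f"address(es) {', '.join(external)}")
    # A rule that buries invoice/payment mail out of sight is a classic sign that
    # someone other than the mailbox owner is controlling the account.
    hides = (rule.get("DeleteMessage", False) or rule.get("MarkAsRead", False)
             or rule.get("MoveToFolder") in HIDING_FOLDERS)
    subjects = [w.lower() for w in rule.get("SubjectContainsWords", [])]
    if hides and any(word in s for s in subjects for word in FINANCE_WORDS):
        alerts.append(f"{mailbox}: rule '{rule['Name']}' hides messages matching {subjects} "
                      f"(delete={rule.get('DeleteMessage', False)}, "
                      f"folder={rule.get('MoveToFolder')})")
    return alerts


def audit_mailboxes(export: dict[str, list[dict]]) -> list[str]:
    """Run audit_rule over every mailbox in the export and collect the alerts."""
    return [alert for mailbox, rules in export.items()
            for rule in rules for alert in audit_rule(mailbox, rule)]


# Constructed export: two mailboxes, five rules, two of which should alert.
SAMPLE_EXPORT = {
    "cfo@company.com": [
        {"Name": "Newsletters", "Enabled": True, "MoveToFolder": "Newsletters",
         "SubjectContainsWords": ["digest"]},
        {"Name": ".", "Enabled": True, "ForwardTo": ["backup.mail@webmail-example.net"]},
        {"Name": "Cleanup", "Enabled": True, "SubjectContainsWords": ["invoice", "wire transfer"],
         "MoveToFolder": "RSS Feeds", "MarkAsRead": True},
    ],
    "hr@company.com": [
        {"Name": "Archive", "Enabled": True, "ForwardTo": ["archive@company.com"]},
        {"Name": "Old forward", "Enabled": False, "ForwardTo": ["x@external.example"]},
    ],
}

if __name__ == "__main__":
    for line in audit_mailboxes(SAMPLE_EXPORT):
        print("ALERT", line)
```

Run this on a periodic export of all mailboxes, not just on a mailbox you already suspect; the rule named `.` in the sample is typical of what turns up on a real compromised account, because a one-character name is easy to overlook in a rule list.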
Signs of a BEC Scam
- Email domain slightly altered (@compnay.com instead of @company.com).
- Unexpected financial requests, especially with urgency.
- Poor grammar, unusual tone, or requests that are out of character.
- Changes in bank account details for vendors or partners.
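The first sign in the list, a slightly altered domain, can be checked mechanically rather than by eye. Below is an added example (not code from the original article) that classifies a sender address against a list of trusted domains, catching the `company.co` swap mentioned earlier, the `compnay.com` transposition above, and look-alike character tricks such as `rn` for `m`. `TRUSTED_DOMAINS`, the homoglyph table, and the sample addresses are all assumptions constructed for the example.

```python
"""Flag sender domains that imitate a trusted domain: different TLD, typo, or
look-alike characters.  Added example; TRUSTED_DOMAINS is an assumption and the
sample addresses are constructed."""

TRUSTED_DOMAINS = sorted({"company.com", "supplier-example.com"})  # assumption

# Character sequences that read like another letter in common fonts.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l"}
MAX_TYPO_DISTANCE = 2  # edits allowed before a base name is treated as a typo-squat


def normalise(label: str) -> str:
    """Lower-case a label and collapse known look-alike sequences."""
    label = label.lower()
    for glyphs, letter in HOMOGLYPHS.items():
        label = label.replace(glyphs, letter)
    return label


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _split(domain: str) -> tuple[str, str]:
    """'company.co' -> ('company', 'co').  Simplified: the last label is taken as the TLD."""
    base, _, tld = domain.rpartition(".")
    return base, tld


def classify_sender(address: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike-tld', 'lookalike-homoglyph', 'lookalike-typo' or 'unknown'."""
    domain = address.rsplit("@", 1)[-1].strip("<> ").lower()
    # Exact match or a subdomain of a trusted domain is genuine.
    if any(domain == t or domain.endswith("." + t) for t in trusted):
        return "trusted"
    base, tld = _split(domain)
    for t in trusted:
        t_base, t_tld = _split(t)
        if base == t_base and tld != t_tld:
            return "lookalike-tld"            # company.co vs company.com
        if base != t_base and normalise(base) == normalise(t_base):
            return "lookalike-homoglyph"      # cornpany.com vs company.com
        if levenshtein(base, t_base) <= MAX_TYPO_DISTANCE:
            return "lookalike-typo"           # compnay.com vs company.com
    return "unknown"


# Constructed sample senders, one per verdict.
SAMPLE_SENDERS = [
    "ceo@company.com",
    "ceo@mail.company.com",
    "ceo@company.co",
    "ceo@compnay.com",
    "ceo@cornpany.com",
    "alice@newsletter.example",
]

if __name__ == "__main__":
    for sender in SAMPLE_SENDERS:
        print(f"{sender:30} {classify_sender(sender)}")
```

Any `lookalike-*` verdict on a message that asks for a payment or a bank-detail change is exactly the case for the call-back policy above. The edit-distance threshold is deliberately small; with very short trusted names (five characters or fewer) it will over-flag, so tune `MAX_TYPO_DISTANCE` per domain.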
Free or Low-Cost Tools for Email Security
| Tool | Function |
| --- | --- |
| HaveIBeenPwned | Check if company emails have been leaked in breaches. |
| DMARC Analyzer (Free tier) | Monitor domain spoofing attempts. |
| Google Workspace Security | Detects forwarding rules and suspicious login locations. |
| Microsoft Defender for Office 365 | Blocks phishing and impersonation emails. |
Final Word: Trust but Verify
Email is one of the most exploited attack surfaces in modern business. While trust is vital in any company, it must be balanced with verification and controls.
A single spoofed email could cost you millions — or worse, your reputation.
Secure your inbox, train your team, and always verify before you comply.