The Explosion of Business Email Compromise (BEC) Scams
The FBI recognizes at least six types of activity as Business
Email Compromise (BEC) fraud. The types differ by who appears
to be the email sender:
1. The CEO directing the CFO to wire money to someone.
suppliers asking that invoice payment be made to a different bank
requesting copies of employee tax information such as W-2 forms in
companies or lawyers redirecting proceeds from sales of homes or
other real estate into a new account.
seeking to have their pay deposited into a new bank account.
6. An employer or
clergyman appealing to the recipient to buy gift cards on their
How often does BEC occur?
BEC fraud is the biggest source of losses reported to the
FBI’s Internet Crime Complaint Center (IC3) and has been for several
IC3 receives complaints from all 50 states and 150
countries, but most come from U.S. victims. Canada’s Competition Bureau
has also warned about BEC fraud. The Canadian Anti-Fraud Centre
collects complaints on this subject. The complaints received may be
only the tip of the iceberg; much of this fraud is not reported.
Anatomy of a Business Email Compromise Fraud
There are essentially three steps to operating a BEC fraud.
1. Fraud gangs need the names of people within an organization, their job function and their email username and password.
2. They must send emails directly to people, impersonating a trusted superior or partner and seeking money.
3. They need a way to obtain money sent by victims.
Each of these is a specialized function, and fraud gangs
may even hire third parties to help them with these efforts.
What can you do to protect your organization from BEC fraud?
All organizations face a serious risk of BEC fraud, and the
fraud gangs are very smart and innovative. They need only succeed in a
small number of their attempts to make this fraud profitable. And
organizations that have not suffered a loss may believe the steps they
have been taking are effective, even though the frauds are evolving and
Some businesses may be concerned that money spent on IT
precautions is simply additional overhead. But BEC fraud prevention is
just as important as door locks, fences and other efforts to protect
However, we can’t rely solely on technology to prevent
phishing emails. We need to learn how to recognize and avoid responding
to them. Fortunately, there are several key steps that are free or cost
very little and that will go a long way in preventing BEC fraud.
What should you do if your organization has lost money to a
· If an organization finds that it has
been a victim of a BEC fraud, it needs to immediately call its bank to stop
the payment and report it to the FBI in the U.S. or the Canadian Anti-Fraud
Centre in Canada. If a report is filed within 48 hours, there is a chance
the money can be recovered.
· Complain to the FBI’s Internet Crime
Complaint Center. IC3 also asks people to report unsuccessful BEC attempts.
Information from attempts may help establish patterns or identify
mule bank accounts.
· Complain to the Canadian Anti-Fraud
Centre: 1-888-495-8501.