Business email compromise (BEC) – also known as email account compromise (EAC) – takes advantage of the fact that so many of us use email to conduct business. In a BEC scam, criminals send an email message that appears to come from a known, trusted source making a legitimate request.
This type of scam remains one of the costliest cybercrimes for businesses of all sizes, and is especially common in investment banking, as fraudsters become more sophisticated and able to circumvent established preventative measures. In 2022, the FBI’s Internet Crime Complaint Center received 21,832 BEC complaints with adjusted losses over $2.7 billion. The FBI also saw a slight increase in the targeting of victims’ investment accounts instead of traditional bank accounts.1
So, why is BEC becoming such a large and looming threat? According to the FBI’s Internet Crime Report, BEC is difficult to detect as it doesn’t use malware or malicious URLs that can be analyzed with standard cyber defenses. It relies on impersonation and social engineering techniques (phishing is often a precursor to a BEC attack) to trick people into interacting with the attacker.
BEC scams are popular because they (1) are simple to execute, (2) don’t require advanced coding skills or complex malware, and (3) are hard to detect with software protections.
According to the FBI, there are five major types of BEC:
A bad actor might leverage some of these tactics to carry out BEC:
While BEC scams are hard to detect, here are some examples of best practices/tips that might help avert an incident:
Technological controls, like firewalls and antivirus software, cannot defend against BEC scams. Of course, these are good basic controls to help prevent cyberattacks. However, you can limit the damage of BEC attacks by following some of the above tips and training employees to spot BEC red flags (e.g., high-level executives asking for unusual information, urgent requests, requests that bypass normal approval channels, and requests that ask individuals not to communicate with others).
If you believe you/your company may have been a victim of a BEC crime, contact your financial institution and your local FBI office.
At U.S. Bank, your privacy and security are our priority. We’re constantly enhancing our systems to keep your data secure and provide seamless technology experiences. Learn more about protecting your organization with our fraud prevention checklist or contact U.S. Bank for help with your fraud prevention plan.