
The Emerging Cyber Risk for Businesses: Business Email Compromise (BEC)

Every day seems to bring news of the latest high-profile cyber threat or attack. And it’s not just the big-name corporations that are at risk for a cyber security issue. Today’s highly sophisticated cyberattacks target all industries and sectors, and can impact organizations from nonprofits, schools and local businesses all the way up to global corporations and government entities. One recent trend in cyberattacks, particularly in the realm of financial fraud, can impact businesses both large and small, and can leave a harmful and lasting impact on these businesses and customers. It’s called business email compromise, or BEC, and is a sophisticated scam that compromises legitimate business email accounts to conduct unauthorized transfers of funds or to request confidential information to be used for identity theft. Cisco’s annual Midyear Cybersecurity Report indicates this trend is on the rise.[1]

BEC by the numbers:

  • $5.3 billion — the estimated amount stolen due to BEC fraud between October 2013 and December 2016
  • 40,000 — the number of organizations in all 50 states and in over 131 countries around the world impacted
  • 2,370% — the percentage increase in identified exposed losses between January 2015 and December 2016[2]

What is BEC?

According to IBM’s X-Force Threat Intelligence Index, BEC is a simple and highly profitable social engineering attack.[3] In most cases, attackers send an email pretending to be a company official, either from a domain similar to the victim’s domain or, in more sophisticated cases, by actually taking over the account of the impersonated executive and mimicking their writing style. The email often comes as an urgent request — for a wire transfer of funds, for payment, for a W-2 form, or for other critical data that attackers use to proliferate the scam through identity theft. The attackers will often use the method most commonly associated with their victim’s normal business practices to avoid raising red flags.

Some common trends and opportunities for BEC scams include:

  • Real estate transactions — requesting fraudulent changes in payment types (check to wire transfer) or a change in payment account
  • Interactions with vendors and suppliers — changing, redirecting or requesting fraudulent payment or invoices
  • W-2 and Personally Identifiable Information (PII) requests — this past tax season, for example, saw a significant uptick in BEC activity as attackers use events like tax-filing deadlines to prompt leaking confidential personal information.

What can businesses do to protect themselves and their customers from this trend?

Here are a few tips from the Internet Crime Complaint Center (IC3), a division of the FBI dedicated to internet crime like cyberattacks:

  • Avoid free web-based email accounts for business matters.
      Establish a company domain name and use it to establish company email accounts.
  • Be suspicious of requests for secrecy or pressure to take action quickly.
  • Beware of sudden changes in business practices.
      If a current business contact suddenly asks to be contacted via their personal email address when all previous official correspondence has been through company email, the request could be fraudulent.
  • Verify and confirm requests for changes in payment location or transfer of funds.
      Use two-factor authentication for requests and use previously known numbers, not the numbers provided in the email request for phone verification.
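
The warning signs described above (a sender domain that is close to the company's own, a switch to a personal or free webmail address, and pressure or secrecy in the request) can be checked mechanically on inbound mail. The following Python is an added example, not part of the original article or the IC3 guidance; the company domain, the webmail list, the keyword list and the 0.85 similarity threshold are all assumptions, and the sample messages are constructed.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"                       # assumption: your own domain
FREE_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com"}  # assumption: short sample list
PRESSURE_WORDS = ("urgent", "confidential", "immediately", "wire transfer", "w-2")

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()

def is_lookalike(domain, trusted=COMPANY_DOMAIN, threshold=0.85):
    """True for a domain that is close to, but not the same as, the trusted one."""
    if not domain or domain == trusted:
        return False
    return SequenceMatcher(None, domain, trusted).ratio() >= threshold

def bec_flags(raw_message):
    """Return the list of BEC warning signs found in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    sender = domain_of(msg["From"])
    reply_to = domain_of(msg["Reply-To"])
    flags = []
    if is_lookalike(sender):
        flags.append("lookalike-domain")
    if FREE_WEBMAIL & {sender, reply_to}:
        flags.append("free-webmail-address")
    if reply_to and reply_to != sender:
        flags.append("reply-to-differs")
    payload = msg.get_payload()
    text = (msg["Subject"] or "") + " " + (payload if isinstance(payload, str) else "")
    if any(word in text.lower() for word in PRESSURE_WORDS):
        flags.append("pressure-language")
    return flags

# Constructed sample messages (not real mail).
SPOOFED = """From: "Pat Lee, CFO" <pat.lee@examp1e-corp.com>
Reply-To: pat.lee.cfo@gmail.com
Subject: Urgent wire transfer

Please keep this confidential and send payment today.
"""
ROUTINE = """From: Sam <sam@example-corp.com>
Subject: Lunch menu

See attached.
"""
```

A message that raises any of these flags is a candidate for the out-of-band verification step in the last tip, not proof of fraud; a request sent from a genuinely compromised executive account would show a clean sender domain.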

A complete list of self-protection strategies is available on the United States Department of Justice website www.justice.gov in the publication titled “Best Practices for Victim Response and Reporting of Cyber Incidents.”

Cyber threats are here to stay as businesses and individuals increasingly rely on the internet and technology in all aspects of their lives. And while the threat is real and increasing, so are the education, resources and tools available to you to help detect and respond to cyber threats. Protecting your business and the sensitive information of your employees, customers and vendors is of critical importance in ensuring the long-term health and success of your business.

[1] Cisco, “2017 Midyear Cybersecurity Report,” July 2017.

[2] Federal Bureau of Investigation – Internet Crime Complaint Center (IC3), “Business E-mail Compromise E-mail Account Compromise The 5 Billion Dollar Scam,” Public Service Announcement, https://www.ic3.gov/media/2017/170504.aspx, May 4, 2017.

[3] IBM Security, “IBM X-Force Threat Intelligence Index 2017,” March 2017.
