Business Email Compromise (BEC) Scams
Business Email Compromise (BEC) scams are among the most costly fraud schemes targeting organizations worldwide. Criminals research a company's hierarchy and communication patterns, then use spoofed, lookalike, or compromised email accounts to impersonate executives, typically the CEO or CFO, and request urgent wire transfers or sensitive information. The FBI's Internet Crime Complaint Center (IC3) recorded more than 21,000 BEC complaints in 2023 with reported losses above $2.9 billion, an average of well over $100,000 per complaint. What makes BEC particularly dangerous is that it exploits legitimate business processes: most organizations process wire transfers routinely, so a fraudulent request looks routine to busy accounting staff. BEC mail typically carries no malicious attachment or link, so filters that look for malware have nothing to catch. Scammers often spend weeks on reconnaissance, monitoring email patterns, financial cycles, and personnel changes before striking, which is why even security-aware employees fall victim.
Common Tactics
- Executive impersonation via spoofed or lookalike email: Scammers register a domain that differs from the real one by only a character or two ('ceo@comapany.com' instead of 'ceo@company.com'), forge the From address of the real domain where it is not protected by DMARC, or compromise a legitimate internal account so that the request genuinely originates from a leadership mailbox.
- Urgent request framing with fabricated scenarios: Criminals pressure employees by claiming the wire transfer is needed for a confidential acquisition, emergency vendor payment, legal settlement, or time-sensitive business opportunity that cannot be discussed with other staff because of confidentiality or competitive concerns.
- Reconnaissance and research: Before launching the attack, scammers spend weeks or months studying the target company's organizational structure, financial processes, employee names, and recent news so that the request aligns with normal business activity and references realistic scenarios.
- Request for wire transfer to unexpected accounts: The scammer directs the employee to send funds to a bank account that differs from the vendor's normal account, claiming the vendor temporarily changed banks, the parent company has a new payment portal, or the funds should go to an escrow account held by a law firm.
- Suppression of verification attempts: When questioned, the fake executive claims to be in back-to-back meetings, traveling internationally, dealing with a personal emergency, or unable to discuss details over email, deliberately preventing the employee from calling to verify the request through normal channels.
- Follow-up urgency and distraction tactics: Scammers send follow-up emails claiming the deal is falling apart, competitors are ready to acquire the target, or the vendor will work with another company unless payment is made immediately, maintaining pressure and preventing reflection.
How to Identify
- Unexpected wire transfer request from company leadership claiming urgency or confidentiality: Legitimate executives rarely use email to request urgent wire transfers without follow-up verbal confirmation or established procurement procedures, especially for unusual payment destinations.
- Email address that is similar but not identical to known executive addresses: Examine the full email address carefully—scammers often change one letter or use a similar domain name that appears legitimate at first glance but differs from the company's known domain.
- Request to send funds to an account different from the vendor's established payment history: If a regular vendor suddenly asks for payment to a new bank account, especially an international account, this is a major red flag that should trigger independent verification.
- Pressure to bypass normal approval procedures or keep the request confidential: Legitimate business transactions follow established authorization workflows; requests to circumvent these controls or hide the transaction from other executives indicate fraudulent intent.
- Vague language about the reason for transfer combined with refusal to discuss details: Scammers provide minimal specifics about the purpose of the transfer and refuse to elaborate, citing confidentiality, while legitimate business requests typically include detailed purchase orders, invoices, or contracts.
- Inconsistent communication style or grammar errors in emails from executives: If emails from a company executive contain unusual phrasing, grammatical errors, or a tone that differs from their normal communication style, this may indicate a compromised or spoofed account.
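Most of the indicators above can be checked mechanically before a message reaches an accounts-payable inbox. The Python script below is an added example, not tooling from the original page: it parses a raw message, trusts only the Authentication-Results header stamped by our own gateway, flags lookalike domains by edit distance after undoing common character swaps, flags an executive's display name paired with the wrong address, flags Reply-To diversion, and counts pressure cues in the subject and body. The domain, gateway name, executive list and the three sample messages are constructed for the example and are not real deployments or real mail.

```python
import email
import re
from email.utils import parseaddr

# Placeholders for this example: our domain, the authserv-id our gateway stamps
# into Authentication-Results, and executives likely to be impersonated.
INTERNAL_DOMAINS = {"company.com"}
AUTHSERV_ID = "mx.company.com"
EXECUTIVES = {"jane doe": "jane.doe@company.com", "john roe": "john.roe@company.com"}
# Character swaps that make a registered lookalike read like the real domain.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))
# Cues from the tactics list: urgency, secrecy, new bank details, unreachable boss.
PRESSURE_PATTERNS = [
    r"\burgent(ly)?\b", r"\bconfidential\b", r"\bwire\b",
    r"\bnew (bank|account|payment) (details|account|portal)\b|\bchanged banks\b",
    r"\b(cannot|can't) (take|discuss|talk)\b|\bback[- ]to[- ]back\b|\btravell?ing\b",
    r"\bkeep this (between|quiet)\b|\bdo not (tell|notify|discuss|mention)\b",
]

def normalize(domain):
    d = domain.lower()
    for bad, good in HOMOGLYPHS:
        d = d.replace(bad, good)
    return d

def levenshtein(a, b):
    """Edit distance; domains are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    """Return the internal domain that an external domain imitates, or None."""
    for internal in INTERNAL_DOMAINS:
        budget = 2 if len(internal) > 12 else 1  # short names get a tighter budget
        if levenshtein(normalize(domain), normalize(internal)) <= budget:
            return internal
    return None

def auth_results(msg):
    """SPF/DKIM/DMARC verdicts from the header OUR gateway stamped. A sender can
    add an Authentication-Results header, so other authserv-ids are ignored."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        authserv, _, rest = hdr.partition(";")
        if authserv.strip().lower() == AUTHSERV_ID:
            for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest, re.I):
                verdicts[method.lower()] = result.lower()
    return verdicts

def triage(raw):
    """Return a list of (code, detail) findings for one raw RFC 822 message."""
    msg = email.message_from_string(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    if from_domain in INTERNAL_DOMAINS:
        if auth_results(msg).get("dmarc") != "pass":  # exact-domain spoof
            findings.append(("dmarc_fail_internal", f"{addr} did not pass DMARC"))
    elif (target := lookalike_of(from_domain)):
        # SPF/DKIM/DMARC may all pass here: the attacker owns the lookalike domain.
        findings.append(("lookalike_domain", f"{from_domain} imitates {target}"))
    key = " ".join(re.sub(r"[^a-z ]", "", name.lower()).split())
    if key in EXECUTIVES and addr.lower() != EXECUTIVES[key]:
        findings.append(("exec_display_name_mismatch", f"'{name}' sent from {addr}"))
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append(("reply_to_mismatch", f"replies are routed to {reply_domain}"))
    text = msg.get("Subject", "") + "\n" + (msg.get_payload() if not msg.is_multipart() else "")
    hits = [p for p in PRESSURE_PATTERNS if re.search(p, text, re.I)]
    if len(hits) >= 2:
        findings.append(("pressure_language", f"{len(hits)} pressure cues"))
    return findings

# Constructed sample messages, not real mail.
SAMPLE_LOOKALIKE = """\
Authentication-Results: mx.company.com; spf=pass smtp.mailfrom=comapany.com; dkim=none; dmarc=none
From: "Jane Doe" <jane.doe@comapany.com>
Reply-To: jane.doe.ceo@webmail.example
Subject: Urgent wire - confidential

Back-to-back meetings today, cannot take calls. We close a confidential acquisition
today: wire $87,000 to the escrow account using the new bank details below and keep this between us.
"""
SAMPLE_SPOOFED = """\
Authentication-Results: attacker.example; dmarc=pass
Authentication-Results: mx.company.com; spf=fail smtp.mailfrom=company.com; dkim=none; dmarc=fail
From: "Jane Doe" <jane.doe@company.com>

I need you to wire $25,000 to the account in the attached instructions. Urgent.
"""
SAMPLE_LEGIT = """\
Authentication-Results: mx.company.com; spf=pass smtp.mailfrom=company.com; dkim=pass; dmarc=pass
From: "Jane Doe" <jane.doe@company.com>

Please process the attached invoice against PO 4471 through the normal approval flow.
"""
```

Two design points matter in practice. The lookalike sample passes SPF because the attacker controls comapany.com, so an authentication pass on a foreign domain proves nothing; only the name-similarity check catches it. The spoofed sample carries a forged Authentication-Results header claiming dmarc=pass; it is ignored because its authserv-id is not our gateway's, and the real verdict is a fail. Thresholds such as the edit budget and the two-cue minimum are tuning knobs, not constants to ship.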
How to Protect Yourself
- Establish a wire transfer verification protocol requiring voice confirmation: Before processing any wire transfer request, require that employees call the requestor using a phone number from the company's internal directory (not a number provided in the email) to verbally confirm the request, amount, and payment destination.
- Implement multi-factor approval for wire transfers above a threshold amount: Require that wire transfer requests above a specified dollar amount ($10,000, $25,000, or higher depending on company size) be approved by at least two authorized personnel, with verification conducted independently by each approver.
- Use email authentication technologies: Publish SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) records for your own domains, move the DMARC policy to p=reject once the aggregate reports show legitimate mail is aligned, and have your inbound gateway enforce DMARC so exact-domain spoofs of your executives are dropped. Know the limits: these protocols protect only your own domain. A lookalike domain the attacker registered passes SPF and DKIM for that domain, and a compromised internal account sends fully authenticated mail, so they complement rather than replace the voice-verification procedures above. Tag external mail with a visible banner so staff can see at a glance when an 'executive' is writing from outside the company.
- Conduct regular training on BEC tactics for finance, accounting, and executive staff: Provide annual or semi-annual security awareness training that includes real examples of BEC scams, instruction on verification procedures, and simulation exercises where employees practice identifying suspicious requests.
- Maintain a current list of authorized payment destinations and verify all changes through secondary channels: Keep a documented list of all regular vendors and their authorized bank account information, and require that any changes to payment destination be verified directly with the vendor using a known phone number before processing.
- Monitor for domain spoofing and set up email alerts for suspicious activity: Use email security tools that flag emails from external addresses that closely resemble internal addresses, and configure alerts for unusual wire transfer activity, such as transfers to new beneficiaries or international destinations not typical for your company.
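The verification protocol, dual-approval threshold and vendor-master controls above can be encoded as a release check so that a wire cannot leave the bank until every condition is met. The Python below is an added example, not a process from the page or from any real payment system; the threshold, vendor master, phone directory and the four sample requests are constructed. The first request mirrors the manufacturing-company example in the next section: an unknown "law firm" beneficiary, the clerk approving her own entry, and a second approver calling back on the number given in the email rather than the directory number.

```python
from dataclasses import dataclass, field, replace
from typing import Optional

DUAL_APPROVAL_THRESHOLD = 10_000  # assumption; the page suggests $10k-$25k or higher

# Constructed vendor master (account on file plus the contact to call about
# changes) and internal phone directory. The directory is the ONLY source of
# callback numbers; a number supplied in an email is never used.
VENDOR_MASTER = {"Acme Tooling": {"account": "GB29NWBK60161331926819", "contact": "acme.ar"}}
DIRECTORY = {"jane.doe": "+1-555-0100", "acme.ar": "+1-555-0200"}

@dataclass
class Callback:
    """One verification call: who was reached and which number was dialled."""
    target: str
    number: str

@dataclass
class Approval:
    approver: str
    callback: Callback  # every approver verifies independently

@dataclass
class WireRequest:
    entered_by: str      # AP user who keyed the payment
    requested_by: str    # person the email claims made the request
    vendor: str
    account: str
    amount: int
    approvals: list = field(default_factory=list)
    account_change_callback: Optional[Callback] = None  # vendor confirmation of a new account

def confirmed_via_directory(cb, expected_target):
    """True only if the call reached the expected person at their directory number."""
    return cb is not None and cb.target == expected_target and DIRECTORY.get(cb.target) == cb.number

def evaluate(req):
    """Return ('RELEASE', []) or ('HOLD', [reason, ...])."""
    reasons = []
    known = VENDOR_MASTER.get(req.vendor)
    if known is None:
        reasons.append(f"vendor '{req.vendor}' not in master file")
    elif req.account != known["account"]:
        if not confirmed_via_directory(req.account_change_callback, known["contact"]):
            reasons.append("beneficiary differs from vendor master and change not confirmed with vendor at directory number")
    required = 2 if req.amount >= DUAL_APPROVAL_THRESHOLD else 1
    valid = set()
    for ap in req.approvals:
        if ap.approver == req.entered_by:
            reasons.append(f"{ap.approver} cannot approve a payment they entered")
        elif not confirmed_via_directory(ap.callback, req.requested_by):
            reasons.append(f"{ap.approver} did not confirm with {req.requested_by} at a directory number")
        else:
            valid.add(ap.approver)  # a set: the same approver twice counts once
    if len(valid) < required:
        reasons.append(f"{len(valid)} valid approval(s), {required} required for ${req.amount:,}")
    return ("RELEASE" if not reasons else "HOLD", reasons)

# Constructed requests (see the lead-in for what each one models).
FRAUD = WireRequest("ap.clerk", "jane.doe", "Smith & Co Escrow", "DE89370400440532013000", 87_000,
                    approvals=[Approval("ap.clerk", Callback("jane.doe", "+1-555-0199")),
                               Approval("bob.lee", Callback("jane.doe", "+1-555-0199"))])
LEGIT = WireRequest("ap.clerk", "jane.doe", "Acme Tooling", "GB29NWBK60161331926819", 45_000,
                    approvals=[Approval("bob.lee", Callback("jane.doe", "+1-555-0100")),
                               Approval("mia.chen", Callback("jane.doe", "+1-555-0100"))])
# Account change for a known vendor, confirmed with the vendor's directory contact.
CHANGED_OK = replace(LEGIT, account="GB82WEST12345698765432", amount=5_000,
                     approvals=LEGIT.approvals[:1],
                     account_change_callback=Callback("acme.ar", "+1-555-0200"))
# The same change "confirmed" on a number that is not in the directory.
CHANGED_BAD = replace(CHANGED_OK, account_change_callback=Callback("acme.ar", "+1-555-0299"))

if __name__ == "__main__":
    for label, req in (("fraud", FRAUD), ("legit", LEGIT), ("changed_ok", CHANGED_OK), ("changed_bad", CHANGED_BAD)):
        print(label, evaluate(req))
```

The check deliberately records which number each approver dialled and compares it with the directory entry, which is what turns the "call the requestor" rule into something auditable: an approval backed by a number copied from the email fails even when the approver believes they spoke to the executive. Approvers are collected in a set so that one person approving twice cannot satisfy a two-person threshold.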
Real-World Examples
A mid-sized manufacturing company's accounting manager received an email from what appeared to be the CEO requesting an urgent wire transfer of $87,000 to a law firm for a confidential acquisition closing that day. The message appeared to come from 'ceo@manufacturingcorp.com' but was actually sent from 'ceo@manufacturingcorps.com', a lookalike domain with an extra 's'; under time pressure, the manager processed the transfer without calling to verify. When the CEO's actual assistant followed up about the wire transfer the next morning, the fraud was discovered, but the funds had already been moved through intermediary accounts in Eastern Europe and were unrecoverable.
An accounts payable employee at a healthcare services company received an email from the CFO requesting immediate payment of $143,000 to a new vendor for IT infrastructure upgrades. The email emphasized that the deal was closing that day and could not be discussed with other staff due to confidentiality. The employee processed the wire to the provided account but later discovered that no legitimate IT project existed and the CFO's email had been compromised through a phishing attack. The scammer had spent two weeks monitoring the company's email communications to identify payment patterns and key personnel.
A financial services firm's controller received multiple emails over three days from what appeared to be the CEO requesting wire transfers totaling $287,000 for an emergency vendor payment and legal settlement. Each email included specific internal references and terminology that suggested legitimate knowledge of company operations. The controller grew suspicious when a follow-up request arrived from the 'CEO' asking that the transaction be completed 'quietly' without notifying the CFO. Investigation revealed the attacker had compromised a junior marketing employee's email account and used it to study the company's internal communications for two weeks before launching the attack.