Securing Our Communities: Business Email Compromise

Each week, the NTIC Cyber Center highlights a different social engineering scam impacting individuals and communities within the National Capital Region. We encourage everyone to share this information with friends, colleagues, and loved ones to help reduce their risk of becoming a victim of financial fraud and identity theft.

Business Email Compromise (BEC) – also known as a CEO scam or whaling – is a type of phishing scheme in which the perpetrator conducts online reconnaissance against a target organization and then uses various social engineering techniques to try to convince employees within that organization to divulge sensitive personal or financial information. This scheme succeeds when the perpetrators can elicit an emotional response from their targets that overrides logic and any security procedures the organization already has in place.

Oftentimes, the perpetrator will masquerade as a high-ranking executive within an organization, either through email or over the phone, in the hope that lower-level employees will be too afraid to question the request being made. These schemes also create a sense of urgency to try to prevent victims from taking the time to verify the legitimacy of the request.

The NTIC Cyber Center encourages the public to recognize and understand how these scams work to reduce the risk of becoming a victim. The following are the five most common types of BEC scams:

  • Invoice Scheme: The perpetrator poses as a legitimate vendor or supplier that has an established business relationship with the targeted organization and then sends fraudulent invoices that instruct victims to make payments to an unauthorized account.

  • CEO Fraud: The perpetrator poses as a high-level executive within an organization, such as a CEO or CFO, to convince an employee to transfer money into an unauthorized account, usually creating a sense of urgency to convince victims to forgo standard security or verification procedures.

  • Account Compromise: The perpetrator gains unauthorized access to employee email accounts and uses them to request fraudulent payments from vendors saved as contacts within the accounts. This method can also be used to intercept legitimate communication between two parties to divert funds and collect sensitive information.

  • Attorney Impersonation: The perpetrator masquerades as an organization’s attorney to divert funds from the organization or access confidential information.

  • Data Theft: The perpetrator attempts to obtain employees’ sensitive personal information or tax data for malicious use by posing as a member of an organization’s human resources department or a manager.

BEC scams can cripple businesses by damaging brand reputation, customer trust, and profits, and can cause financial hardship for victimized employees. Latest estimates show a global loss of $12.5 billion since 2018, with yearly attempts on the rise. Perpetrators primarily target human resources and accounting departments within organizations, as well as the real estate sector. To reduce the risk of you or your organization becoming victimized by a BEC scam, familiarize yourself with the following prevention and mitigation strategies:

  • Be wary of emails that request an immediate wire transfer of funds. Use an alternate method of communication to contact the sender, such as by phone or via an in-person meeting, to verify legitimacy if you suspect that an email request is fraudulent.

  • Improve awareness of these types of campaigns among personnel and update your organization’s policies and procedures to ensure that sensitive personal and financial information is not readily shared without proper authorization.

  • Implement a policy requiring a minimum of three people to approve large financial transactions and any changes made to funding and payment methods.

  • Enable multifactor authentication on business email accounts and monitor accounts for suspicious activity.
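The indicators described above (an executive's name on an outside sender, replies steered to a different address, urgent wire-transfer language) can be screened for automatically before a request reaches accounting. The following Python example is added here and is not NTIC material; the internal domain, executive names, and the sample message are constructed assumptions.

```python
"""Heuristic BEC screening over a constructed inbound message (added example,
not NTIC material). Flags the indicators the bulletin describes: an executive
display name arriving from an outside domain, a Reply-To that differs from
From, and urgent wire-transfer or payment-change language."""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example-org.test"              # assumed internal domain
EXECUTIVES = {"pat morgan", "jordan lee"}    # assumed executive display names
URGENCY = re.compile(r"\b(urgent|immediately|asap|right away|today)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|invoice|bank account|routing|w-?2)\b", re.I)

def bec_indicators(raw_message: str) -> list[str]:
    """Return the list of BEC indicators found in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    found = []
    # Executive name on an external sender: CEO-fraud display-name spoofing.
    if from_name.strip().lower() in EXECUTIVES and from_domain != ORG_DOMAIN:
        found.append("executive display name from external domain")
    # Reply-To steering replies away from the apparent sender.
    if reply_addr and reply_addr.lower() != from_addr.lower():
        found.append("reply-to differs from sender")
    if URGENCY.search(text):
        found.append("urgency language")
    if PAYMENT.search(text):
        found.append("payment or wire-transfer request")
    return found

def needs_out_of_band_verification(raw_message: str) -> bool:
    """Two or more indicators: hold the request and verify by phone or in person."""
    return len(bec_indicators(raw_message)) >= 2

# Constructed sample in the CEO-fraud style; not a real email.
SAMPLE = """From: Pat Morgan <pat.morgan@mail-relay.test>
Reply-To: pm.office@freemail.test
To: accounts@example-org.test
Subject: Urgent wire transfer needed today

Please process a wire transfer to the new vendor account immediately.
I am in a meeting and cannot take calls.
"""

if __name__ == "__main__":
    for hit in bec_indicators(SAMPLE):
        print("-", hit)
```

A hit on this screen is a reason to pick up the phone, not a verdict; legitimate mail from executives travelling on personal devices will trip the display-name rule and should be verified the same way.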

If you suspect that you have fallen victim to a BEC scam, report the incident immediately to your local police department, the FBI, the US Secret Service, and the IRS. Taking swift action immediately after an incident can increase the likelihood of retrieving stolen funds and thwarting attackers’ attempts to perpetuate the scam throughout your organization.

The NTIC is governed by a privacy, civil rights, and civil liberties protection policy to promote conduct that complies with applicable federal, state, and local laws. The NTIC does not seek or retain any information about individuals or organizations solely on the basis of their religious, political or social views or activities; their participation in a particular noncriminal organization or lawful event; or their race, ethnicities, citizenships, places of origin, ages, disabilities, genders, or sexual orientations. No information is gathered or collected by the NTIC in violation of federal or state laws or regulations.