Business Email Compromise

BEC Scams: A Growing Threat to Business Security

Business Email Compromise (BEC) scams have become an increasingly common threat to businesses worldwide. These scams involve cybercriminals posing as a company executive or vendor and requesting payments or sensitive information from employees. This blog post will explore the growing threat of BEC scams, what they are, and how IT security and risk management professionals can protect their businesses against them.

What is a BEC Scam?

A BEC scam is a cybercrime in which bad actors use stolen credentials to defraud businesses. This attack typically targets individuals with access to sensitive financial information, such as CFOs or accountants, and can cause significant damage to the victimized companies.

BEC scams are a costly problem for businesses worldwide. Between 2016 and 2019, global losses due to these types of attacks exceeded $26 billion.

BEC scams often begin with credential compromise through phishing email messages or malware-infected attachments. Once possessing valid login credentials, attackers can impersonate company executives via email and request fraudulent wire transfers or gift card purchases. Businesses must be vigilant in training staff on cybersecurity best practices and implementing multi-factor authentication measures to prevent BEC scams from occurring.


BEC, or Business Email Compromise, is a type of cybercrime that can result in serious financial damage to businesses. Also known as CEO fraud or whaling, it involves bad actors impersonating high-level executives to manipulate employees into making unauthorized wire transfers or revealing sensitive information. This often involves credential compromise and sophisticated social engineering tactics. BEC scams are on the rise and have become a growing threat to business security worldwide.

Types of BEC Scams

Fake invoice scams, data theft scams, and attorney impersonation scams are some of the most common types of BEC (Business Email Compromise) frauds orchestrated by bad actors. These cybercriminals employ different tactics to defraud companies and cause damage through credential compromise or data breaches.

  • Fake Invoice Scams: Scammers send fake invoices posing as trusted vendors and request payment to a fraudulent account.
  • Data Theft Scams: Scammers pose as an executive and request confidential information from an employee, such as login credentials or financial data.
  • Attorney Impersonation Scams: Scammers pretend to be lawyers representing the company in a legal matter and demand payment for settlement fees.

These schemes rely on social engineering techniques that trick victims into believing they are communicating with someone legitimate. As BEC continues to evolve, it is crucial for IT security and risk management professionals to stay informed about these types of attacks so that they can take preventive measures against them.

How BEC Scams Work

BEC scams are a pervasive and growing threat to business security. Bad actors use publicly available information, such as social media profiles, to select their targets. They then send an email from a spoofed address that appears legitimate and often demands urgent action by the recipient (e.g., wiring funds immediately). If successful, the money is wired directly into the criminal’s account. Credential compromise can also occur during this process, leading to further damage and fraud for businesses.

Cybercrime has become increasingly sophisticated over time, making it essential for IT security and risk management professionals to stay informed about emerging threats like BEC scams. Taking proactive measures such as employee education on how to recognize these types of attacks can help prevent significant financial losses and damage to a company’s reputation.

The Growing Threat of BEC Scams

BEC scams are becoming an increasingly serious threat to businesses worldwide. These scams involve the use of fraudulent emails that appear to come from trusted sources such as company executives or vendors in order to trick employees into transferring money or sensitive information. The consequences can be devastating; companies may lose millions of dollars and suffer reputational damage.

One reason BEC scams are so dangerous is their sophistication. Attackers take the time to research targets and create convincing emails that appear legitimate at first glance. This makes it difficult for even savvy employees to identify a scam before it’s too late. As a result, IT security and risk management professionals must remain vigilant against this growing threat by implementing comprehensive cybersecurity measures like two-factor authentication and employee training programs on how to recognize potential BEC scams.

Statistics and Examples

In the US alone, there were over 23,000 reported BEC incidents in 2020, on top of the global losses noted above. These statistics highlight the need for increased awareness and vigilance when it comes to protecting sensitive information from cybercriminals.

Examples of high-profile BEC scams serve as cautionary tales for organizations that may be vulnerable to attack. The Ubiquiti Networks incident is one such example where attackers stole $46 million by impersonating executives and requesting wire transfers from employees. It’s clear that no company is immune to this threat, making it crucial for businesses of all sizes to take proactive measures against BEC scams before they strike.

Why BEC Scams are a Growing Threat

Sophisticated social engineering tactics used by scammers are one reason why BEC scams are becoming a growing threat to business security. Attackers use various techniques such as spoofing and impersonation to make their emails appear legitimate, tricking employees into sharing sensitive information or making fraudulent wire transfers. This type of attack is particularly dangerous because it targets human vulnerabilities, which can be difficult to mitigate with technical controls alone.

In addition, the increasing use of cloud-based email services that can be easily compromised has contributed to the rise in BEC scams. These services have simplified access for attackers who can compromise employee accounts without being noticed. This highlights the importance of implementing additional security measures such as multi-factor authentication and monitoring systems that detect suspicious activity.

Lastly, lack of employee awareness about these types of attacks makes them more vulnerable targets for BEC scammers. Businesses need to prioritize cybersecurity training programs that educate employees on how to recognize and respond appropriately to phishing attempts and other types of social engineering attacks. By raising awareness among staff members about the risks involved in these types of scams, businesses can significantly reduce their risk exposure from this growing threat.

How to Protect Your Business from BEC Scams

To protect your business from BEC scams, it is crucial to invest in employee education and training. Educate employees on how to identify suspicious emails and verify requests for sensitive information. Provide regular security awareness training to keep them updated about the latest threats and best practices.

In addition to education, technology solutions such as email filters and two-factor authentication can also help prevent BEC scams. Implementing these solutions can add an extra layer of protection by detecting fraudulent emails or requiring additional verification before granting access to confidential data.

Employee Education and Training

To prevent BEC scams from infiltrating businesses, employee education and training are key. One of the most important lessons is identifying suspicious emails. Employees should be trained to recognize red flags like unfamiliar senders, odd subject lines or requests for sensitive information. Another crucial step is verifying payment requests with known contacts – especially those that involve large sums of money – by phone or in person before proceeding with any transactions. Finally, all employees should be encouraged to report any suspected BEC scams to their IT department immediately so that appropriate measures can be taken to protect the company’s assets and reputation.

Technology Solutions

Technology solutions are crucial in preventing BEC scams from happening. Implementing anti-phishing software is one effective way to protect email accounts against phishing attempts that can lead to BEC attacks. Two-factor authentication for email accounts adds an extra layer of security, making it harder for cybercriminals to gain unauthorized access.

Monitoring network traffic for unusual activity is another essential measure that IT security professionals should take into consideration. By keeping a close eye on suspicious activities within the company’s network, malicious actions can be detected and prevented before they cause any damage.

  • Implement anti-phishing software
  • Use two-factor authentication for email accounts
  • Monitor network traffic for unusual activity
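The red flags described under "How BEC Scams Work" (spoofed or lookalike sender addresses, urgent payment demands) and the anti-phishing filtering listed above can be expressed as a simple scoring rule. The following is an added example, not Bolster's code or any product's logic; the domain, executive name, keyword lists, weights and sample messages are all constructed for illustration, and the DMARC check assumes a mail gateway that stamps an Authentication-Results header.

```python
from dataclasses import dataclass, field
from email.utils import parseaddr

# Constructed reference data (hypothetical, not a real organisation):
# the organisation's own domain and the executives attackers like to impersonate.
OUR_DOMAIN = "example.com"
KNOWN_EXECUTIVES = {"Pat Lee": "pat.lee@example.com"}

URGENCY_WORDS = ("urgent", "immediately", "asap", "today", "right away", "confidential")
PAYMENT_WORDS = ("wire", "transfer", "invoice", "gift card", "bank details", "payment")


@dataclass
class Finding:
    score: int = 0
    reasons: list = field(default_factory=list)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one-character domain near-misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain: str, trusted: str) -> bool:
    """True if `domain` is a near miss of `trusted`: a common homoglyph swap
    (rn->m, 1->l, 0->o) or a single inserted/deleted/substituted character."""
    if domain == trusted:
        return False
    homoglyph_fixed = domain.replace("rn", "m").replace("1", "l").replace("0", "o")
    return homoglyph_fixed == trusted or edit_distance(domain, trusted) == 1


def score_message(headers: dict, body: str) -> Finding:
    """Score one message for the BEC red flags the post describes."""
    f = Finding()
    name, addr = parseaddr(headers.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""

    # 1. Display name of a known executive paired with an address that is not theirs.
    if name in KNOWN_EXECUTIVES and addr != KNOWN_EXECUTIVES[name]:
        f.score += 3
        f.reasons.append("display-name spoof of a known executive")
    # 2. Sender domain is a lookalike of our own.
    if domain and lookalike_domain(domain, OUR_DOMAIN):
        f.score += 3
        f.reasons.append(f"lookalike domain {domain}")
    # 3. Replies silently redirected elsewhere.
    _, reply_to = parseaddr(headers.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        f.score += 2
        f.reasons.append("Reply-To differs from From")
    # 4. Mail gateway did not record a DMARC pass for this message.
    if "dmarc=pass" not in headers.get("Authentication-Results", "").lower():
        f.score += 1
        f.reasons.append("no DMARC pass in Authentication-Results")
    # 5. Urgency pressure and payment/credential requests in the body.
    text = body.lower()
    if any(w in text for w in URGENCY_WORDS):
        f.score += 1
        f.reasons.append("urgency language")
    if any(w in text for w in PAYMENT_WORDS):
        f.score += 1
        f.reasons.append("payment or credential request")
    return f


def is_suspicious(finding: Finding, threshold: int = 5) -> bool:
    """Route the message to review once enough independent signals stack up."""
    return finding.score >= threshold


# Constructed sample messages (not real mail).
SUSPICIOUS_HEADERS = {
    "From": '"Pat Lee" <pat.lee@examp1e.com>',
    "Reply-To": "pat.lee.ceo@mail.invalid",
}
SUSPICIOUS_BODY = ("Please wire $48,000 to the account below today and keep this "
                   "confidential until I am back from the conference.")

BENIGN_HEADERS = {
    "From": '"Pat Lee" <pat.lee@example.com>',
    "Authentication-Results": "mx.example.com; spf=pass; dkim=pass; dmarc=pass",
}
BENIGN_BODY = "Team lunch is on Thursday at noon, see you there."

if __name__ == "__main__":
    for h, b in ((SUSPICIOUS_HEADERS, SUSPICIOUS_BODY), (BENIGN_HEADERS, BENIGN_BODY)):
        result = score_message(h, b)
        print(result.score, is_suspicious(result), result.reasons)
```

No single signal is decisive on its own (a legitimate executive may well write "urgent"); the point of the score is that a display-name spoof, a lookalike domain and a redirected Reply-To rarely occur together in genuine mail, so a message that trips several of them deserves a phone call before anyone acts on it.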

Establishing Protocols and Procedures

Large financial transactions require careful consideration and attention to detail. To ensure that these transactions are legitimate, it is important to establish a protocol requiring multiple levels of approval for such transfers. This process can help reduce the risk of fraudulent activity and protect your company’s financial resources.

In addition, creating a system to verify new vendor information before sending payments is crucial in preventing Business Email Compromise (BEC) scams. By regularly reviewing and updating security policies, you can stay one step ahead of scammers who seek vulnerabilities in your business operations. These protocols and procedures should be an integral part of your overall IT security strategy, helping safeguard your organization from the growing threat posed by BEC scams.
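The approval and vendor-verification protocol above can be enforced in code rather than left to memory. The following is an added example, not Bolster's code or a description of any real finance system; the approval threshold, the 30-day verification window, the vendor records and the requests are all assumed values chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed policy values (hypothetical; take them from your own finance policy).
DUAL_APPROVAL_THRESHOLD = 10_000          # at or above this amount two approvers are needed
VERIFICATION_WINDOW = timedelta(days=30)  # recent bank-detail changes need a callback first


@dataclass(frozen=True)
class Vendor:
    name: str
    bank_account: str
    account_changed_on: Optional[date]   # when bank details last changed, if ever
    change_verified_by_callback: bool    # confirmed by phoning the number already on file


@dataclass(frozen=True)
class TransferRequest:
    requester: str
    vendor: str
    bank_account: str      # account the payer is asked to send to
    amount: float
    approvers: tuple       # user ids who approved the transfer


def review_transfer(req: TransferRequest, vendors: dict, today: date) -> list:
    """Return the policy violations for a transfer; an empty list means it may proceed."""
    problems = []
    vendor = vendors.get(req.vendor)
    if vendor is None:
        return ["unknown vendor: onboard and verify before paying"]

    # Pay only the account on the vendor record, never one quoted in an email.
    if req.bank_account != vendor.bank_account:
        problems.append("bank account differs from the vendor record")

    # A recent change to the vendor's bank details must be confirmed out of band.
    if (vendor.account_changed_on is not None
            and today - vendor.account_changed_on <= VERIFICATION_WINDOW
            and not vendor.change_verified_by_callback):
        problems.append("recent bank-detail change not verified by callback")

    # Approvers must be distinct people and must not include the requester.
    distinct = {a for a in req.approvers if a != req.requester}
    required = 2 if req.amount >= DUAL_APPROVAL_THRESHOLD else 1
    if len(distinct) < required:
        problems.append(f"{required} approver(s) other than the requester required")
    return problems


# Constructed sample data (hypothetical vendor records and requests).
VENDORS = {
    "Acme Supplies": Vendor("Acme Supplies", "GB00BANK00000001",
                            account_changed_on=date(2023, 6, 1),
                            change_verified_by_callback=False),
    "Widget Co": Vendor("Widget Co", "GB00BANK00000002",
                        account_changed_on=None,
                        change_verified_by_callback=True),
}
TODAY = date(2023, 6, 4)

# A large payment to a vendor whose bank details changed three days ago, and
# whose "second" approval is really the requester approving their own request.
RISKY = TransferRequest("dana", "Acme Supplies", "GB00BANK00000001", 48_000, ("dana", "bob"))
# Same amount, unchanged vendor record, two independent approvers.
CLEAN = TransferRequest("dana", "Widget Co", "GB00BANK00000002", 48_000, ("bob", "carol"))

if __name__ == "__main__":
    for r in (RISKY, CLEAN):
        print(r.vendor, review_transfer(r, VENDORS, TODAY))
```

The two checks that matter most for BEC are the ones an email cannot satisfy: the destination account has to match the vendor record that was verified at onboarding, and any change to that record must have been confirmed by calling a number already on file, not one supplied in the change request.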

How Bolster Can Help

Bolster’s domain monitoring solutions and other defensive strategies will ensure your company has true domain security. Bolster balances domain acquisition with monitoring to reduce the likelihood of cyberattacks and manage security costs.

Additionally, Bolster will remain proactive and monitor the security threat landscape to keep your domain safeguarded. With Bolster’s help, your brand’s reputation will remain protected.

Request a demo of our domain monitoring software today, or start with a complimentary and customized Domain Risk Report to see what domain risks we detect for your organization.

Also, check out our community tool, CheckPhish.