Business Email Compromise

Business Email Compromise (BEC) Scams are a type of email fraud where an employee is tricked into transferring money or sensitive information to an attacker impersonating someone else.


What are BEC Scams?

In a BEC scam, an attacker will send a fraudulent email to an employee of an organization, impersonating someone that the they should generally trust. For instance, the criminal can pretend to be a boss, colleague, or vendor and ask the recipient to make some changes to banking details, make a wire transfer, or do something else that would ultimately cause harm to the business.

BEC attacks rely on social engineering techniques to trick people. For this reason, they are not as easy to detect as other online crimes that rely on malicious software and URLs.  Additionally, since BEC attacks are highly targeted, investigating and remediating the attacks is difficult and time-consuming.

Learn more in our blog: What are BEC (Business Email Compromise) Scams?

How can businesses protect themselves from BEC attacks?

Organizations should leverage multiple forms of defense against BEC attacks to keep up with the growing and evolving landscape. The top five most effective strategies in combating against BEC scams include:

  1. Tracking Spoofed Domain with MX records
  2. Leveraging URL Sandboxing
  3. Using SPF, DKIM Signatures, and a DMARC Policy
  4. Automating Detection and Takedown of Phishing Sites
  5. Training Your Team on Spotting BEC Scams

Learn more about each strategy in our blog: Best Strategies For Stopping Business Email Compromise (BEC) Scams

How can individuals prevent themselves from falling for a BEC scam?

BEC attacks take advantage of human error as opposed to technological vulnerabilities.  For this reason, individuals should take measures to prevent being tricked into falling for one of these scams.

1. Double check URLs

Whenever you receive a questionable email, double-check the URL to ensure it's genuine. If you suspect a URL, try to go directly to the site instead of clicking on the site. If you are unsure, consult your IT department or your managed service provider before acting on the content of the email. You should also refrain from opening attachments forwarded to you over email if you suspect the email is not authentic.

2. Don’t share private information through email
Most emails that request log-in information are fraudulent. Scammers try to appear like someone you know from work or your line of business, to try to convince you to share sensitive information they can use to their advantage.
If you receive an email asking you to share login details or transfer funds, call the person that is supposedly sending the email, or have a face-to-face meeting with them to confirm their request before acting on the information.

3. Use two-factor authentication
Multi-factor authentication adds a layer of protection for your accounts and devices, making it more difficult for a fraudster to gain access. For instance, using biometric authentication in addition to passwords makes it difficult for a criminal to gain access to your devices or accounts even if they manage to get the passwords through social engineering.

4. Review your financial accounts regularly
Although reviewing your financial accounts will not necessarily help you prevent fraud, it might help you catch fraud early on. If you see anything odd, make sure to follow up immediately and report to the relevant authorities as soon as possible.
Be aware


One of the simple ways organizations can prevent scams like BEC scams is by educating employees/individuals on the steps above.

However, while it is important to educate and implement good email security practices, organizations should also be proactive about taking down potential threats outside their perimeter that might lead to a BEC attack.

See a custom demo of how your organization can implement an automated solution to monitor and take down potential BEC phishing domains.