How to Spot a Business Email Compromise (BEC) Scam

March 2, 2020 | Security

Business email compromise (BEC) scams are on the rise. They target business owners and high-level employees in order to defraud a company, its customers, or its partners. In this type of scam, an attacker will pretend to be a trusted entity by spoofing a company email account. Then, they trick employees into revealing sensitive information or performing wire transfers.

Types of BEC Scams

There are different types of BEC scams. However, all these threats usually target employees with access to company finances, in an attempt to trick them into transferring money or revealing sensitive data. BEC scams include:

  • false invoice schemes (often posing as foreign suppliers)
  • CEO fraud (posing as a CEO or executive)
  • account compromise (attackers hack email accounts and use them to request payments)
  • attorney impersonation (email or phone calls from attackers pretending to be a lawyer or law firm representative)
  • data theft (targeting HR and bookkeeping employees to gain sensitive information about employees)

What can you do to detect or avoid BEC scams?

  • An email or phone call may happen when key personnel are absent or at the end of the day when your energy or attention is low. Attackers will try to take advantage of confusion, lack of knowledge, or fear with urgent statements, legal threats, and more. You should avoid clicking on any links in an email or replying. If it’s a phone call, hang up immediately. Speak to a supervisor or knowledgeable person about the issue.
  • Check that names and addresses are spelled correctly in an email header. Hackers will spoof legitimate addresses with slight changes. At a quick glance they look like the real thing. But when you look closely, you can see that a name has been misspelled or the email domain has an extra letter.
  • Even if an email comes from a trusted sender, confirm in person or over the phone before taking the action requested. Spear phishing emails are sophisticated and tailored to you, taking advantage of names that you trust and details about yourself.
  • If the request seems out of the ordinary or unusually urgent, always double check in person or over the phone with the requester. (And not by replying to the email!)

Technical Defenses

There are also technical steps you can take to defend your organization against BEC scams.

  • A strong anti-spam solution should flag emails based on rules. For example, it could flag emails where the “reply to” email address is different from the “from” email address. There are also intrusion detection system rules that can help flag fraudulent emails and domain names.
  • Require additional two-factor authentication for payment verification.
  • Require confirmation of fund transfer requests, with phone verification or another two-factor authentication method.
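
The two header checks described above (a "reply to" address that differs from the "from" address, and a sender domain that is a near miss of a real one) can be sketched as follows. This is an added example, not code from the original post or from any particular anti-spam product; the trusted domain `acme.example`, the function names, and the sample messages are assumptions made up for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: the domains your organization really corresponds with.
TRUSTED_DOMAINS = {"acme.example"}

def address_of(header_value):
    """Lower-cased bare address from a From/Reply-To header ('' if absent)."""
    return parseaddr(header_value or "")[1].lower()

def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits separate a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_flags(raw_message, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return the reasons a message deserves out-of-band verification."""
    msg = message_from_string(raw_message)
    sender = address_of(msg.get("From"))
    reply_to = address_of(msg.get("Reply-To"))
    flags = []
    if reply_to and reply_to != sender:
        flags.append("reply-to-mismatch")
    domains = {a.rpartition("@")[2] for a in (sender, reply_to) if a}
    for dom in sorted(domains - set(trusted)):
        # Near miss of a trusted domain, e.g. one extra or swapped letter.
        if any(edit_distance(dom, t) <= max_distance for t in trusted):
            flags.append("lookalike-domain:" + dom)
    return flags

# Constructed sample messages (not real mail).
SAMPLE_SPOOFED = """\
From: "Pat Lee, CEO" <pat.lee@acmme.example>
Reply-To: pat.lee@mailbox.invalid
To: accounts@acme.example
Subject: Urgent wire transfer

Please process this payment today.
"""
SAMPLE_CLEAN = "From: Pat Lee <pat.lee@acme.example>\nSubject: Lunch\n\nSee you at noon.\n"

if __name__ == "__main__":
    print(bec_flags(SAMPLE_SPOOFED))
    print(bec_flags(SAMPLE_CLEAN))
```

A flag here is a prompt to verify the request by phone or in person, since legitimate mail such as mailing-list traffic can also carry a different reply address.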

And as always, a security-aware culture begins with leadership and clear instructions. Reward employees for speaking up about their concerns and reporting possible attacks. Attacks and scams like business email compromises target people because humans are usually the weakest link – unless they are trained and educated about the latest threats.

