fbpx Skip to main content

How to Spot a Business Email Compromise (BEC) Scam

By March 2, 2020Security
BEC Scams - How to Spot a Business Email Compromise Scam

Business email compromise (BEC) scams are on the rise. They target business owners and high-level employees in order to defraud a company, its customers, or its partners. In this type of scam, an attacker will pretend to be a trusted entity by spoofing a company email account. Then, they trick employees into revealing sensitive information or performing wire transfers.

Types of BEC Scams

There are different types of BEC scams. However, all these threats usually target employees with access to company finances, in an attempt to trick them into transferring money or revealing sensitive data. BEC scams include:

  • false invoice schemes (often posing as foreign suppliers)
  • CEO fraud (posing as a CEO or executive)
  • account compromise (attackers hack email accounts and use them to request payments)
  • attorney impersonation (email or phone calls from attackers pretending to be a lawyer or law firm representative)
  • data theft (targeting HR and bookkeeping employees to gain sensitive information about employees)

What can you do to detect or avoid BEC scams?

  • An email or phone call may happen when key personnel are absent or at the end of the day when your energy or attention is low. Attackers will try to take advantage of confusion, lack of knowledge, or fear with urgent statements, legal threats, and more. You should avoid clicking on any links in an email or replying. If it’s a phone call, hang up immediately. Speak to a supervisor or knowledgeable person about the issue.
  • Check that names and addresses are spelled correctly in an email header. Hackers will spoof legitimate addresses with slight changes. At a quick glance they look like the real thing. But when you look closely, you can see that a name has been misspelled or the email domain has an extra letter.
  • Even if an email comes from a trusted sender, confirm in person or over the phone before taking the action requested. Spear phishing emails are sophisticated and tailored to you, taking advantage of names that you trust and details about yourself.
  • If the request seems out of the ordinary or unusually urgent, always double check in person or over the phone with the requester. (And not by replying to the email!)

Technical Defenses

There are also technical steps you can take to defend your organization against BEC scams.

  • A strong anti-spam solution should flag emails based on rules. For example, it could flag emails where the “reply to” email address is different from the “from” email address. There are also intrusion detection system rules that can help flag fraudulent emails and domain names.
  • Payment verification requires additional two-factor authentication.
  • Confirmation requests for fund transfers, with phone verification or other two-factor authentication method.

And as always, a security aware culture begins with leadership and clear instructions. Reward employees for speaking up about their concerns and reporting possible attacks. Attacks and scams like business email compromises target people because humans are usually the weakest link – unless they are trained and educated about the latest threats.


Recent Posts / View All Posts

Disaster Recovery

Importance of a Reliable Disaster Recovery Plan for Your Business

| Email, Managed Services, Security | No Comments
Running a business is not always a smooth-sailing operation. There are often things that could go wrong regardless of how cautious you are or how hard you abide by the so-called rules. Because of this, you should have a good backup and disaster recovery plan in case a disaster happens, like an accident or a cyberattack. There are plenty of BDR solutions for different businesses. You must find the one that fits your needs and will protect your network and data in the best way possible. Understanding Backup Disaster Recovery All businesses deal with important information, like details about transactions,…
Social Media Phishing

Quiz Time: Can You Handle Social Media Phishing Attacks at work?

| Managed Services, Security | No Comments
Our last three blogs have discussed cybersecurity threats and how they affect a business. We have talked about the dangers that stem from various types of malware. We have warned you about the newest cybersecurity risks expected to wreak havoc on businesses soon. And in the face of the ongoing growing acceptance of remote work setups, we have delved into the threats related to working from home. Now, we will now talk about social media phishing. The common thing in all these topics is that they are all linked to phishing. A strong phishing attack can make a network open…
Risks of Working from Home

Addressing the Cybersecurity Risks of Working from Home

| Business Productivity, Managed Services, Security, Tech Tip | No Comments
A remote workforce has become the norm since the pandemic. Even now that we consider it safe to return to office work, many businesses have maintained the remote work setup because of the advantages. However, the risks of working from home also bring issues that need attention so as not to risk the company’s network and data. What Are the Cybersecurity Risks That Come with Working from Home? There are risks when working from home. Workers lack the usual protective measures used in an office network. Many workers use their home networks and may also use the same device for…