Beware the Business Email Compromise

Adrien Gendre

December 05, 2015

According to the FBI, there has recently been a huge increase in the number of spear phishing scams known as a “business email compromise” — a 270% increase from January 2015 through August 2015 alone.

On average, almost $100 million was stolen every month in the US alone during the first eight months of the year.

Total U.S. Victims: 7,066
Total U.S. exposed dollar loss: $747,659,840.63

What is the Business Email Compromise?

Business Email Compromise (BEC) is defined by the FBI as a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.[1]

Simply put, the bad guys craft a highly customized email (sometimes followed up with a phone call) that appears to come from the CEO or another authorized person and requests a money transfer. It is typically sent to a bookkeeper or accountant and seemingly authorizes a legitimate, or even routine, payment. The payment is made… and the money disappears.

Cybercriminals might lurk for days or weeks, absorbing the mannerisms of the authorizing person as well as the transaction flow of the targeted company. The resulting email appears completely legitimate. Often the targeted companies make routine wire transfers, but sometimes the payment is requested (and stolen) by check instead, for instance when the thieves know the theft won't be discovered for several weeks because the CEO or controller will be on vacation.

Typically the accountants or bookkeepers involved are outsourced or remote employees, but not always.

What can be done to prevent these thefts?

Businesses of all sizes and types are vulnerable to these attacks and should take the following steps to prevent them:

  • Raise awareness of the BEC scam amongst your financial staff.
  • Consider holding requests for international wire transfers for an additional period of time in order to verify the legitimacy of the request.
  • Register lookalike domains (domains that differ only slightly from your actual company domain) so that attackers cannot use them for spoofing.
  • Verify changes in vendor payment details with a second factor, such as a secondary sign-off by company personnel.
  • Confirm all requests for transfers of funds. When phone verification is the second factor, call previously known numbers, never the numbers supplied in the email request.
  • Know your organization's normal payment patterns: the details, reasons and amounts of typical payments.
  • Carefully scrutinize all e-mail requests for transfers of funds to determine whether they are out of the ordinary, and follow up through a secondary channel.
  • Require any outsourced accountants or bookkeepers to always use your corporate email account to transact business. Personal email accounts are especially vulnerable to phishing attacks.
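
As an added illustration of three of the controls above (lookalike-domain spoofing, verifying changes in vendor payment details, and scrutinizing out-of-the-ordinary requests), the following Python script screens a payment-request email against a vendor baseline and returns the reasons it should be held for out-of-band confirmation. It is example code written for this article, not Vade's product or FBI tooling, and it goes one step beyond the list by detecting lookalike domains on inbound mail rather than only registering them. The corporate domain example-corp.com, the executive name, the vendor records, account identifiers, amounts, the 1.5x amount threshold and the pressure-language word list are all assumptions constructed for the demonstration.

```python
"""Constructed BEC screening example (not from the original article).

Flags a payment request when the sender domain resembles the corporate domain,
an executive's display name is used on a non-corporate address, the beneficiary
account or amount departs from the vendor's record, or the body applies pressure.
"""
from __future__ import annotations

import re
import unicodedata
from dataclasses import dataclass

CORP_DOMAIN = "example-corp.com"                     # assumed corporate domain
EXECUTIVES = {"jane doe", "jane.doe"}                # assumed display names scammers impersonate
# Assumed pressure vocabulary; real deployments tune this list.
URGENCY = re.compile(r"\b(urgent|immediately|confidential|today|asap|do not (call|discuss))\b", re.I)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_domain(domain: str) -> str:
    """Lowercase, strip accents, and fold common homoglyphs (rn->m, 1->l, 0->o, ...)."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(ch for ch in d if not unicodedata.combining(ch))
    for src, dst in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        d = d.replace(src, dst)
    return d


def is_lookalike(sender_domain: str, corp_domain: str = CORP_DOMAIN) -> bool:
    """True when sender_domain is not the corporate domain but closely resembles it."""
    if sender_domain.lower() == corp_domain:
        return False
    a, b = normalize_domain(sender_domain), normalize_domain(corp_domain)
    if a == b:
        return True                                  # differs only by homoglyphs
    a_name, b_name = a.rsplit(".", 1)[0], b.rsplit(".", 1)[0]   # ignore the TLD
    return levenshtein(a_name, b_name) <= 2 or b_name in a_name


def display_name_spoof(display_name: str, sender_domain: str) -> bool:
    """Executive's name in the display name while the address is not corporate."""
    return display_name.lower().strip() in EXECUTIVES and sender_domain.lower() != CORP_DOMAIN


@dataclass
class VendorBaseline:
    name: str
    bank_account: str
    typical_amounts: list[float]                     # history of amounts actually paid


@dataclass
class PaymentRequest:
    vendor: str
    bank_account: str
    amount: float
    sender_display: str
    sender_address: str
    body: str


def screen_request(req: PaymentRequest, baselines: dict[str, VendorBaseline]) -> list[str]:
    """Return the list of reasons to hold the request; an empty list means no flags."""
    findings: list[str] = []
    domain = req.sender_address.rsplit("@", 1)[-1]
    if is_lookalike(domain):
        findings.append(f"sender domain {domain!r} resembles {CORP_DOMAIN!r}")
    if display_name_spoof(req.sender_display, domain):
        findings.append("executive display name on a non-corporate address")
    base = baselines.get(req.vendor)
    if base is None:
        findings.append(f"unknown vendor {req.vendor!r}")
    else:
        if req.bank_account != base.bank_account:
            findings.append("beneficiary account differs from vendor record; confirm via phone number on file")
        hi = max(base.typical_amounts)
        if req.amount > 1.5 * hi:                    # assumed threshold
            findings.append(f"amount {req.amount:,.2f} exceeds 1.5x historical max {hi:,.2f}")
    if URGENCY.search(req.body):
        findings.append("pressure language in message body")
    return findings


# Constructed sample data: one vendor record, one suspicious and one routine request.
BASELINES = {"Acme Supplies": VendorBaseline("Acme Supplies", "ACCT-0001", [12000.0, 15500.0, 14200.0])}
SAMPLE_REQUEST = PaymentRequest(
    vendor="Acme Supplies", bank_account="ACCT-9999", amount=48500.0,
    sender_display="Jane Doe", sender_address="jane.doe@exarnple-corp.com",
    body="Please process this wire today. It's confidential, do not discuss it until I'm back.",
)
LEGIT_REQUEST = PaymentRequest(
    vendor="Acme Supplies", bank_account="ACCT-0001", amount=14900.0,
    sender_display="Jane Doe", sender_address="jane.doe@example-corp.com",
    body="Approved invoice 4471 for payment per the usual schedule.",
)

if __name__ == "__main__":
    for label, req in (("suspicious", SAMPLE_REQUEST), ("routine", LEGIT_REQUEST)):
        print(f"{label}: {screen_request(req, BASELINES) or ['no flags']}")
```

A non-empty result is a reason to hold the payment and confirm through a secondary channel, not an automatic rejection: legitimate vendors do change bank accounts and invoice amounts do grow, so the script is meant to route the request to a human for the call-back the list above describes.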

Finally, it’s imperative that organizations layer additional anti-spear phishing solutions like Vade to automatically flag even the most sophisticated spear phishing attacks before they have a chance to impact your organization. All humans are fallible. Give your employees the best tools you can to keep your organization safe.

Give us a call at 415-745-3630 or contact us, if you want to discuss how you can quickly add anti-phishing measures to your current email setup.


[1] August 27, 2015 FBI bulletin: