Business Email Compromise: An Old Threat Finds New Targets
Adrien Gendre
—July 16, 2020
—4 min read

Business Email Compromise or BEC presents a radically more sophisticated version of the age-old “Nigerian Prince” scam. According to the FBI, US businesses lost $1.7 billion from business email compromise in 2019. This figure represents only those cases that were reported to the FBI—the actual number is likely higher. Although a substantial amount of losses are recovered, 21 percent of victims recover nothing.
Previously focused on enterprises, hackers now regularly target SMBs, which are far less prepared than enterprises to cope with attacks, both technologically and financially. From incident response to remediation, enterprises have an arsenal of weapons to rapidly respond to business email compromise threats. SMBs, especially those on the smaller side, do not have this luxury.
Before we explore the threats to SMBs, let’s take a look at some examples of high-profile attacks on large companies.
Mattel’s $3 million BEC Loss
In 2015, Mattel lost $3 million to business email compromise when a hacker exploited a staffing change. Impersonating the new CEO, a hacker emailed a Mattel finance executive and requested a wire transfer to a vendor in China. Mattel’s growing business in China made the transfer seem reasonable, and receiving the request from the new CEO made the executive jump at the request.
A report noted that the hacker did considerable homework as part of the attack, mining social media and other sources to find an executive authorized to make financial transactions. Fortunately for Mattel, the date of the transfer was a bank holiday in China, which gave Mattel time to report the attack and prevent the funds from reaching the hacker.
Nikkea’s $29 million vendor compromise attack
In 2019, a US employee at Japanese media conglomerate Nikkea transferred a staggering $29 million to a hacker impersonating a Nikkea vendor. This new spin on business email compromise is known as vendor email compromise, in which a vendor’s email is compromised and then used to email customers and clients. With a hacker using a compromised email address, there is no reason for a victim to be suspicious about requests for payment.
What’s notable about the above examples is that all involve the diversion of large sums of money. In other words, it would be extremely difficult for any of the above transactions to go undetected for long. This is precisely why the FBI has a good recovery rate: quick reporting equals fast response and recovery.
To cope with the quick response rate of authorities, hackers have been hitting smaller targets—SMBs—and requesting smaller sums of money in increments. This makes the transactions more likely to go undetected for a longer duration, giving the hacker time to clean out accounts and move on to the next target.
Below are three examples of the types of business email compromise scams SMBs should watch out for.
Wire transfers
The most popular form of wire transfer scam is popularly known as CEO fraud, in which a hacker spoofs an executive’s email address and requests a wire transfer from an employee. The hacker might ask an employee to pay a vendor, place a deposit on real estate, or make a large purchase.
Although this variation of wire transfer fraud is still prevalent, attacks on SMBs typically feature requests for small amounts of money. This increases a hacker’s chance of success for two reasons: First, it will not set off red flags and potentially cause the victim to either question the request or alert anyone. Second, the transfer of a small amount of money can go unnoticed for a longer period of time.
Finally, wire transfer requests from compromised internal email accounts is a growing threat. Hacker gain access to platforms like Microsoft 365 via phishing emails and then email employees via compromised accounts. An example of this is a 2019 attack on St. Ambrose Catholic Parish in Brunswick, Ohio. Emailing from a compromised Microsoft 365 account, a hacker posing as a vendor—a construction company—demanded payment for unpaid restoration work. The employee transferred $1.7 million to the hacker, who quickly moved the money to another account.
Tax form scams
Business email compromise doesn’t always involve money. Hackers are also interested in sensitive data they can use to carry out subsequent attacks. W-2s, a tax form for wage reporting in the US, is a sought-after document that includes a host of personal data that hackers can use to either create accounts or file a fraudulent tax return and receive a refund.
To get their hands on W-2s and other tax forms, hackers impersonate employees and send spear phishing emails to human resources and accounting staff, requesting their W-2s or other tax forms. This is an especially successful scam during tax season: human resources and accounting staff are not only busy and likely to be distracted, but they’re also accustomed to receiving an abundance of questions from staff about taxes—making the request seem like nothing out of the ordinary.
Direct deposit/payroll diversion scams
The fastest growing form of business email compromise, according to the FBI, payroll diversion or direct deposit scams involve rerouting paychecks into hacker accounts. In most cases, a hacker impersonating an employee emails a human resources staff member and asks for their bank account number to be changed in time for the next payroll deposit.
The emails are short and to the point, although some involve pretexting and might even feature a series of emails designed to ease the victim into complying with the request. In some cases, hackers will impersonate high-ranking employees, such as executives, to put pressure on the human resources staff. According to the FBI, in most cases of payroll diversion scams, the victim’s paycheck is diverted to a pre-paid card account.
Business email compromise prevention
Unlike phishing emails, spear phishing emails are typically text only—there are no links to scan or other identifying clues that an email filter can detect.
That’s why users should be trained to spot the signs of spear phishing, from pretexting and social engineering to requests for large sums of money. If a user responds to a spear phishing email, retrain them immediately to correct the behavior.
Even if employees are well trained, hackers today do substantial research before launching attacks, and they’re very good at putting victims at ease and making even unusual requests seem normal. To solve for this, you should have processes in place for confirming requests for financial transactions and wire transfers:
- Establish written processes and procedures for handling financial transactions, including call-back procedures or in-person confirmation.
- Contact the vendor directly to confirm email requests for financial transactions.
- Limit the number of employees authorized to make financial transactions.
Finally, if your current anti-spear phishing solution is allowing threats to get through, consider a solution that goes beyond spoofing detection and scans for malicious behaviors, including urgent and financial requests. DMARC will detect exact domain spoofing, but it struggles with more sophisticated spoofing techniques.
Vade for Microsoft 365 uses anomaly detection to identify unusual patterns in an organization’s email traffic, as well as Natural Language Processing, which analyzes email text. Together, they detect spoofing techniques like display name spoofing and cousin domains, and textual indicators of spear phishing, including pretexting and requests for financial transactions. When spear phishing is detected, Vade for Microsoft 365 triggers a warning banner to alert the user, giving them time to reassess the email and decide whether to proceed.