FRAUD RESOURCE CENTER
En español | Business email compromise, or BEC, is a fast-growing type of phishing scam in which fraudsters impersonate company owners or executives to trick employees of the firm into transferring money or turning over confidential data. Also known as “CEO fraud,” “W-2 phishing,” “email account compromise” and “business email spoofing,” the con comes in two basic varieties:
- An employee with access to company accounts receives an urgent email request, ostensibly from a top executive, to wire a large sum of money for what sounds like a legitimate purpose, such as an acquisition or vendor payment. The message includes routing data for a bank account that’s actually controlled by the fraudsters, often at a foreign bank. In a variation on this scam, the email supposedly comes from a vendor looking to change its payment account.
- The bogus executive emails someone in the payroll or human resources office seeking a list of employees and copies of their W-2 forms. That potentially puts a wealth of workers’ personal and financial information — Social Security numbers, home addresses, wages and tax withholding — into scammers’ hands, setting the stage for large-scale tax ID fraud and other forms of identity theft.
Law enforcement has linked BEC to international organized crime groups, often based in Nigeria. The scam relies on sophisticated techniques in spoofing (making fake emails and business documents look convincing) and spear phishing (researching a mark to launch highly targeted attacks). Scammers might also use malware to infiltrate a company’s computer network and access email exchanges about financial matters.
This form of fraud can pay off: Victims of BEC scams reported $1.78 billion in losses to the FBI's Internet Crime Complaint Center (IC3) in 2019 — more than half of all cybercrime losses logged by the bureau that year and a 37 percent increase from 2018.
BEC attacks targeted more than 30,700 organizations in the first quarter of 2020, according to security company Symantec. The FBI says fraudsters are exploiting disruptions in business operations caused by the coronavirus outbreak to perpetrate new variations on the scam, in some cases hijacking Paycheck Protection Program loans to small businesses.
Any company, large or small, can be a target. The real estate industry has been particularly hard hit, with fraudsters spoofing emails to real estate agents, title companies and other parties to snare payments from property deals. And these schemes don’t just abuse businesses: According to the FBI, many BEC gangs also perpetrate romance and work-at-home scams to recruit unwitting “money mules,” manipulating victims who believe they've found love or a great job opportunity into opening bank accounts to hide or launder fraud proceeds.
- You receive an email from a higher-up ordering you to quickly process an invoice, change the recipient of a payment or provide sensitive documents.
- The message is brief, urgent and presses you to bypass normal policies and procedures.
- The sender says he or she is traveling, and the signature indicates the email came from a mobile device.
- The email comes from a Gmail, Hotmail or other personal account rather than an organizational account.
- Someone you’ve become close to online asks you to open a bank account for the purpose of receiving or sending them money.
- Do check with an executive by phone or in person to verify a request to send money or provide personnel records.
- Do verbally confirm emailed instructions from a vendor or supplier to change payment methods or bank information. Call them on a known contact number.
- Do carefully check the sender’s email address. Scammers may slightly vary a genuine address, adding a letter or changing punctuation, to make it seem legit on first glance.
- Do train staff on the BEC threat and how to spot spoofed and spear-phishing emails.
- Do immediately contact your financial institution if you discover a fraudulent transfer. It may be able to recall the funds.
- Do verify a request from someone involved in a property transaction to change a payment type (for example, from check to wire transfer) or bank data. Do so in person or by phone, not by email.
- Do save all emails and other evidence of a BEC attack to provide to authorities.
- Don’t act on a request to send money or sensitive employee information without confirming that it’s authentic.
- Don’t reply to a suspicious email. Speak directly to the person the sender claims to be, or forward it to a known email address for that person.
- Don’t call a phone number listed in the suspicious email. Contact the actual person on a number you know to be legitimate.
- Don’t click on links or open attachments in a suspicious business email. It could unleash malware.
- Don’t open a new bank account at the behest of someone you’ve forged a relationship with online or as part of a supposed work-at-home opportunity.
- If you’ve been targeted or victimized by a BEC scam, report it to the FBI’s Internet Crime Complaint Center (IC3).
- Forward W-2 phishing emails to the Internal Revenue Service at firstname.lastname@example.org.
- If a BEC attack results in a data loss, follow the IRS’s instructions for reporting the theft and protecting employees. Contact the Federation of Tax Administrators at StateAlert@taxadmin.org for information on reporting the loss to state authorities.
- IC3 recommends office policies and IT strategies to reduce the BEC threat, as does the Financial Services Information and Analysis Center, a finance industry group that monitors cybersecurity and other threats.
Updated June 10, 2020
More From the Fraud Resource Center