Business Email Compromise

Business email compromise (BEC)—also known as email account compromise (EAC)—is one of the most financially damaging online crimes. It exploits the fact that so many of us rely on email to conduct business—both personal and professional.

In a BEC scam, criminals send an email message that appears to come from a known source making a legitimate request, like in these examples:

A vendor your company regularly deals with sends an invoice with an updated mailing address.
A company CEO asks her assistant to purchase dozens of gift cards to send out as employee rewards. She asks for the serial numbers so she can email them out right away.
A homebuyer receives a message from his title company with instructions on how to wire his down payment.

Versions of these scenarios happened to real victims. All the messages were fake. And in each case, thousands—or even hundreds of thousands—of dollars were sent to criminals instead.

How Criminals Carry Out BEC Scams

A scammer might:

Spoof an email account or website. Slight variations on legitimate addresses (john.kelly@examplecompany.com vs. john.kelley@examplecompany.com) fool victims into thinking fake accounts are authentic.
Send spearphishing emails. These messages look like they’re from a trusted sender to trick victims into revealing confidential information. That information lets criminals access company accounts, calendars, and data that gives them the details they need to carry out the BEC schemes.
Use malware. Malicious software can infiltrate company networks and gain access to legitimate email threads about billing and invoices. That information is used to time requests or send messages so accountants or financial officers don’t question payment requests. Malware also lets criminals gain undetected access to a victim’s data, including passwords and financial account information.

Outline of how the business e-mail compromise is executed by some organized crime groups, from identifying a target to grooming to exchanging information to receiving a wire transfer from the victim.

How to Report

If you or your company fall victim to a BEC scam, it’s important to act quickly:

Contact your financial institution immediately and request that they contact the financial institution where the transfer was sent.
Next, contact your local FBI field office to report the crime.
Also file a complaint with the FBI’s Internet Crime Complaint Center (IC3).

How to Protect Yourself

Be careful with what information you share online or on social media. By openly sharing things like pet names, schools you attended, links to family members, and your birthday, you can give a scammer all the information they need to guess your password or answer your security questions.
Don’t click on anything in an unsolicited email or text message asking you to update or verify account information. Look up the company’s phone number on your own (don’t use the one a potential scammer is providing), and call the company to ask if the request is legitimate.
Carefully examine the email address, URL, and spelling used in any correspondence. Scammers use slight differences to trick your eye and gain your trust.
Be careful what you download. Never open an email attachment from someone you don't know, and be wary of email attachments forwarded to you.
Set up two-factor (or multi-factor) authentication on any account that allows it, and never disable it.
Verify payment and purchase requests in person if possible or by calling the person to make sure it is legitimate. You should verify any change in account number or payment procedures with the person making the request.
Be especially wary if the requestor is pressing you to act quickly.

Resources

Public Service Announcements from IC3

04.06.2020 Cyber Criminals Conduct Business Email Compromise Through Exploitation of Cloud-Based Email Services, Costing U.S. Businesses More Than $2 Billion
Cyber criminals are targeting organizations that use popular cloud-based email services to conduct BEC scams.

09.10.2019 Business Email Compromise: The $26 Billion Scam
Business email compromise/email account compromise is a sophisticated scam that targets both businesses and individuals who perform legitimate transfer-of-funds requests.

10.24.2018 Business Email Compromise: Gift Cards
The Internet Crime Complaint Center (IC3) received an increase in the number of BEC complaints requesting victims purchase gift cards.

06.11.2018 Business Email Compromise Contributes to Large-Scale Business Losses Nationwide
BEC schemes have cost victims billions of dollars in fraud losses over the last five years. This activity is a pervasive threat with significant financial losses and a considerable global impact.

Related FBI News and Multimedia

04.13.2020 FBI Warns of Advance Fee and BEC Schemes Related to Procurement of PPE and Other Supplies During COVID-19 Pandemic
The FBI is warning government and health care industry buyers of rapidly emerging fraud trends related to procurement of personal protective equipment (PPE), medical equipment such as ventilators, and other supplies or equipment in short supply during the current COVID-19 pandemic.

04.06.2020 FBI Anticipates Rise in Business Email Compromise Schemes Related to the COVID-19 Pandemic
There has been an increase in BEC frauds targeting municipalities purchasing personal protective equipment or other supplies needed in the fight against COVID-19.

07.16.2020

Money Mule Reined In

When a Texas school district fell victim to a $2 million business email compromise scheme, a Florida man moved much of the stolen money away from law enforcement’s grasp—and is now spending time behind bars.
01.28.2020

Sentence in BEC Scheme

A leader of a business email compromise ring that stole more than $120 million from two American companies is spending time behind bars. Learn how to protect yourself from this growing crime.
09.10.2019

Operation reWired

The FBI worked with partner agencies domestically and in multiple countries around the world in a large-scale, coordinated effort to dismantle international business email compromise (BEC) schemes.
06.11.2018

International BEC Takedown

The FBI partnered with domestic and international law enforcement agencies on Operation WireWire, a large-scale, coordinated effort to dismantle business e-mail compromise schemes.
03.08.2018

FBI, This Week: W-2 Phishing Scams Increase During Tax Season

The latest evolution of the sophisticated business e-mail compromise scam targets businesses for access to sensitive tax-related data.
12.07.2017

FBI, This Week: Criminals Put Holiday Spin on Internet-Facilitated Schemes

The FBI says criminals put a holiday twist on the methods they use to scam you online during this time of year.
11.09.2017

FBI Chicago Warns Area Business Owners of Business E-Mail Compromise Scam

FBI Chicago has important information for area business owners who find themselves the victim of a Business E-mail Compromise (BEC) scam.
02.27.2017

Business E-Mail Compromise

The organized crime groups that perpetrate the financial cyber fraud called business e-mail compromise have victimized companies and organizations around the world.
10.26.2016

PSA: Business E-Mail Compromise Scam

Public service announcement warning of the dangers of business e-mail compromise scams (BECs).
10.07.2016

Business E-mail Compromise Scams Cost Businesses Billions of Dollars

BEC scams involves the compromise of legitimate business and e-mail accounts for the purpose of conducting unauthorized wire transfers.
07.27.2016

OPS Business Email Compromise Guide

A guide providing best practices on what to do to safeguard the email system of a business from being compromised.
08.28.2015

Business E-Mail Compromise

A sophisticated scam is costing companies worldwide millions of dollars.

Official websites use .gov

Secure .gov websites use HTTPS