Beware of Business Email Compromise (BEC) Scams

Beware of
Business Email Compromise
(BEC) Scams


Home » Blog » ArmourHacks » Beware of Business Email Compromise (BEC) Scams

Beware of Business Email Compromise (BEC) Scams

Business Email Compromise (BEC) is an email-based scam, a spear-phishing attack to be exact, that has the objective of tricking employees into taking harmful action by sending money to the attacker.  BEC is a classic example of cybercrime because it does not require any sophisticated skill such as hacking a system but becomes one of the most damaging and expensive types of scam that causes victims huge monetary loss each year.

As more companies shift their operations online, cybercriminals have more opportunities to launch BEC attacks. Moreover, it is now very easy to get corporate or public email accounts of executives or high-level employees in finance, HR, or purchasing, so the probability of success increases.

Types of Business Email Compromise (BEC) Scams

According to Interpol’s ASEAN Cyber Threats Assessment 2021, the number one key cybercrime trend and threat in ASEAN is Business Email Compromise (BEC), followed by Phishing, Ransomware, E-commerce Data Interception, Crimeware-as-a-Service, Cyber Scams, and Cryptojacking. In a BEC scam, the attackers pose as someone the recipient should trust, such as a colleague, boss, or vendor. Based on the FBI, there are 5 types of BEC attacks:

1. False Invoice Scam

The tactic is the attacker pretends to be the supplier requesting fund transfer for invoice payments to a bank account owned by them. Most of the targets are companies with foreign suppliers. 

2. CEO Fraud

The attackers pretend to be the CEO or any high-level executive and send an email to employees in finance requesting them to transfer money to their account or send sensitive information to them.

3. Account Compromise

Cybercriminals hacked and used an executive email account to request invoice payments to vendors listed in their email contacts. The payment of course was sent to a fake bank account. 

4. Attorney Impersonation

Attackers pretend to be a lawyer or someone from the law firm that is in charge of crucial and confidential matters. Normally, such bogus requests are done through email or phone, and during the end of the business day

5. Data Theft

Employees under HR and bookkeeping are targeted to obtain personally identifiable information (PII) or tax statements of employees and executives. That data can be used for future attacks.

In addition, these attackers carefully research and closely monitor the potential target of all types of organisations, from financial to healthcare, educational, also governments, non-governmental agencies, and nonprofits. Therefore, BEC scams rely on impersonation and other social engineering techniques to trick people interacting on the attackers’ behalf. Due to this nature, BEC attacks are difficult to detect because it does not use malware or malicious URLs that can be analysed with standard cyber defences.

Business Email Compromise Timeline - ArmourZero

Business Email Compromise Timeline

How Serious is BEC Attack?

Business Email Compromise Example - ArmourZero

One of the BEC examples is the impersonation of a colleague. (Source:


BEC was not considered a global threat until 2013 when the IC3 (Internet Crime Complaint Centre, founded in 2000) received massive complaints and issues about them. It was reported from 2013 to 2014 that the total number of BEC victims in the U.S. and 45 countries are 2,226 with a combined money loss of US$214,972,503.30.

From May 2018 to June 2019, there was a 100% increase in total global fraud from BEC. Since the IC3 started counting, there has been a total money loss of US$26.2 billion with victims from all 50 states in the U.S. and in 177 countries. No wonder the FBI has named BEC a “US$26 billion scam”. In 2020, the IC3 observed an increase in the number of BEC complaints related to the use of identity theft and funds being converted to cryptocurrency.

There are several top BEC cases, such as:

  • Facebook and Google: US$121m BEC scam

It was dubbed the biggest BEC scam of all time. The attacker Evaldas Rimasauskas and associates set up a fake company named “Quanta Computer” (the same name as the real hardware supplier) which sent fake invoices, contracts, and letters, and billed them for millions of dollars in 2013-2015. The documents were legitimate-looking enough that Google and Facebook wired money to accounts. 

  • Ubiquiti: US$46.7m vendor fraud

In August 2015, IT company Ubiquiti became the victim of US$46.7 million due to the scammers who impersonated employees at a third-party company (vendor) and targeted Ubiquiti’s finance department.

  • Toyota: US$37 million BEC attack

In 2019, Japan’s Toyota Boshoku Corporation, a supplier of auto parts, was a victim of US$37 million. The attackers tricked and persuaded an executive of the finance department to make a wire transfer.

  • Government of Puerto Rico, 2019-2020

In early 2020, while dealing with the aftermath of the earthquake, the government fell victim to BEC attacks when Ruben Rivera, finance director of Puerto Rico’s Industrial Development Company mistakenly transferred over US$2.6 million to a fraudulent bank account. He had received an email about the changing bank account tied to remittance payments. Fortunately, the money which included public pension funds was frozen by the FBI.

How to prevent Business Email Compromise Scams

BEC scams are hard to stop because it needs internal context to know if the email is legit or not. Several tips from FBI to guard against BEC, such as:

  • Don’t click on anything in an unsolicited email or text message asking you to update or verify account information. Look up the company’s phone number on your own (don’t use the one a potential scammer is providing), and call the company to ask if the request is legitimate.
  • Carefully examine the email address, URL, and spelling used in any correspondence. Scammers use slight differences to trick your eye and gain your trust.
  • Be careful what you download. Never open an email attachment from someone you don’t know, and be wary of email attachments forwarded to you.
  • Set up two-factor (or multi-factor) authentication on any account that allows it, and never disable it.
  • Verify payment and purchase requests in person if possible or by calling the person to make sure it is legitimate. You should verify any change in an account number or payment procedures with the person making the request.
  • Be especially wary if the requestor is pressing you to act quickly.

To increase security safety in your company, use cybersecurity solutions that give email protection that leverages internal context, AI, and a trusted reputation network unique to a company and can prevent BEC attacks such as Avanan. 

In fact, here’s how Avanan prevents organisations from BEC:

  1. Machine learning algorithms combine with role-based, contextual analysis of previous conversations to identify threats that Google, Microsoft and external mail gateways miss,
  2. Deployment-day analysis of one-year’s email conversations to build a trusted reputation network,
  3. Scanning and quarantine of internal email and files in real-time, protecting against east-west attacks and insider threats,
  4. AI and machine learning techniques to rapidly adapt to new threats and behaviours,
  5. Account takeover protection beyond email: login events, configuration changes and end user activities throughout the suite.

ArmourZero provides Email Protection as-a-Service powered by Avanan, the best breed of Email Security Solutions, with only US$6.00/user/month or US$60/user/year we are able to prevent delivery of malicious emails to inbox, protect Microsoft 365 and Google Workspace email, account takeover prevention, etc. Book your demo now.

Fanny Fajarianti ArmourZero

Written by: 

Fanny Fajarianti (Performance Marketing). Experienced digital marketer in the information technology and services industry.

Share this post

Related Posts

10 Common Scams Targeting Online Small Business

10 Common Scams Targeting Small Online Businesses

Discover 10 common scams targeting small businesses. Stay vigilant, educate your team, and use tools to reduce risks in the evolving landscape of fraud.

Read more

What is Unified Threat Monitoring, Management and Response (UTMMR)?

What is Unified Threat Monitoring, Management and Response (UTMMR)?

What is Unified Threat Monitoring, Management, and Response (UTMMR)? Discover its benefits and how UTMMR simplifies cybersecurity management in this article.

Read more

Navigating Cybersecurity: Antivirus vs Endpoint Protection

Navigating Cybersecurity: Antivirus vs Endpoint Protection

Learn when to switch from basic antivirus to better endpoint protection for stronger business security in this article. Better Cyber Safe Than Sorry.

Read more

Indonesia's General Election 2024

Safeguarding Indonesia’s Democracy in the 2024 Elections

Guard Indonesia’s 2024 elections from cyber threats. Learn about disinformation, deep fakes, and cyberattacks. Get tips for a resilient digital democracy.

Read more