BEC Scams

Let's talk about business email compromise scams, also known as BEC scams. These are wire transfer fraud involving fake vendors or senior office personnel. These will typically target employees who handle financial transactions. This can be something like a direct request from a senior person at your office to wire out funds or a vendor "updating" its wire transfer information. The idea is that it updates it when a legit vendor then sends you a bill, you actually send it to the new wire transfer information which sends it to a scammer instead. This type of attack tends to be very well researched and will look and sound legitimate. Despite the name, these BEC scams can also be launched via telephone, via text message or even via IM (instant messaging), just depending on how you tend to contact these people. These BEC scams can also include what's called email spoofing.


That's when they fake the address. So it looks like it's coming from someone who it actually isn't coming from like someone you know. They can include fake websites and even full online conversation with scammers impersonating offsite, either senior personnel or vendors. Try and imagine, for example, someone in your office, senior person, is out at a conference and while you can't actually reach them easily, they get a message saying you urgently have to pay a bill. If you can't get ahold of them in time and it has to be paid right away, that could be an issue. Just make sure your staff knows this. Attackers can also use other social engineering attacks, your office website, news reports, or social media to get the information needed to make these BEC messages look genuine. This means correct employee names and titles, relevant office news, if any, etc.


It's critical to have secure procedures for any financial transactions. This means direct what's called "out of band" confirmation with any vendors or senior personnel requesting a wire transfer or any changes to financial routing information. What I mean by out of band is don't use the same method you're contacted by. So let's say you receive an email, don't respond to the email. What you can do is, whoever it is - typically it's going to seem to be someone you "know" - pick up the phone and talk to them. Don't use a number in the email, use the number you have for them and just check "did you actually send this?" Any requests for speed or secrecy, regardless of reason, is a red flag and a half. Normal people generally don't do this, but scammers do. If you believe your organization has been targeted, don't hesitate to contact your financial institution and law enforcement right away.


Another variation I should mention, which targets home buyers, but can just as easily target someone getting a new office, through a real estate transaction. Attackers will typically pose as a seller's attorney and "update" the wire transfer information for the actual underlying sale. There was actually an instance in 2016 in which a couple in the New York area actually wound up bringing suit for negligence after their attorney had forwarded an email supposedly coming from the seller's attorney, which led them to wire out $1.9 million to an account controlled by scammers. So yeah, this can be a big problem. Look, email is convenient. I obviously get that. Wire transfer details and other related information should never ever be exchanged by email alone. Attackers know this is what you call a single point of failure. One way they can take advantage of you and they won't hesitate to exploit that.


It's critical to have secure procedures for any of these and basically you want to use the phone to, in effect, check to make sure it's happened properly. You may want to actually meet in person if that's at all possible. Just make sure that you've got a way to get across to each other that yes, this is legit. If I'm changing something, this is why. Now another thing that's oddly related to this is cyber liability insurance, assuming your office has some. And if not, it's a good idea. Insurance coverage for this particular type of attack, the BEC scam, is a little weird. Because unlike a typical social engineering attack, it's not targeting data. It's targeting funds directly. So certain kinds of policies sort of leave room for it not to be covered. A cyber policy typically it doesn't cover theft of funds without a crime endorsement. A crime policy typically doesn't cover social engineering without a social engineering endorsement, and insurers will routinely take the position that there's no coverage unless it's specific. And sometimes they'll see social engineering stuff is not a sufficiently direct loss. Essentially, their position will be the only technology based hacking events are covered. In short, figure out what's really covered before you actually need it.

Business email compromise (BEC) scams

  • Wire transfer fraud involving fake vendors and/or senior office personnel
  • This sort of attack typically targets employees who handle financial transactions
  • A BEC scam can appear to be a direct request from (an attacker pretending to be) a senior person at your office to wire out funds or a vendor “updating” its wire transfer information
  • This type of attack tends to be very well researched and will look and sound legitimate
  • Despite the name, BEC scams can also be launched via phone, text, social media or instant message
  • A nasty BEC scam variant targets purchasers through real estate transactions. Attackers will typically pose as the seller’s attorney and “update” the wire transfer information

How do you avoid BEC scams?

  • It’s critical to have secure procedures for any financial transactions.

If you believe your organization may have been targeted, contact your financial institution (and law enforcement) immediately.

Check your coverage – office insurance policies often don’t cover damages related to BEC scam attacks.