Types of Business Email Compromise (BEC) Schemes

  • CEO fraud: Fraudster(s) hack or spoof the CEO’s email address. A fraudulent email is sent from the CEO’s email (spoofed or actual) to an employee with the ability to send wire transfers and instructs them to send funds to an account controlled directly or indirectly by the fraudster. E-mails usually convey a sense of urgency to complete the transaction and may also indicate that the CEO will be unavailable by phone or other methods.

  • Bogus invoice scam: Fraudster(s) hack or spoof the email of a business contractor/vendor that is doing work for another company. The suspect(s) send a fraudulent email to the company’s employee who handles finances and request payment for services rendered. However, instead of directing the payment to the contractor/vendor’s known account or by mail, the fraudster requests that the payment be transferred to another account that is controlled by the suspect(s).


  • Attorney impersonation: After gaining access to, or the ability to impersonate, a company’s law firm, the scammer sends an email to the firm’s client indicating that funds should be transferred/wired to a different account than normal. The stated reason for the transfer may be to settle a legal dispute, pay an overdue bill, or fund the closing on a property. Typically, the cybercriminal uses this type of attack to convince targets that the transfer is confidential and time-sensitive, so the employee is less likely to confirm that they should send it.


  • Account compromise: Fraudster(s) hack or spoof an employee’s email account, then email customers to alert them that there was a problem with their payment (insufficient funds, bounced check, stolen mail, etc.) and that they need to wire/transfer/ACH it to a different account that is controlled by the fraudster.

  • Data theft: In this attack, the goal of the fraudster is not to have the recipient transfer funds. Instead, the goal is to obtain data, sensitive information, personal identifying information, etc., under the guise of a fraudulent email. Again, an employee’s email is spoofed or hacked, and the receiver is instructed to send the specific data requested for various reasons (audit, payroll, tax information, W-2 info, or highly sensitive corporate financial documents). The attack eventually leads to a more sophisticated follow-on attack in which the data is used to extort, steal, or commit ID theft with the personal information obtained.
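Every scheme above relies on the same handful of observable signals: a spoofed or lookalike sender domain, a Reply-To that diverts the conversation away from the apparent sender, a display name borrowed from an executive or vendor, and body text that pairs urgency or secrecy with a payment-change or data request. The following script is an added example (not part of the IAFCI content above) that scores raw messages on those signals so a mail-filtering or SOC team can triage them; the internal domain `example-corp.com`, the executive directory, and the two sample messages are constructed placeholders.

```python
"""Heuristic BEC indicator scoring over raw RFC 822 messages (added example)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed internal domain and executive directory (constructed placeholders).
ORG_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}

# Language that signals the pressure and the ask described in the BEC schemes.
URGENCY = re.compile(
    r"\b(urgent|asap|immediately|right away|today|cannot be reached|"
    r"unavailable|confidential)\b", re.I)
PAYMENT_OR_DATA = re.compile(
    r"\b(wire|ach|transfer|new account|updated bank|routing number|"
    r"bounced|insufficient funds|w-2|payroll|tax information)\b", re.I)


def edit_distance(a: str, b: str) -> int:
    """Classic Levenshtein distance, used to spot lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, org: str = ORG_DOMAIN) -> bool:
    """A domain within two edits of ours, but not ours, is a lookalike."""
    return 0 < edit_distance(domain.lower(), org.lower()) <= 2


def score_message(raw: str) -> list[str]:
    """Return the list of BEC indicators found in a raw message (empty if none)."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    reasons = []

    # Reply-To pointing at a different domain diverts the thread to the fraudster.
    if reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != from_domain:
        reasons.append("reply-to domain differs from From domain")

    # Display name of a known executive on an address that is not theirs.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        reasons.append("display name matches an executive but address does not")

    # Typosquatted copy of the organisation's own domain.
    if is_lookalike(from_domain):
        reasons.append(f"lookalike domain {from_domain}")

    # Urgency/secrecy combined with a payment-change or data request.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    if URGENCY.search(text) and PAYMENT_OR_DATA.search(text):
        reasons.append("urgency combined with payment or data request")
    return reasons


# Constructed sample messages for demonstration.
SAMPLE_CEO_FRAUD = """\
From: "Jane Doe" <jane.doe@examp1e-corp.com>
Reply-To: ceo.jane@mail-relay.test
To: accounts@example-corp.com
Subject: Urgent wire

I need you to process a wire transfer today to our new vendor account.
I am in meetings all day and cannot be reached by phone. Keep this confidential.
"""

SAMPLE_BENIGN = """\
From: "Bob Smith" <bob.smith@example-corp.com>
To: accounts@example-corp.com
Subject: Thursday agenda

Attached is the agenda for Thursday's planning meeting.
"""

if __name__ == "__main__":
    for label, sample in (("ceo-fraud", SAMPLE_CEO_FRAUD), ("benign", SAMPLE_BENIGN)):
        print(label, score_message(sample) or "no indicators")
```

Any single indicator is weak on its own (a legitimate vendor may set a Reply-To, and executives do travel), so a practical deployment treats two or more hits as a reason to hold the message for review and, for any payment-detail change, to verify the request out of band using a phone number already on file rather than one supplied in the email.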

Content courtesy of International Association of Financial Crimes Investigators – www.iafci.org