Published by:

Have you heard about Business Email Compromise (BEC)? BEC is a type of scam targeting companies who collect their money via wire transfers. Did your ears just perk up? Well they should since contractors rely heavily on payments through wire transfers and are prime targets for this scam.

The goal of a BEC fraudster is to infiltrate the email account of an executive or high-level employee authorized to make wire transfer payments. The scam usually starts with a spoofed or compromised email by an unsuspecting employee. Once the fraudster gains access, they lay in wait collecting information, carefully researching and closely monitoring their potential victims for just the right time to attack.

Then, they impersonate the email of the infiltrated executive, authorizing an employee to move funds. In the case of construction projects, the fraudster will pretend to be the contractor notifying the project owner they’ve changed bank accounts. Could they please make note of the new account when making future payments? Of course, the bank account is fraudulent and the money is transferred out of the project owner’s account into an offshore account immediately. The contractor never gets paid, and the project owner never knows they’ve been scammed until the contractor calls looking for their funds.

According to the FBI, there are five types of BEC scams:

1. The Bogus Invoice Scheme.  Companies with foreign suppliers are often targeted with this tactic, wherein attackers pretend to be the suppliers requesting fund transfers for payments to an account owned by fraudsters.

2. CEO Fraud.  Attackers pose as a company CEO or any executive (often when they are out of town and unavailable to verify the request) and send an email to employees in finance, requesting them to transfer money to the account they control.

3. Account Compromise.  An executive or employee’s email account is hacked and used to request invoice payments to vendors listed in their email contacts. Payments are then sent to fraudulent bank accounts.

4. Attorney Impersonation.  Attackers pretend to be a lawyer or someone from the law firm supposedly in charge of crucial and confidential matters. Normally, such bogus requests are done through email or phone, and at the end of the business day.

5. Data Theft.  Employees under HR and bookkeeping are targeted to obtain personally identifiable information or tax state-ments of employees and executives. Such data can be used for future attacks.

Because these scams do not have any malicious links or attachments, it’s easy for them to evade traditional solutions. Employee training and awareness can help spot this type of scam. Look out for email messages that have subjects containing words such as request, payment, transfer, and urgent, among others. In addition, always be a skeptic. No matter how believable the email may appear, always phone first!