What is Business Email Compromise?

Business email compromise (BEC)—also known as electronic account takeover (EAC)—is one of the most financially damaging internet frauds. It takes advantage of our reliance on email to conduct both personal and professional transactions.

In a BEC scam, criminals send an email message that appears to come from a known source making a legitimate request, like in these examples:

  • A vendor your company regularly deals with sends an invoice with an updated mailing address.
  • A company CEO asks her assistant to purchase dozens of gift cards to send out as employee rewards. She asks for the serial numbers so she can email them out right away.
  • A homebuyer receives a message from his title company with instructions on how to wire his down payment.

Versions of these scenarios happened to real victims. All the messages were fake. And in each case, thousands—or even hundreds of thousands—of dollars were sent to criminals instead.

How Criminals Carry Out BEC Scams 

A scammer might:

  • Spoof an email account or website. Slight variations on legitimate addresses ([email protected] vs. [email protected]) fool victims into thinking fake accounts are authentic.
  • Send spearphishing emails. These messages look like they're from a trusted sender, but they're actually trying to trick you into revealing confidential information. That information can let criminals access company accounts, calendars, and data that gives them the details they need to carry out their BEC schemes.
  • Use malware. Malicious software may infiltrate a company's network and access legitimate email threads about billing and invoices. That data is utilized to time requests or send messages so that accountants or financial executives are not suspicious of payment demands. Malware also allows criminals to gain unauthorized entry to a victim's data, including passwords and financial account information.

How to Protect Yourself 

  • Keep your personal information private. By expressing oneself freely on social media or online, you may provide a scammer with all of the data they need to guess your password or answer your security questions.
  • Don't click on anything in an unsolicited email or text message asking you to update or verify your account information. Look up the company's phone number on your own (not using the one a possible scammer is providing) and call the business to find out if it's legitimate.
  • Examine the email address, website URL, and spelling used in any communications for accuracy. Scammers rely on tiny variances to deceive your eye and win your confidence.
  • You should be cautious about what you download. Never open an email attachment from someone you don't know, and be careful of emails sent to you as a forwarding.
  • Make sure you've installed two-factor authentication on any accounts that allow it and don't turn it off.
  • If possible, verify payment and purchase requests in person or by phone to ensure they are genuine. Any change in account number or payment procedures should be verified with the person making the request.
  • If the requestor is pushing you to act quickly, be particularly cautious.

More Information

File a Complaint with IC3 https://www.ic3.gov/