What is Business Email Compromise?
Even with the sophistication of technical defenses, a significant vulnerability one must consider is the human element. Business Email Compromise, or BEC, is a scam in which fraudsters seek to gain funds, access, or information by bypassing established defenses and targeting the people who use the network. The fraudster poses as a trusted colleague, client, or vendor, making the requests appear legitimate. The larger the company, the more vendors, approvers, and payment flows it has, and the more opportunities a scammer has to slip a fraudulent request through.
According to the FBI’s Business Email Compromise and Real Estate Wire Fraud 2022 Congressional Report, examples of BEC can include:
- Scammers who pose as a company CEO, emailing requests for payments to be made to fraudulent locations or emailing employees instructions to participate in fake online meetings during which a deepfake version of the CEO instructs team members to make wire transfers.
- Scammers who impersonate vendor emails, sending fake invoices to a targeted company, hoping they will be paid instead of the company actually performing the service.
- Scammers who pretend to be attorneys or other legal professionals, making internal requests for private employee information, such as social security numbers.
- Criminals who spoof legitimate email addresses, using slight variations of the correct address or domain name, or forging the real address in the sender field, to appear as a trusted source.
How can employees help protect a company against BEC attacks?
Part of defending against these types of attacks is putting policies in place that close these gaps. Alert employees to the methods scammers commonly use to trick them; this helps them notice when something feels wrong or a little off. Create a culture that encourages employees to ask questions rather than make assumptions. Company policies should warn team members to be wary of:
- Odd requests
- New requests to keep communications confidential
- Requests bypassing channels like HR, Accounting, Marketing, etc.
- Weird spelling, grammar or usage errors, or strange date formats
- Look-alike email addresses or domain names, unfamiliar email or web addresses, or contact information that doesn’t match your internal records
- Supposedly trusted individuals suddenly acting strangely, weirdly pushy, or trying to hurry you along when time isn’t really an issue
- Downloading unknown files: opening an attachment or starting a download can let attackers install malware on your system, possibly defeating other defenses like antivirus software. Once installed, the malware can move deeper into the company's network, harvesting personal information, account numbers, passwords, and more.
- Providing unnecessary personal information on social media platforms like LinkedIn or Facebook: details like your birthdate, pet names, old addresses, family names, etc., can give hackers the tools to crack passwords and guess security questions.
- Emails stating changes to a remittance name, address, or account number for a company vendor: before sending another payment, verify the change over the phone or in person, using a phone number already in your records rather than one supplied in the email.
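Look-alike addresses and domains are the hardest item on that list to spot by eye, so here is an added example (not code from the original page) of how a mail team can check sender domains against a list of trusted vendors. The trusted-domain list, the sample addresses and the confusable-character tables are constructed assumptions; replace them with your own vendor records. It goes a little beyond the text: the last function also generates the typo and look-alike variants of your own domain that are worth registering or matching in a mail rule.

```python
"""Look-alike sender-domain checks for BEC triage (added example)."""
import unicodedata

# Constructed allow-list: known vendors plus our own company (assumption).
TRUSTED_DOMAINS = {"acmesupply.com", "northwindlogistics.com", "ourcompany.example"}

# Sequences and characters that look like another character in common fonts.
# Constructed, simplified form of the Unicode "skeleton" idea.
MULTI_CHAR = {"rn": "m", "vv": "w", "cl": "d"}
SINGLE_CHAR = str.maketrans({
    "0": "o", "1": "l", "i": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u043e": "o", "\u0435": "e", "\u0441": "c", "\u0440": "p",  # Cyrillic
})


def skeleton(domain: str) -> str:
    """Fold a domain to a canonical form so look-alikes compare equal."""
    d = domain.lower().rstrip(".")
    if any(label.startswith("xn--") for label in d.split(".")):
        try:
            d = d.encode("ascii").decode("idna")      # punycode -> Unicode
        except UnicodeError:
            pass
    d = unicodedata.normalize("NFKD", d)
    d = "".join(ch for ch in d if not unicodedata.combining(ch))   # drop accents
    for seq, rep in MULTI_CHAR.items():
        d = d.replace(seq, rep)
    return d.translate(SINGLE_CHAR)


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, swap neighbours."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify_sender(address: str, trusted=TRUSTED_DOMAINS):
    """Return (verdict, trusted domain it resembles or None)."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if domain in trusted:
        return "trusted", domain
    sk = skeleton(domain)
    name = sk.rsplit(".", 1)[0]
    for t in sorted(trusted):
        tsk = skeleton(t)
        tname = tsk.rsplit(".", 1)[0]
        if sk == tsk:
            return "homoglyph", t           # rn/m, 0/o, Cyrillic letters, punycode
        if sk.startswith(tsk + "."):
            return "subdomain-bait", t      # trusted.com.attacker.net
        if edit_distance(name, tname) <= 1 or edit_distance(sk, tsk) <= 1:
            return "lookalike", t           # one typo, or a different TLD
        if len(tname) >= 5 and tname in name:
            return "brand-embedded", t      # trusted-invoices.com
    return "unknown", None


def typosquat_candidates(domain: str) -> list:
    """Variants of your own domain worth registering or matching in a mail rule."""
    name, tld = domain.lower().rsplit(".", 1)
    names = set()
    for i in range(len(name)):
        names.add(name[:i] + name[i + 1:])                          # drop a char
        names.add(name[:i] + name[i] + name[i:])                    # double a char
        if i < len(name) - 1:
            names.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])  # swap two
    for src, dst in {"m": "rn", "w": "vv", "d": "cl", "o": "0", "l": "1", "e": "3", "s": "5"}.items():
        if src in name:
            names.add(name.replace(src, dst, 1))
    names.add(name.replace("-", ""))
    names.discard(name)
    names.discard("")
    out = {n + "." + tld for n in names}
    out.update(name + "." + alt for alt in ("co", "net", "org") if alt != tld)
    return sorted(out)


# Constructed sample senders (not real addresses).
SAMPLE_SENDERS = [
    "ap@acmesupply.com",
    "ap@acrnesupply.com",                                         # rn for m
    "billing@acmesuply.com",                                      # dropped letter
    "ceo@northwindlogistics.com.secure-login.net",                # vendor name as subdomain
    "ap@" + "\u0430cmesupply.com".encode("idna").decode("ascii"),  # Cyrillic a, as punycode
    "invoices@acmesupply-payments.com",
    "sales@randomvendor.net",
]


def triage(senders=SAMPLE_SENDERS, trusted=TRUSTED_DOMAINS):
    """Classify each sender; anything but 'trusted' needs out-of-band verification."""
    return [(s,) + classify_sender(s, trusted) for s in senders]
```

Run `triage()` to see one verdict per sample address, and `typosquat_candidates("ourcompany.example")` for a registration list. The skeleton comparison deliberately over-matches (it treats `i`, `l` and `1` as the same letter) because in this setting a false alarm costs a phone call, while a miss costs a wire transfer.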
Proactive policies can also help protect your company.
The United States Secret Service suggests that these organization-level measures can also protect your company from BEC attacks:
- Register domain names similar to company domains: if you own them, scammers can’t!
- Create mail rules that flag messages from external or unknown domains, including domains that closely resemble your own or your vendors'.
- Use multi-factor authentication where possible.
- Practice BEC drills with your employees (just like a fire drill).
- Remember, a bad actor needs only one session in a compromised mailbox to create an auto-forwarding rule, and that rule keeps copying mail to the attacker even after the password is changed. After any suspected compromise, review and remove inbox and mailbox forwarding rules, not just the password.
How to report a BEC attack
- Contact your local FBI office and file a crime report.
- If someone transfers company funds to a fraudulent account, inform your financial institution immediately and request that they contact the destination financial institution.
- File a complaint with the FBI's Internet Crime Complaint Center (IC3). Before filing a Business Email Compromise complaint, make sure you have the following information: the victim's phone number as well as mailing and email addresses; a description of the incident; the victim's bank name and account details; the subject/recipient's bank and account details; cryptocurrency wallet details (if applicable); transaction dates and amounts; and the full financial wiring/routing instructions provided by the subject.
Please stay alert.
If your company receives an email from anyone posing as a representative of First Northern Bank and Trust, kindly call us to confirm its legitimacy before you reply, provide any information, or take action. We will never email you to request personally identifiable information, bank account numbers, or other private data. For more information about how First Northern Bank and Trust handles your confidential, personal data, we encourage you to read our Website Privacy Policy, Terms of Use, and Consumer Privacy Notice.