
Email compromise fraud schemes

Business Email Compromise (BEC) is a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.

Recommendations and Mitigations

Non-Technical Mitigations 

Social engineering safety
  • Be careful with what information you share online or on social media. By openly sharing things like pet names, schools you attended, links to family members, and your birthday, you can give a scammer all the information they need to guess your password or answer your security questions.
  • Be careful what you post to business networking sites like LinkedIn and your company website, especially information about who has which specific job duties. 
Training and awareness
  • Issue alerts to employees and customers about phishing scams targeting specific organizations or interest groups.
  • Send reminders of the policies in place, such as how account changes are handled.
  • Post general information on phishing tactics to the organization's web site or distribute it by email.
  • Establish an employee testing program with phishing and BEC attempts that appear to come from your senior leaders and trusted business partners.
Establish out-of-band communication  
  • Use a form of communication other than email, such as a telephone call, to verify transactions over a particular dollar amount, and set up this verification process early in the business relationship. Do not use email to set up the verification process.
Standardize validation for payments and account changes
  • Establish with your customers and business partners how changes in account information will be communicated and validated.  Also, confirm how you expect them to validate changes to your banking information.
Confirm significant or out-of-pattern changes
  • Beware of sudden changes in business practices. For example, if a vendor suddenly asks to be contacted at a personal email address when all previous official correspondence has been on a company email, verify via other channels that you are still communicating with your legitimate business partner.
  • Be especially wary if the requestor is pressing you to act quickly.
  • Verify payment and purchase requests in person if possible or by calling the person to make sure it is legitimate. You should verify any change in an account number or payment procedures with the person making the request.
  • Watch for suspicious requests, such as a change in a vendor’s payment location.
  • Follow controls for the validation of new or revised payment information.
  • Escalate any concerns if a payment seems suspicious - even after performing a callback.
  • Be very suspicious if a vendor offers vague reasons for changes to a new account, such as tax audits or current events, e.g., "Due to COVID-19, we need to update our payment information…"
Create a social media policy
  • Construct, implement and enforce a social media policy that prohibits sharing details about company roles and responsibilities, so cyber criminals cannot develop a picture of your corporate structure, including addresses to target your employees.
Email
  • Don’t click on anything in an unsolicited email or text message asking you to update or verify account information. Look up the company’s phone number on your own (don’t use the one a potential scammer is providing).  Look up the number from an external source when calling and call the company to ask if the request is legitimate.
  • Check the "rules" setting on your account periodically to ensure that no one has set up auto-forwarding for your e-mails.
  • Forward rather than reply. Instead of hitting reply on important emails, use the forward option and either type in the correct email address or select it from your email address book, so that you are sure you are using the real email address.
  • Be cautious about using out-of-office replies that give too much detail about when your executives are out of the mix.
  • Carefully examine the email address, URL, and spelling used in any correspondence. Scammers use slight differences to trick your eye and gain your trust.
  • Be careful what you download. Never open an email attachment from someone you don't know, and be wary of email attachments forwarded to you.
  • Avoid clicking on links or attachments from unknown senders. Doing so could download malware onto your company’s computers, making you vulnerable to a hack.
Anti-phishing strategies for AI-written emails
  • Sandbox Word documents and other attachments to keep them away from corporate networks.
  • Inspect web traffic through a secure web gateway to protect both on-prem and remote users.
  • Deploy secure email gateways.
  • Check URLs for malicious content or typosquatting.
  • Deploy email security protocols such as DMARC, DKIM, and SPF, which help prevent domain spoofing and content tampering.
  • Provide an easy way to report suspicious emails.

Technical Mitigations

  • Set up two-factor (or multi-factor) authentication on any account that allows it, and never disable it.  TFA/MFA aims to protect users if authentication credentials have been captured. The nature of changing tokens limits the attacker's ability to leverage captured credentials.  
  • Avoid free web-based e-mail accounts. Establish a company domain name and use it to create formal e-mail addresses for your employees.
  • Label external emails to help prevent the impersonation of employees.  
  • Ensure emails originating from outside the organization are automatically marked before they reach the recipient.
  • Prohibit automatic forwarding of emails to external addresses.  Detect email inbox forwarding rules that send all or selected emails to an external email address.
  • Add an email banner to messages coming from outside your organization.  This is a simple way to highlight that extra scrutiny is needed for external emails. It can also identify when an adversary creates a fraudulent domain that looks similar to a legitimate domain, such as one belonging to a healthcare and public health (HPH) sector organization.
  • Prohibit legacy email protocols, such as POP, IMAP, and SMTP, that can be used to circumvent multi-factor authentication.
  • Ensure changes to mailbox login and settings are logged and retained for at least 90 days.
  • Enable alerts for suspicious activity, such as foreign logins.
  • Enable security features that block malicious emails, such as anti-phishing and anti-spoofing policies.
  • Configure Sender Policy Framework, DomainKeys Identified Mail, and Domain-based Message Authentication Reporting and Conformance to prevent spoofing and validate email.
  • Disable legacy account authentication.
  • Develop and maintain a policy on suspicious e-mails for end users; ensure suspicious e-mails are reported.
  • Apply patches/updates immediately after release/testing; develop and maintain a patching program if necessary.
  • Implement an Intrusion Detection System (IDS); keep signatures and rules updated.
  • Implement spam filters at the email gateways; keep signatures and rules updated.
  • Block suspicious IP addresses at the firewall; keep firewall rules updated.
  • Implement whitelisting technology to ensure that only authorized software is allowed to execute. 
  • Implement access control based on the principle of least privilege. 
  • Implement and maintain anti-malware solutions. 
  • Conduct system hardening to ensure proper configurations. 
  • Disable the use of SMBv1 (and all other vulnerable services and protocols) and require at least SMBv2.
  • Domain-based Message Authentication Reporting and Conformance (DMARC).  The DMARC protocol enables domain owners to specify which authentication method is used when sending emails. DMARC helps email receivers determine if the purported message "aligns" with what the receiver knows about the sender. If not, guidance is provided on how to handle the message. 
  • Protect your web domain.  Consider hiring a firm that will notify you of web domains that have been registered to deceptively look like your own; cybercriminals can use lookalike domains in BEC attacks to trick your employees or business partners into diverting funds.
  • Data mining.  Mine the abuse mailbox and phishing reports, and use the intelligence gained to prevent future attacks.
  • Passwords.  
    - Review password policies to ensure they align with the latest NIST guidelines and deter the use of easy-to-guess passwords.
    - Review IT helpdesk password management related to initial passwords, password resets for user lockouts, and shared accounts.
    - Regularly audit user passwords against common password lists, using free or commercial tools.
    - Provide pragmatic advice to users on how to choose good passwords.
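The DMARC item above turns on the idea of "alignment": the domain in the From: header that the recipient sees must match the domain that SPF or DKIM actually authenticated, either exactly (strict mode) or at the organizational-domain level (relaxed mode); otherwise the receiver applies the policy the domain owner published. The following example, added here and not part of the original page, walks through that decision for a constructed DMARC record. The record, the sample authentication results, the `bulk-sender.example` domain and the two-label approximation of the organizational domain are all assumptions of the example.

```python
"""DMARC alignment check: does the From: domain align with the domain that
SPF or DKIM authenticated, and if not, what disposition did the domain owner ask for?
Added example; record and authentication results are constructed."""

from dataclasses import dataclass, field


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels.
    Real DMARC uses the Public Suffix List; this simplification is an
    assumption of the example and is wrong for suffixes such as co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into a
    tag dictionary, applying the protocol defaults (relaxed) for adkim/aspf."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict mode ('s') requires an exact match; relaxed ('r') accepts the
    same organizational domain (mail.example.com aligns with example.com)."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResult:
    from_domain: str                 # RFC5322.From header domain the user sees
    spf_pass_domain: str = ""        # MAIL FROM domain that passed SPF, "" if none
    dkim_pass_domains: list[str] = field(default_factory=list)  # d= of valid DKIM signatures


def dmarc_disposition(record: str, result: AuthResult) -> str:
    """Return 'pass', or the published policy (none/quarantine/reject) when
    neither SPF nor DKIM produced an aligned pass."""
    tags = parse_dmarc(record)
    spf_ok = aligned(result.from_domain, result.spf_pass_domain, tags["aspf"])
    dkim_ok = any(aligned(result.from_domain, d, tags["adkim"])
                  for d in result.dkim_pass_domains)
    return "pass" if (spf_ok or dkim_ok) else tags["p"]


# Constructed record for the example domain used elsewhere on this page
RECORD = "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc-reports@examplecompany.com"

if __name__ == "__main__":
    # Legitimate mail: DKIM signature from the From: domain itself
    good = AuthResult("examplecompany.com", dkim_pass_domains=["examplecompany.com"])
    # Spoof: From: claims examplecompany.com, but only the sending
    # infrastructure's own domain passed SPF, so nothing aligns
    spoof = AuthResult("examplecompany.com", spf_pass_domain="bulk-sender.example")
    print(dmarc_disposition(RECORD, good))   # pass
    print(dmarc_disposition(RECORD, spoof))  # reject
```

Note that a message can pass SPF and DKIM in isolation and still fail DMARC; it is the alignment with the visible From: domain that defeats the display-name and lookalike-sender tricks described on this page, which is why the policy should eventually be moved from p=none to quarantine or reject once reports confirm legitimate mail is aligned.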

Proper callback procedures

An appropriate process requires an employee, typically a payments staff member, to pick up the phone and validate new payment requests, requests to establish a new bank account, changes to payment instructions, and changes to contact information.
  • Callbacks should be made to the actual person making the request using a phone number retrieved from a system of record when setting up a new account, processing a request for payment, changing payment instructions, or changing contact information. Be wary of vendors who frequently change payment instructions. Fraudsters will sometimes provide several different accounts to victims during a BEC fraud attempt.  Confirm all of the account details, including the new account number.
  • Do not confirm payment instructions only via email. Always perform a call back using a phone number from a system of record to the person making the request.
  • If a callback is not currently a part of your company’s payment control process, try to implement one or escalate the issue to someone who can.
  • If you receive a call from your financial institution asking you to validate an unusual payment, take it seriously. It could be your last chance to stop a fraudulent payment before it’s too late. Double-check that your controls have been properly executed. Do not assume a callback has been performed.  Pay close attention to the information provided and reconfirm that your organization performed all applicable controls, including a callback. It is common to confirm payments as valid only to later report them as fraudulent.
  • Understand that once a payment has been released, there are no guarantees the funds will be recovered.
  • Keep your contact information up to date if your financial institution needs to reach you.
  • Do not trust payment instructions provided by a business partner. Always validate that whoever is providing the instructions has performed a separate validating callback to the actual requestor.

BEC Methods

  • Spoof an email account or website. Slight variations on legitimate addresses (john.kelly@examplecompany.com vs. john.kelley@examplecompany.com) fool victims into thinking fake accounts are authentic.  The spoofed emails can be made to look like they are coming from anyone.  Scammers target employees with transactional authority (accounts payable, check signers, authorized individuals) or access to systems managing PII/W-2 data.  Emails often display a sense of urgency culminating in a request for money transfers, data, or gift cards.
  • Phishing emails. These messages look like they’re from a trusted sender to trick victims into revealing confidential information. That information lets criminals access company accounts, calendars, and data that give them the details they need to carry out BEC schemes. The emails attempt to entice users to click on a link that takes them to a fraudulent website that appears legitimate, or to open malicious attachments. The goal is to solicit personal information, such as account usernames and passwords; these fraudulent websites may also host malicious code.
  • Cloud-based email services.  Cybercriminals are targeting organizations that use popular cloud-based email services to conduct Business Email Compromise (BEC) scams. The scams are initiated through specifically developed phish kits designed to mimic the cloud-based email services in order to compromise business email accounts and request or misdirect transfers of funds. Many phishing kits identify the email service associated with each set of compromised credentials, allowing the cybercriminal to target victims using cloud-based services. Upon compromising victim email accounts, cyber criminals analyze the content of compromised email accounts for evidence of financial transactions. Often, the actors configure the mailbox rules of a compromised account to delete key messages. They may also enable automatic forwarding to an outside email account.  Using the information gathered from compromised accounts, cyber criminals impersonate email communications between compromised businesses and third parties, such as vendors or customers, to request pending or future payments are redirected to fraudulent bank accounts. Cybercriminals frequently access the address books of compromised accounts as a means to identify new targets to send phishing emails. As a result, a successful email account compromise at one business can pivot to multiple victims within an industry.

    While most cloud-based email services have security features that can help prevent BEC, many of these features must be manually configured and enabled. Better protect yourself from BEC by taking advantage of the full spectrum of protections that are available.  Depending upon the provider, cloud-based email services may provide security features such as advanced phishing protection and multi-factor authentication that are either not enabled by default or only available at additional cost.
  • Malware. Malicious software can infiltrate company networks and gain access to legitimate email threads about billing and invoices. That information is used to time requests or send messages so that accountants or financial officers don’t question payment requests. Malware also lets criminals gain undetected access to a victim’s data, including passwords and financial account information.  This data is then used to avoid raising suspicion when a falsified wire transfer is submitted.
  • The bogus invoice scheme.  A business in a long-standing relationship with a supplier is asked to wire funds for settling invoice payments to a fraudulent account. The emails are sent to employees with transactional authority (accounts payable, check signers, authorized individuals).  Threat actors may also send a link to what appears to be an invoice; the link may transmit sensitive information to the attackers or download malware. Threat actors target businesses with established relationships with a vendor or supplier and, leveraging fake invoices and social engineering, request payment to a financial account under their control.
  • CEO fraud.  The CEO’s email account is spoofed or hacked, and a request to urgently transfer funds is sent to the employee who is responsible for processing these requests, or, sometimes, directly to the bank. It relies on employees executing orders from the top management without question. It is usually carried out under specific circumstances, such as when the CEO is out of office.
  • Compromised employee’s email account.  An employee’s personal account - used both for personal and business communication - is hacked and exploited to send requests to a list of vendors identified from his or her business contact list asking for invoice payments to a fraudulent bank account. This scam is tricky to identify unless a vendor directly contacts the company about the payment.
  • Attorney impersonation.  The con artists pose as lawyers or representatives of a law firm. They contact either an employee or the CEO of the company via phone call or email and claim to possess confidential information. They then push the target to act quickly or secretly in transferring funds. The scam usually takes place at the end of business days or weeks, when people are more vulnerable and ready to act quickly.
  • Data theft.  An employee’s email account is hacked and used to send a request to another employee in human resources, asking not for money but for personally identifiable information (PII) or tax statements.
  • Gift card.  In a typical example, a victim receives a request from their management to purchase gift cards for a work-related function or as a present for a special personal occasion. The gift cards are then used to facilitate the purchase of goods and services which may or may not be legitimate.  Some of these incidents are combined with additional requests for wire transfer payments. Sectors including technology, real estate, legal, medical, distribution and supply, and religious organizations have been targeted by this scam.
  • Direct deposit: In this variant, the scammers pose as the victim and email a direct deposit change request to the finance or human resources department. This results in the employee's paycheck being redirected to an account controlled by the scammer.
  • Vendor account change request: This variant is similar to the direct deposit variant, except that the request spoofs a vendor and asks the state, local, tribal, and territorial (SLTT) government to modify the vendor’s payment account. The next payment to the vendor is then sent to the updated account number, which belongs to the scammer.
  • Vendor purchase order: In this scheme, the scammers obtain publicly available purchase order forms and change the contact details on the forms to include different telephone numbers and email addresses. Occasionally, scammers create copycat websites to authenticate the contact information included on fraudulent purchase orders. The scammers submit the purchase order to a vendor, have the goods shipped, and sell them for profit while the bill goes to the affected entity.
  • Financial theft: In this variant, the scammers pose as an employee or senior official and request that the department immediately wire money for a special purpose. Occasionally, the spoofed email will not directly reference a wire transfer, but rather specifies that "transactions" need to be "set up and processed."
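The cloud-based email item above describes two mailbox changes an intruder makes after taking over an account: rules that delete or hide messages about payments, and automatic forwarding to an outside address; the technical mitigations earlier on this page call for detecting exactly those rules. The following audit routine is an added example, not code from the original page or from any mail provider. The rule dictionary layout, the internal domain list, the finance keyword list and the sample rules are all constructed for the example and are not any vendor's API schema.

```python
"""Audit mailbox rules for the two BEC tell-tales described in the text:
forwarding/redirecting to an external address, and deleting or hiding
messages that concern payments. Added example with a constructed rule format."""

INTERNAL_DOMAINS = {"examplecompany.com"}   # constructed: domains the organization owns
FINANCE_KEYWORDS = ("invoice", "payment", "wire", "bank", "remit", "account")
# Folders attackers commonly pick because nobody reads them (assumption of the example)
HIDING_FOLDERS = ("RSS Feeds", "Conversation History", "Archive", "Junk Email")


def is_external(address: str) -> bool:
    """True when the address belongs to a domain the organization does not own."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def rule_findings(rule: dict) -> list[str]:
    """Return the reasons a single rule is suspicious (empty list if benign)."""
    findings: list[str] = []
    if not rule.get("enabled", True):
        return findings
    actions = rule.get("actions", {})
    conditions = rule.get("conditions", {})

    # 1. Forward or redirect to any address outside the organization
    for key in ("forward_to", "redirect_to"):
        for addr in actions.get(key, []):
            if is_external(addr):
                findings.append(f"{key} external address {addr}")

    # 2. Deleting, or moving to an obscure folder, messages that mention money
    text = " ".join(conditions.get("subject_contains", []) + conditions.get("body_contains", []))
    hides = bool(actions.get("delete")) or actions.get("move_to_folder") in HIDING_FOLDERS
    if hides and any(k in text.lower() for k in FINANCE_KEYWORDS):
        findings.append("hides finance-related messages")

    # 3. Hiding every inbound message (no conditions at all) silences the victim's mailbox
    if hides and not conditions:
        findings.append("hides all inbound mail")
    return findings


def audit_mailbox(rules: list[dict]) -> dict[str, list[str]]:
    """Map each suspicious rule's name to its findings; benign rules are omitted."""
    return {r["name"]: f for r in rules if (f := rule_findings(r))}


# Constructed sample rules: one benign, two matching the behaviour the page describes
SAMPLE_RULES = [
    {"name": "Newsletters", "enabled": True,
     "conditions": {"from_contains": ["news@"]},
     "actions": {"move_to_folder": "Newsletters"}},
    {"name": ".", "enabled": True,
     "conditions": {"subject_contains": ["invoice", "wire"]},
     "actions": {"move_to_folder": "RSS Feeds", "mark_read": True}},
    {"name": "Backup", "enabled": True,
     "conditions": {},
     "actions": {"forward_to": ["j.kelly.backup@freemail.example"]}},
]

if __name__ == "__main__":
    for name, why in audit_mailbox(SAMPLE_RULES).items():
        print(f"SUSPICIOUS rule {name!r}: {'; '.join(why)}")
```

In practice the rule list would be pulled from the provider's administrative API for every mailbox on a schedule, and a hit on a finance or executive mailbox should be treated as a likely account compromise rather than a policy violation, since the rule is usually created after the credentials have already been stolen.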

What to look for in an email:

  • Suspicious email address of the sender.  The email address of the sender(s) can mimic legitimate businesses. Threat actors often leverage email addresses that resemble reputable organizations but alter or omit a few letters and numbers.
  • Generic greetings and signatures.  Lack of contact information in an email signature block, or generic greetings such as "Sir/Ma’am" or "Dear Valued Customer" are strong indicators of a phishing email.
  • Misspelling and layout.  Odd sentence structure, misspellings, poor grammar, and inconsistent formatting are strong indicators of a potential phishing attempt.
  • Spoofed websites and hyperlinks.  Hover the cursor over links in the body of an email; if the displayed link text does not match the actual destination, the link may be spoofed. Malicious variations on legitimate domains use different spellings or a different top-level domain, such as .net instead of .com. Other tactics include the use of URL shortening services to conceal the true destination of links.
  • Suspicious attachments.  Unsolicited emails which request users to open or download attachments are common delivery mechanisms for malware.

Common Indicators (Red Flags):

  • E-mailed transaction instructions direct payment to a known beneficiary; however, the beneficiary’s account information is different from what was previously used.
  • E-mailed transaction instructions direct wire transfers to a foreign bank account that has been documented in customer complaints as the destination of fraudulent transactions.
  • E-mailed transaction instructions direct payment to a beneficiary with which the customer has no payment history or documented business relationship, and the payment is in an amount similar to or in excess of payments sent to beneficiaries whom the customer has historically paid.
  • E-mailed transaction instructions include markings, assertions, or language designating the transaction request as "Urgent," "Secret," or "Confidential."
  • E-mailed transaction instructions are delivered in a way that would give the financial institution limited time or opportunity to confirm the authenticity of the requested transaction.
  • E-mailed transaction instructions originate from a customer’s employee who is a newly authorized person on the account or is an authorized person who has not previously sent wire transfer instructions.
  • A customer’s employee or representative e-mails financial institution transaction instructions on behalf of the customer that is based exclusively on e-mail communications originating from executives, attorneys, or their designees. However, the customer’s employee or representative indicates he/she has been unable to verify the transactions with such executives, attorneys, or designees.
  • A customer e-mails transaction requests for additional payments immediately following a successful payment to an account not previously used by the customer to pay its suppliers/vendors. Such behavior may be consistent with a criminal attempting to issue additional unauthorized payments upon learning that a fraudulent payment was successful.
  • A wire transfer is received for credit into an account; however, the wire transfer names a beneficiary that is not the account holder of record. This may reflect instances where a victim unwittingly sends wire transfers to a new account number, provided by a criminal impersonating a known supplier/vendor while thinking the new account belongs to the known supplier/vendor, as described in the above BEC Scenario 3. This red flag may be seen by financial institutions receiving wire transfers sent by another financial institution as the result of e-mail-compromise fraud.
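Several of the red flags above can be checked mechanically against an organization's own payment history before a wire is released: a known beneficiary whose account details have changed, a first-time beneficiary receiving an amount comparable to what established vendors get, urgency or secrecy language, a requester who has never submitted wire instructions, and a second request right after a first payment to a new account. The following screening routine is an added example and is not code from the original page. The `Payment` and `History` data shapes, the use of the median historical amount as the "comparable" threshold, the watch list of previously reported destinations and the sample history are all constructed for the example.

```python
"""Screen a payment request against the red flags listed on this page.
Added example; data shapes, thresholds and sample history are constructed."""

from dataclasses import dataclass, field
from statistics import median

URGENCY_MARKERS = ("urgent", "secret", "confidential")


@dataclass
class Payment:
    beneficiary: str
    account: str            # constructed: bank identifier + account number
    amount: float
    requested_by: str       # employee who submitted the instructions
    instructions: str = ""  # free text taken from the e-mail


@dataclass
class History:
    payments: list[Payment] = field(default_factory=list)
    flagged_destinations: set[str] = field(default_factory=set)  # constructed watch list

    def accounts_for(self, beneficiary: str) -> set[str]:
        return {p.account for p in self.payments if p.beneficiary == beneficiary}

    def has_sent_wires(self, employee: str) -> bool:
        return any(p.requested_by == employee for p in self.payments)


def red_flags(req: Payment, hist: History) -> list[str]:
    """Return the red flags the request triggers; an empty list means none fired."""
    flags: list[str] = []
    known_accounts = hist.accounts_for(req.beneficiary)

    # Known beneficiary, but the account differs from every account used before
    if known_accounts and req.account not in known_accounts:
        flags.append("known beneficiary with changed account information")

    # No payment history, yet the amount is in line with (or above) what established vendors receive
    if not known_accounts and hist.payments:
        typical = median([p.amount for p in hist.payments])  # constructed threshold
        if req.amount >= typical:
            flags.append("no payment history and amount comparable to established beneficiaries")

    # Destination already documented as the target of fraudulent transactions
    if req.account in hist.flagged_destinations:
        flags.append("destination account previously reported in fraud complaints")

    # Urgency or secrecy language in the instructions
    if any(m in req.instructions.lower() for m in URGENCY_MARKERS):
        flags.append("instructions marked urgent, secret or confidential")

    # Requester has never submitted wire instructions before
    if not hist.has_sent_wires(req.requested_by):
        flags.append("requester has not previously sent wire instructions")

    # Follow-up request immediately after a first payment to an account new to us
    if hist.payments:
        last = hist.payments[-1]
        earlier = {p.account for p in hist.payments[:-1] if p.beneficiary == last.beneficiary}
        if (last.account not in earlier and req.beneficiary == last.beneficiary
                and req.account == last.account):
            flags.append("additional payment immediately after first payment to a new account")
    return flags


# Constructed payment history: two established vendors, one watch-listed destination
HISTORY = History(
    payments=[
        Payment("Acme Supplies", "BANK-A/111222", 12000.0, "alice"),
        Payment("Acme Supplies", "BANK-A/111222", 9800.0, "alice"),
        Payment("Beta Logistics", "BANK-B/333444", 4500.0, "bob"),
    ],
    flagged_destinations={"BANK-Z/999000"},
)


def demo() -> list[str]:
    """A typical BEC request: known vendor, new account, urgent tone, unfamiliar requester."""
    request = Payment("Acme Supplies", "BANK-C/555666", 11500.0, "carol",
                      instructions="URGENT: please remit to our new account today. Confidential.")
    return red_flags(request, HISTORY)


if __name__ == "__main__":
    for flag in demo():
        print("RED FLAG:", flag)
```

Any non-empty result should route the payment to the callback procedure described in the previous section rather than being treated as a verdict on its own; the flags identify which payments deserve the out-of-band check, they do not replace it.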

Develop a BEC Response Plan

The sooner you report a BEC attack, the better your chances of recovering losses. Be sure to have a plan in place to immediately notify your financial institution of the fraud. 
  • For international wire transfers over $50,000, call your regional FBI office (https://www.fbi.gov/contact-us/field-offices) and local police.  The FBI offers a Financial Fraud Kill Chain (FFKC) process to help recover large international wire transfers stolen from the United States.  The FFKC is intended to be utilized as another potential avenue for U.S. financial institutions to get victim funds returned. 
  • Any wire transfers that occur outside of these thresholds should still be reported to law enforcement (http://www.ic3.gov/) but the FFKC cannot be utilized to return the fraudulent funds.  
  • The plan should also include quickly engaging your IT and information security staff to determine if there has been a network or email compromise.
  • Prepare any reports and notifications required by regulation, law, or policy and deliver as appropriate.
  • Prepare lessons learned reports and socialize as appropriate according to your site’s incident response policies.
  • Share incident details and lessons learned with appropriate management, board-level, or committee-level members.
  • Implement additional controls to minimize the risk of future attacks.

E-Mail Account Compromise (EAC) Schemes

Unlike BEC, EAC schemes target individuals instead of businesses. Individuals who conduct large transactions through financial institutions, lending entities, real estate companies, and law firms are the most likely targets of this type of scheme. EAC schemes often take the following forms:
  • Lending/Brokerage Services: A criminal hacks into and uses the e-mail account of a financial services professional (such as a broker or accountant) to e-mail fraudulent instructions, allegedly on behalf of a client, to the client’s bank or brokerage, to wire-transfer client’s funds to an account controlled by the criminal.
  • Real Estate Services: A criminal compromises the e-mail account of a realtor or of an individual purchasing or selling real estate, for the purposes of altering payment instructions and diverting funds of a real estate transaction (such as sale proceeds, loan disbursements, or fees). Alternately, criminals hack into and use a realtor’s e-mail address to contact an escrow company, instructing it to redirect commission proceeds to an account controlled by the criminal.
  • Legal Services: A criminal compromises an attorney’s e-mail account to access client information and related transactions. The criminal then e-mails fraudulent transaction payment instructions to the attorney’s financial institution. Alternatively, the criminal may compromise a client’s e-mail account to request wire transfers from trust and escrow accounts the client’s attorney manages.

BEC and Cryptocurrency

A cryptocurrency is a form of virtual asset that uses cryptography (the use of coded messages to secure communications) to secure financial transactions and is popular among illicit actors due to the high degree of anonymity associated with it and the speed at which transactions occur.

Currently, there are two known iterations of the BEC scam where cryptocurrency was utilized by criminals. In both situations, the victim is unaware that the funds are being sent to be converted to cryptocurrency.
  • A direct transfer to a cryptocurrency exchange (CE) - In this scenario the fraudster alters the wire transfer information and redirects the payment to a cryptocurrency exchange (CE).
  • "Second Hop" transfer to a cryptocurrency exchange (CE) - This scenario uses victims of other cyber-enabled scams, such as extortion, tech support, and romance scams. Often, these individuals provided copies of identifying documents such as driver's licenses, passports, etc., that are used to open cryptocurrency wallets in their names.  The fraudster opens a cryptocurrency wallet in another fraud victim's name, then alters a wire transfer in a BEC scam, sends the funds to the other victim's falsified cryptocurrency account, and cashes out, making it hard to trace the movement of funds.

E-Mail Account Compromise (EAC) Schemes

BEC and EAC schemes are similar and, therefore, may exhibit similar suspicious behavior, which can be identified by one or more of the following red flags:
  • A customer’s seemingly legitimate e-mailed transaction instructions contain different language, timing, and amounts than previously verified and authentic transaction instructions.
  • Transaction instructions originate from an e-mail account closely resembling a known customer’s e-mail account; however, the e-mail address has been slightly altered by adding, changing, or deleting one or more characters. For example:
    - Legitimate e-mail address: john-doe@abc.com
    - Fraudulent e-mail addresses: john_doe@abc.com, john-doe@bcd.com
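The lookalike-address red flag above, together with the john.kelly/john.kelley example and the ".net vs .com" tactic described earlier on this page, can be checked automatically against a directory of known contacts: an address that is not an exact match but sits within one or two character edits of a known address, or reuses its local part with a different domain, is almost certainly an imitation. The following checker is an added example, not code from the original page. The contact list, the edit-distance threshold of 2 and the small table of visually confusable character sequences are assumptions of the example; the two fraudulent addresses it is tested against are the page's own.

```python
"""Flag sender addresses that imitate a known contact: characters added, changed
or deleted, a swapped domain, or visually confusable characters.
Added example; the contact directory and thresholds are constructed."""

# Constructed directory of addresses the organization has verified out of band
KNOWN_CONTACTS = {"john-doe@abc.com", "john.kelly@examplecompany.com"}

# Character sequences that look alike in common fonts (a small assumed subset)
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insertions, deletions and substitutions each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def normalize(address: str) -> str:
    """Lower-case and fold confusable sequences so 'exarnple' compares equal to 'example'."""
    s = address.lower()
    for fake, real in CONFUSABLES:
        s = s.replace(fake, real)
    return s


def lookalike_of(address: str, contacts=KNOWN_CONTACTS, max_distance: int = 2):
    """Return the known contact this address imitates, or None.
    Exact matches are trusted. Anything within max_distance edits of a contact
    after normalization, or sharing a contact's local part under a different
    domain, is reported as a lookalike."""
    if address.lower() in {c.lower() for c in contacts}:
        return None
    addr = normalize(address)
    local, _, domain = addr.partition("@")
    for contact in contacts:
        c = normalize(contact)
        c_local, _, c_domain = c.partition("@")
        if levenshtein(addr, c) <= max_distance:
            return contact
        # Same person, different domain: abc.com vs abc.net, or vs bcd.com
        if local == c_local and domain != c_domain:
            return contact
    return None


if __name__ == "__main__":
    # The page's own examples plus a confusable-character variant
    for candidate in ("john-doe@abc.com", "john_doe@abc.com", "john-doe@bcd.com",
                      "john.kelley@examplecompany.com", "john.kelly@exarnplecompany.com"):
        print(f"{candidate:35} -> imitates {lookalike_of(candidate)}")
```

A check like this belongs in the mail gateway or in the payments team's intake tooling, where a hit should prompt the out-of-band callback rather than an automatic block, because legitimate contacts do occasionally change addresses and the directory itself must be kept current.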