FDIC-Insured - Backed by the full faith and credit of the U.S. Government
BUSINESS EMAIL COMPROMISE
Business Email Compromise (BEC) is a type of fraud where criminals impersonate a trusted contact—such as a vendor, employee, or executive—to trick you into sending payments to the wrong account.
How the Scam Works
Fraudsters use one or more of the following tactics:
Phishing
An employee receives an email that includes a malicious link or attachment.
Domain spoofing
The attacker registers an email domain that closely resembles a real one, for example replacing ".com" with ".co", or swapping, dropping or substituting one character in the company name.
Email forwarding rules
After gaining access to a legitimate account, a fraudster may set up automatic forwarding or inbox rules to monitor messages, intercept payment confirmations, or hide replies and alerts from the account owner.
Common Fraud Scenarios
Change of direct deposit
The fraudster intercepts payroll or HR communications and submits a request to reroute an employee’s salary to a fraudulent account.
Change of vendor payment details
The fraudster monitors vendor emails and sends updated payment instructions, causing payments to be redirected to the fraudster.
Interception of fraud alerts or confirmations
Security alerts, password reset emails, or payment confirmations are forwarded or hidden, preventing the legitimate user from detecting suspicious activity.
Common Targets
- Municipalities and government entities
- Businesses of all sizes
- Nonprofits
- Schools or Universities
Key Warning Signs
- Sudden change in payment instructions (different financial institutions, new account number or routing numbers)
- Changes to vendor contact details (e.g. a new phone number or email address to use for payment verification)
- Emails that feel slightly off or unusual (e.g. different tone, grammar or signature)
- Small changes in email addresses (e.g. company.com to campny.com, or altered characters)
- Instructions to mail a check to a different address or new address
- Urgent or confidential payment requests (e.g. pressure to send a wire, check or ACH immediately, or "keep this between us")
- Unusual timing or context (e.g. outside business hours or unexpected requests)
- Requests that bypass normal procedures
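The look-alike domains described under "Domain spoofing" and in the warning signs above (".com" swapped for ".co", a character changed in the company name) can be caught mechanically before a request reaches a payment clerk. The script below is an added example, not code from the original page: it keeps a constructed allow-list of domains the organization actually does business with, normalizes common visual tricks (digits for letters, "rn" for "m"), and classifies the From and Reply-To domains of a constructed sample message. The domain names, addresses and thresholds are assumptions for illustration.

```python
"""Flag look-alike sender domains in a vendor-change request.

Added example, not code from the original page. The allow-list, the
sample message and the thresholds are constructed for illustration.
"""
from email import message_from_string
from email.utils import getaddresses

# Constructed allow-list: domains of vendors, payroll providers and your own org.
KNOWN_DOMAINS = {"company.com", "acmevendor.com", "citypayroll.gov"}

# Single-character look-alikes commonly swapped into domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalize(label):
    """Collapse common visual tricks so 'c0rnpany' compares equal to 'company'."""
    label = label.lower().replace("rn", "m").replace("vv", "w")
    return label.translate(HOMOGLYPHS)


def edit_distance(a, b):
    """Levenshtein distance: number of single-character edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain):
    """Return (verdict, matched_known_domain).

    Verdicts: 'known', 'lookalike-tld', 'lookalike-homoglyph',
    'lookalike-edit' or 'unknown'.
    """
    domain = domain.lower().strip()
    if domain in KNOWN_DOMAINS:
        return "known", domain
    # Assumption: split on the last dot only (no multi-label suffixes like .co.uk).
    name, _, tld = domain.rpartition(".")
    nname = normalize(name)
    for known in sorted(KNOWN_DOMAINS):
        kname, _, ktld = known.rpartition(".")
        if nname == normalize(kname):
            return ("lookalike-tld" if tld != ktld else "lookalike-homoglyph"), known
        # Only compare reasonably long names: tiny names differ by two edits trivially.
        if len(kname) >= 5 and edit_distance(nname, normalize(kname)) <= 2:
            return "lookalike-edit", known
    return "unknown", None


def check_message(raw):
    """Classify every address in From and Reply-To; return those not on the allow-list."""
    msg = message_from_string(raw)
    findings = []
    for header in ("From", "Reply-To"):
        for _display, addr in getaddresses(msg.get_all(header, [])):
            verdict, match = classify_domain(addr.rpartition("@")[2])
            if verdict != "known":
                findings.append((header, addr, verdict, match))
    return findings


# Constructed sample: a "remittance update" with a homoglyph From domain and a
# Reply-To on a swapped-TLD domain, so replies go to the fraudster.
SAMPLE = """\
From: AP Team <billing@c0rnpany.com>
Reply-To: billing@acmevendor.co
To: ap@company.com
Subject: Updated remittance details

Please update our bank account before the next payment run.
"""

if __name__ == "__main__":
    for header, addr, verdict, match in check_message(SAMPLE):
        print(f"{header}: {addr} -> {verdict} (resembles {match})")
```

A hit on this check is a reason to pick up the phone, not a verdict on its own: the message should still be verified by calling a number already on file for the vendor.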
How to Protect Your Business
- Train employees regularly. Include BEC awareness as part of onboarding or routine training. Reinforce how to identify suspicious messages and what to do when one is received.
- Verify every transfer. Never authorize or initiate a wire or ACH transfer, or issue a check, solely on the basis of an email request. Call the person or company directly using a known, documented phone number to confirm, never a number supplied in the email itself.
- Implement dual controls. When possible, require two people to review and approve all payment requests or changes to vendor account details.
- Use multifactor authentication (MFA). Adding an extra layer of protection makes it harder for criminals to access email or financial systems, even if a password is compromised.
- Limit public information. Avoid posting financial or personal details online that could help scammers impersonate your organization.
- Register similar domains. Protect your brand by purchasing web domains that resemble your company’s name, including common misspellings or alternative endings like “.co” or “.net.”
- Regularly review email forwarding and inbox rules. Look for rules that forward mail outside the organization, or that delete or file messages matching payment or security-related subjects.
- Test and review regularly. Conduct phishing simulations and social engineering tests to measure employee awareness and update your policies based on results.
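The forwarding-rule review above, and the interception tactic described under "Email forwarding rules", can be automated against an export of every mailbox's rules. The script below is an added example, not code from the original page: it reads a constructed CSV export, flags rules that forward or redirect to a domain outside the organization, and raises the severity when the same rule also deletes the message, files it in a folder the owner rarely opens, or filters on payment and security subjects. The column names are an assumption modeled on an Exchange Online "Get-InboxRule | Export-Csv" export; adjust them to whatever your mail platform produces.

```python
"""Audit an inbox-rule export for the forwarding patterns used in BEC.

Added example, not code from the original page. The CSV below is constructed,
and its column names are an assumption modeled on an Exchange Online
'Get-InboxRule | Export-Csv' export; adjust them to your platform.
"""
import csv
import io
import re

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

# Folders attackers use to park intercepted mail where the owner will not look.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "deleted items", "junk email", "archive", "notes"}

# Subject keywords that single out payment, payroll and security traffic.
INTERCEPT_RE = re.compile(
    r"\b(invoice|payment|wire|ach|remit\w*|direct deposit|bank\w*|password|"
    r"verification|security alert)\b", re.I)


def external_targets(row, org_domains):
    """Addresses in the forward/redirect fields whose domain is not ours."""
    fields = (row.get("ForwardTo", ""), row.get("ForwardAsAttachmentTo", ""),
              row.get("RedirectTo", ""))
    addrs = EMAIL_RE.findall(" ".join(fields))
    return [a for a in addrs if a.rpartition("@")[2].lower() not in org_domains]


def audit_rules(csv_text, org_domains):
    """Return one finding per suspicious enabled rule:
    (mailbox, rule name, severity, reasons)."""
    org_domains = {d.lower() for d in org_domains}
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get("Enabled", "True").lower() != "true":
            continue
        reasons = []
        targets = external_targets(row, org_domains)
        if targets:
            reasons.append("forwards externally to " + ", ".join(targets))
        if row.get("DeleteMessage", "").lower() == "true":
            reasons.append("deletes the message")
        folder = row.get("MoveToFolder", "").strip()
        if folder.lower() in HIDING_FOLDERS:
            reasons.append("moves mail to " + folder)
        subject = row.get("SubjectContainsWords", "")
        if INTERCEPT_RE.search(subject):
            reasons.append("filters on payment/security subjects: " + subject)
        name = row.get("Name", "").strip()
        if not re.search(r"[A-Za-z0-9]", name):
            reasons.append("rule name is blank or punctuation only")
        if not reasons:
            continue
        # External forwarding combined with hiding, deleting or subject filtering
        # is the classic interception pattern; forwarding alone still needs a look.
        if targets and len(reasons) > 1:
            severity = "high"
        elif targets:
            severity = "medium"
        else:
            severity = "low"
        findings.append((row.get("MailboxOwnerId", "?"), name or "<unnamed>",
                         severity, reasons))
    return findings


# Constructed export: one hidden interception rule, two benign rules, one
# benign external forward, and one disabled rule.
SAMPLE_CSV = "\n".join([
    "MailboxOwnerId,Name,Enabled,ForwardTo,ForwardAsAttachmentTo,RedirectTo,"
    "DeleteMessage,MoveToFolder,SubjectContainsWords",
    "ap@company.com,.,True,HR [SMTP:ap.company@mail-outlook.example],,,True,"
    "RSS Feeds,invoice;payment;wire",
    "ap@company.com,Newsletters,True,,,,False,Newsletters,newsletter",
    "cfo@company.com,Copy to assistant,True,"
    "Assistant [SMTP:assistant@company.com],,,False,,",
    "cfo@company.com,Forward travel,True,"
    "Travel [SMTP:cfo.company@freemail.example],,,False,,itinerary",
    "hr@company.com,,False,x [SMTP:payroll@example.net],,,True,Deleted Items,"
    "direct deposit",
])

if __name__ == "__main__":
    for mailbox, name, severity, reasons in audit_rules(SAMPLE_CSV, {"company.com"}):
        print(f"[{severity}] {mailbox} rule {name!r}: " + "; ".join(reasons))
```

Run this on a schedule and compare against the previous export: a rule that appeared overnight in an accounts-payable mailbox and forwards to a free webmail domain is worth a same-day password reset and session revocation, not a ticket for next week.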
If you suspect you are being defrauded or are a victim of fraud
- If the request came by phone, end the call immediately. Do not click on links sent via text or email.
- Contact your bank immediately.
- Ask your bank to attempt to recall the payment.
- Report the incident to your internal security team.
- Notify the affected vendor.
- Contact law enforcement (e.g. FBI/IC3 and local police).