The widespread reliance on email has made it a prime target for cybercriminals. Over the past few years, a form of cyberattack known as business email compromise (BEC) has escalated in frequency and impact, causing significant financial and reputational damage to victim companies.
What is business email compromise?
BEC is an email-based fraud scheme that often unfolds over several weeks or months. Cybercriminals target businesses by infiltrating or mimicking employee email accounts to pose as a known contact or existing supplier. These fraudulent emails request fund transfers to fake accounts. Because the requests appear routine and come from what seems like a trusted source, the victim may unknowingly authorize payments to criminals.
BEC: Business examples
One of the most challenging aspects of BEC is that it’s often months before the target realizes they’ve been a victim of fraud. Below are two examples of how criminals can use BEC to defraud business clients.
- A business employee receives an email that appears to be from a vendor but is actually spoofed by a fraudster. The email states that the vendor’s bank account information has changed and provides new payment instructions. Since the email appears to be from a known contact and requests a regularly occurring payment amount, the employee authorizes the payment without suspicion. A few months later, the true vendor notifies the business that they have not received payment.
- An HR representative receives an email that appears to be from an internal employee’s email account with new direct deposit instructions for payroll. When the employee contacts HR about not receiving their next expected payroll, the company realizes they are the victim of a hacker.
How AI is making BEC harder to detect
Cybercriminals now use artificial intelligence (AI) to make BEC scams much harder to spot. AI tools can mirror an executive’s writing style, pull details from public sources, and craft emails that look authentic — without the spelling or grammar mistakes common in older scams. Criminals can also time their attacks for when teams are busiest or key staff members are away. As these traditional warning signs disappear, organizations need stronger verification steps and heightened awareness to help prevent fraud.
Tips for protecting your business from BEC fraud
Remember, it only takes one deceived employee fulfilling a fraudulent request to victimize your entire company. To help your business avoid being defrauded by BEC schemes:
- Ensure all employees, particularly those with financial authorization, understand how BEC works and know what to look for.
- Enforce a strict policy to never alter payment instructions without verifying directly with the requester using a previously verified phone number — not one provided in the email.
- Require multiple levels of approval from authorized employees for all outgoing payments.
- Scrutinize all emails that request urgent action regarding transactions or sensitive information.
- Verify payment requests and confirm receipt of payment via trusted contact information.
- Review accounts frequently for suspicious transactions or unusual activity.
- Enable accounts payable (AP) automation to help secure payment processes, monitor activity and transactions, and authenticate vendors and payment requests.
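The verification and dual-approval controls above can be enforced in software rather than left to memory. The following added example (not KeyBank's or EACCNY's code) models a vendor bank-detail change request: the callback always goes to the number recorded at onboarding, never the one supplied in the email, and the change is held until it is confirmed on that line and approved by two distinct people. The vendor record, request and names are constructed for illustration.

```python
from dataclasses import dataclass

MIN_APPROVERS = 2  # policy: two distinct authorized approvers per payment change


@dataclass(frozen=True)
class Vendor:
    name: str
    verified_phone: str  # number confirmed out-of-band when the vendor was onboarded
    bank_account: str


@dataclass(frozen=True)
class ChangeRequest:
    vendor_name: str
    new_bank_account: str
    callback_phone_in_email: str  # the number the email asks us to call


def callback_number(vendor: Vendor, req: ChangeRequest) -> str:
    """The number to dial is always the one on file; the email's number is ignored."""
    return vendor.verified_phone


def review_change(vendor: Vendor, req: ChangeRequest,
                  confirmed_on_file_number: bool,
                  approvers: list[str]) -> tuple[str, list[str]]:
    """Return ("APPLY" | "HOLD", notes). Blocking conditions are listed first."""
    blockers, notes = [], []
    if req.callback_phone_in_email != vendor.verified_phone:
        notes.append("email offers a callback number that differs from the one on file; ignored")
    if not confirmed_on_file_number:
        blockers.append(f"not yet confirmed by calling {vendor.verified_phone}")
    distinct = set(approvers)
    if len(distinct) < MIN_APPROVERS:
        blockers.append(f"{MIN_APPROVERS} distinct approvers required, have {len(distinct)}")
    return ("HOLD" if blockers else "APPLY"), blockers + notes


# Constructed sample data: a spoofed "changed bank account" email for a known vendor.
ACME = Vendor("Acme Supplies", "+1-555-0100", "****1234")
REQUEST = ChangeRequest("Acme Supplies", "****9876", callback_phone_in_email="+1-555-0199")

if __name__ == "__main__":
    print("dial:", callback_number(ACME, REQUEST))
    print(review_change(ACME, REQUEST, confirmed_on_file_number=False, approvers=["alice"]))
    print(review_change(ACME, REQUEST, confirmed_on_file_number=True, approvers=["alice", "alice"]))
    print(review_change(ACME, REQUEST, confirmed_on_file_number=True, approvers=["alice", "bob"]))
```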
What to do if your business becomes a victim of fraud
If you suspect your business has been targeted by fraud, immediately contact any financial institution where you maintain an account.
Compliments of KeyBank – a member of the EACCNY