Business email compromise: What you can do to prevent fraud and recover funds

Fight back against this major cyber threat.

Business email compromise (BEC) is one of the greatest cyber threats to businesses of all sizes and industries, particularly those that regularly wire funds. According to the Federal Bureau of Investigation, between June 2016 and December 2021, BEC scams were reported in all 50 states and 177 countries, with more than 140 countries receiving fraudulent transfers. These statistics are based on information reported to the FBI by victims, law enforcement, and the banking community. Actual and attempted dollar losses associated with these reports exceed $43 billion. Because these numbers reflect only compromises that were reported, the true cost of BEC scams is almost certainly much greater.

You can protect yourself, your family, and your business from BEC and redirected wire fraud schemes by knowing what to look for, how to defend against the social engineering used to perpetrate these schemes, and whom to call if you discover a wire redirection fraud scheme.

What is a BEC? 

A BEC typically begins when a criminal threat actor gains access to a legitimate business or personal email account through social engineering or computer intrusion. BEC actors can also use spoofed (fake) accounts that appear to belong to a trusted source, or to a party to a funds transfer, but were created solely to facilitate the fraud scheme. In the credential-phishing variant described below, no malware is involved at all: a stolen password and a convincing email are enough.

How does a BEC occur?   

BECs normally occur in three steps.

Step One – Targeting of high-value accounts. Criminal threat actors target email accounts for compromise based on open source intelligence and social engineering. Think about your business – are your Accounts Payable employees listed on your website? Do your employees have accounts on LinkedIn that list their positions and duties? Threat actors scan the internet and social media to identify potential high-value targets for account compromise.

Step Two – Account compromise. Email accounts are typically compromised through a credential-harvesting phishing attack. The user receives an email containing what appears to be a legitimate link; the link leads to a login page imitating the real one, which prompts the user to enter an email login and password. Once the credentials are entered and harvested, and if multifactor authentication is not enforced, the threat actor can log into the account virtually undetected and do anything the legitimate user can do. This includes reading email, creating inbox rules (usually to delete emails or move them to obscure folders, hiding the threat actor's activity from the true user), searching the mailbox for outstanding invoices, and even sending emails from the account that impersonate the user. A compromise can continue undetected for days, weeks, or even months, and because inbox rules survive a password reset, they must be found and removed during any cleanup.

Step Three – Redirected payment(s). The threat actor then inserts into existing email chains and provides “updated” or revised wire instructions for payments. Unsuspecting parties issue payments to accounts that do not belong to the intended recipients. After the payment lands in the account the threat actor controls, the threat actor may email one or both parties to the transaction (for example, assuring the payer that the funds arrived, or telling the payee that payment is delayed) to postpone discovery of the redirection.
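Mailbox rules are the persistence mechanism in Step Two and the first thing to review when a compromise is suspected. The script below is an added example, not code from this article or from any product: it triages a list of inbox rules for the hiding tricks described above, and for two indicators the text does not list but that are routine in BEC investigations, namely forwarding to an address outside the organization and filtering on security-warning words. The rule records are constructed; their field names follow those the Exchange Online Get-InboxRule cmdlet reports, and ORG_DOMAINS, the folder list and the keyword lists are assumptions to adapt.

```python
"""Triage mailbox inbox rules for the persistence tricks used in BEC (added example).

The rule records below are CONSTRUCTED. Their field names follow the properties
Exchange Online's Get-InboxRule reports (Name, Enabled, DeleteMessage, MoveToFolder,
ForwardTo, RedirectTo, ForwardAsAttachmentTo, MarkAsRead, SubjectContainsWords,
FromAddressContainsWords); a real export converted to JSON can be fed in the same way.
"""
from typing import Iterable

ORG_DOMAINS = {"example.com"}  # assumption: the organization's own mail domains

# Folders users rarely open; attackers move mail here so nothing looks "missing"
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "deleted items", "archive", "notes"}
# Words attackers filter on: payment traffic they want to control, warnings they want hidden
FINANCE_TERMS = {"invoice", "wire", "payment", "remittance", "ach", "bank", "account"}
SECURITY_TERMS = {"hack", "phish", "suspicious", "fraud", "password", "compromise", "security"}

SAMPLE_RULES = [  # constructed data: one benign rule, two typical attacker rules
    {"Name": "Vendor invoices", "Enabled": True, "DeleteMessage": False,
     "MoveToFolder": "Invoices", "ForwardTo": [], "RedirectTo": [],
     "ForwardAsAttachmentTo": [], "MarkAsRead": False,
     "SubjectContainsWords": ["invoice"], "FromAddressContainsWords": ["@acmecorp.com"]},
    {"Name": ".", "Enabled": True, "DeleteMessage": True,
     "MoveToFolder": None, "ForwardTo": [], "RedirectTo": [],
     "ForwardAsAttachmentTo": [], "MarkAsRead": True,
     "SubjectContainsWords": ["wire", "payment", "hacked", "phish"], "FromAddressContainsWords": []},
    {"Name": "Sync", "Enabled": True, "DeleteMessage": False,
     "MoveToFolder": "RSS Feeds", "ForwardTo": ["ar.backup@mail-example.net"], "RedirectTo": [],
     "ForwardAsAttachmentTo": [], "MarkAsRead": True,
     "SubjectContainsWords": [], "FromAddressContainsWords": ["@acmecorp.com"]},
]


def _external(addresses: Iterable[str], org_domains: set[str]) -> list[str]:
    """Addresses whose domain is not ours; strips a 'Name [SMTP:addr]' wrapper if present."""
    out = []
    for a in addresses or []:
        addr = a.split("SMTP:")[-1].rstrip("]").strip().lower()
        if addr.rpartition("@")[2] not in org_domains:
            out.append(addr)
    return out


def triage_rule(rule: dict, org_domains: set[str] = ORG_DOMAINS) -> dict:
    """Return {'high': [...], 'context': [...]} findings for one rule.

    'high' findings hide, delete or exfiltrate mail; 'context' findings only
    explain what the rule targets and are harmless on their own.
    """
    high, context = [], []
    name = (rule.get("Name") or "").strip()
    if len(name) <= 2:
        high.append(f"near-empty rule name {name!r} (easy to overlook in the rules list)")
    if rule.get("DeleteMessage"):
        high.append("deletes matching mail")
    folder = (rule.get("MoveToFolder") or "").rpartition("\\")[2].lower()
    if folder in HIDING_FOLDERS:
        high.append(f"moves matching mail to rarely-viewed folder '{rule['MoveToFolder']}'")
    for key in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):
        for addr in _external(rule.get(key), org_domains):
            high.append(f"{key} sends mail outside the organization to {addr}")
    words = [w.lower() for w in (rule.get("SubjectContainsWords") or [])
             + (rule.get("FromAddressContainsWords") or [])]
    if any(t in w for w in words for t in FINANCE_TERMS):
        context.append("filters on payment-related words")
    if any(t in w for w in words for t in SECURITY_TERMS):
        context.append("filters on security-warning words (hides alerts about the compromise)")
    if rule.get("MarkAsRead") and high:
        context.append("marks mail as read so no unread count betrays the rule")
    if not rule.get("Enabled", True):
        context.append("currently disabled (can be re-enabled without notice)")
    return {"high": high, "context": context}


def suspicious_rules(rules: list[dict], org_domains: set[str] = ORG_DOMAINS) -> list[str]:
    """Names of rules with at least one 'high' finding; keyword-only rules are not listed."""
    return [r["Name"] for r in rules if triage_rule(r, org_domains)["high"]]


if __name__ == "__main__":
    for r in SAMPLE_RULES:
        print(repr(r["Name"]), triage_rule(r))
```

Run against the sample, the benign "Vendor invoices" rule produces only a context note, while "." (delete plus mark-as-read, filtering on both payment and security words) and "Sync" (move to RSS Feeds plus external forwarding) are reported. Rules created or modified shortly before a payment change request deserve the closest look.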

Best practices to prevent wire redirection fraud

Any user can easily fall victim to a BEC.  Threat actors are becoming increasingly sophisticated and creative with their attempts to compromise user accounts.  Here are some practical tips to prevent fraud and data compromise:

  • Develop and implement a written internal policy for invoice payments and for changes to wire instructions, including who may approve a change and how it is verified.
  • Flag requests for extra scrutiny if they attempt to bypass normal channels (for example, a request sent directly to one employee rather than through the usual invoicing process).
  • Call and verify any updated payment request using contact information you already had on file before the request arrived, not the telephone number or address in the email that made the request. Threat actors often alter email signatures so that a “verification” call goes to them.
  • Configure mail clients to display the sender’s full email address, not just the display name, which a sender can set to anything.
  • Closely analyze emails that display poor grammar, frequent misspellings, or odd word usage; threat actors often use the phrase “please kindly” in wire redirection fraud. Do not rely on this alone, however: a message sent from a genuinely compromised account and inserted into an existing thread can read exactly like the real user.
  • If using a mobile device for wire transactions, expand and verify the full email address; mobile clients usually show only the name.
  • Encourage employees to pause and verify before sending payment. Threat actors rely on pressured timelines and demands for quick turnaround.
  • Enforce multifactor authentication on all employee email accounts, preferring phishing-resistant methods (such as FIDO2 security keys) where available, since a credential-harvesting page can capture a one-time code as easily as a password. Audit mailbox inbox rules and block automatic forwarding to external domains; those are how an attacker keeps a compromised mailbox quiet.
  • Train all employees on how to spot a potential BEC. These scams exploit human error and require a people-centric defense to prevent, detect, and respond to the wide range of BEC techniques.
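Several of the checks above (display name versus full address, the “please kindly” phrase, pressured timelines, a telephone number in the signature that differs from the one on file) can be applied mechanically before a human reviews a payment-change request. The script below is an added example, not material from this article; the email, the vendor directory KNOWN_CONTACTS and the phrase lists are constructed, and it also checks the Reply-To header and lookalike sender domains, which the list above does not mention but which are routine BEC indicators.

```python
"""Score an incoming payment-change email for BEC indicators (added example).

Assumed: the finance team keeps each vendor's address and phone number on file
(KNOWN_CONTACTS) from before any change request arrived, and verification calls use
that number, never the one in the email's signature. The message is CONSTRUCTED.
"""
import re
from email import message_from_string
from email.policy import default as default_policy
from email.utils import parseaddr

KNOWN_CONTACTS = {  # constructed vendor directory, keyed by the address on file
    "ap@acmecorp.com": {"name": "Jane Doe", "phone": "+1 503 555 0100"},
}
KNOWN_DOMAINS = {a.rpartition("@")[2] for a in KNOWN_CONTACTS}
WIRE_CHANGE = ("updated wire", "new bank", "new account", "changed our bank", "remittance details")
URGENCY = ("urgent", "immediately", "as soon as possible", "asap", "end of day", "today")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{8,}\d")

SAMPLE_EMAIL = """\
From: Jane Doe <jane.doe@acmecorp.co>
Reply-To: Jane Doe <acme.receivables@mail-example.net>
To: payables@example.com
Subject: RE: Invoice 4471 - updated wire instructions
Content-Type: text/plain; charset=utf-8

Hi,

Please kindly note that we have changed our bank. Use the updated wire
instructions attached for invoice 4471 and process today.

Thanks,
Jane Doe
Accounts Receivable, Acme Corp
Direct: +1 503 555 0199
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a known domain within 1-2 edits of the sender's is a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def digits(s: str) -> str:
    """Keep only digits so differently formatted phone numbers compare equal."""
    return re.sub(r"\D", "", s)


def bec_indicators(raw: str) -> list[str]:
    """Return human-readable findings; an empty list means no indicator fired."""
    msg = message_from_string(raw, policy=default_policy)
    findings = []
    name, addr = parseaddr(str(msg["From"] or ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    by_name = {c["name"].lower(): a for a, c in KNOWN_CONTACTS.items()}

    # Display name versus full address: phones and many clients show only the name
    if name.lower() in by_name and by_name[name.lower()] != addr:
        findings.append(f"display name '{name}' is on file as {by_name[name.lower()]}, but sender is {addr}")
    # Lookalike sender domain (one or two characters away from a domain on file)
    for kd in KNOWN_DOMAINS:
        if domain != kd and levenshtein(domain, kd) <= 2:
            findings.append(f"sender domain {domain} is a lookalike of {kd}")
    # Reply-To pointing somewhere other than the sender's own domain
    _, reply = parseaddr(str(msg["Reply-To"] or ""))
    if reply and reply.lower().rpartition("@")[2] != domain:
        findings.append(f"Reply-To {reply.lower()} diverts replies away from {domain}")

    body = msg.get_body(preferencelist=("plain",))
    text = ((msg["Subject"] or "") + "\n" + (body.get_content() if body else "")).lower()
    if "please kindly" in text:
        findings.append("contains the phrase 'please kindly'")
    if hits := [p for p in WIRE_CHANGE if p in text]:
        findings.append(f"asks to change payment instructions ({', '.join(hits)})")
    if hits := [p for p in URGENCY if p in text]:
        findings.append(f"pressured timeline ({', '.join(hits)})")
    # A signature phone number that differs from the number on file for that contact
    if name.lower() in by_name:
        on_file = digits(KNOWN_CONTACTS[by_name[name.lower()]]["phone"])
        for line in text.splitlines():
            if any(k in line for k in ("tel", "phone", "direct", "mobile", "call")):
                for m in PHONE_RE.findall(line):
                    if digits(m) != on_file:
                        findings.append(f"signature phone {m.strip()} differs from the number on file")
    return findings


if __name__ == "__main__":
    for f in bec_indicators(SAMPLE_EMAIL):
        print("-", f)
```

On the sample every check fires, which is unrealistic; in practice one or two findings are enough to route the request to the out-of-band verification call the policy requires. The script is a triage aid, not a verdict: a message from a genuinely compromised account will match none of the sender checks and may still be fraudulent.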

Best practices to recover funds

The Financial Fraud Kill Chain (FFKC) is a process that allows victims to attempt recovery of international wire transfers originating from U.S. bank accounts. FFKC is a partnership between the FBI, the Financial Crimes Enforcement Network of the U.S. Treasury (FinCEN), and law enforcement. It can typically be initiated only for international wire transfers of $50,000 or more, and only within 72 hours of the fraudulent transfer. To start it, file a complaint with the FBI’s Internet Crime Complaint Center (IC3, https://www.ic3.gov) and ask the victim’s bank to issue a wire recall request. Both should be done as soon as possible; every hour of delay gives the recipient time to move the funds onward.

For wires that do not meet the FFKC criteria, ask the sending bank to submit a wire recall request to the receiving bank as soon as possible. Redirected funds are most likely to be recovered when the fraud is reported and the recall initiated no more than 72 hours after the transfer.

The Constangy Cyber team has significant experience with BECs. Our attorneys have worked on thousands of  investigations and wire recovery efforts. If you or your organization discover a data compromise, or you would like additional information on how to prepare your organization to prevent BECs, we are available to help 7 days a week, 24 hours a day. Please feel free to contact us at    

  • Donna  Maddux

    Donna is a partner in Constangy’s Portland office and a member of the Constangy Cyber Team. Donna evaluates the severity of potential data security incidents, such as ransomware attacks, company email compromise, and other ...

The Constangy Cyber Advisor posts regular updates on legislative developments, data privacy, and information security trends. Our blog posts are informed through the Constangy Cyber Team's experience managing thousands of data breaches, providing robust compliance advisory services, and consultation on complex data privacy and security litigation. 
