In a recent public service announcement, the FBI’s Internet Crime Complaint Center (IC3) identified a global scam that all small-to-medium-sized businesses should be especially aware of: Business Email Compromises (BECs).
Last year saw an influx of BECs, a startling trend that the FBI predicts will increase with more victims and higher total dollar loss in 2015.
What Are You Up Against? The Stats:
After compiling the BEC complaints of victims in all states and 45 countries from October 2013, when the IC3 began tracking the scam, to December 2014, the following stats were recorded:
- Total U.S. victims: 1,198 – 56.35% of all combined victims
- Total U.S. dollar loss: $179,755,367.08 – 83.62% of total combined dollar loss
So in the past year, almost 1200 Americans have had $180 million stolen right out from under them, and the FBI expects this to only get worse in 2015!
Before I tell you what to expect or how to prevent this costly scam, let’s learn more about the threat that has the federal government buzzing…
What Is A Business Email Compromise?
The IC3 defines a BEC as “a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments.”
Note: While authorities still aren’t sure how attackers pick their victims, the attackers are able to accurately “identify the individuals and protocol necessary to perform wire transfers within a specific business environment.”
Yes, these perpetrators can tailor their attacks to each of your SMB clients’ businesses.
Although BECs vary, they typically follow one of the following three versions:
Version 1 – “The Bogus Invoice Scheme”
Also referred to as “The Supplier Swindle,” this attack occurs when the victim, acting on a payment request that usually arrives by email, wires an invoice payment to a fraudulent account. The scheme is sophisticated enough to replicate what would be a legitimate request, and it often goes undetected.
Note: The amount of the fraudulent wire transfer request is business specific. Attackers request dollar amounts similar to those used in that business’s normal transactions so as not to raise suspicion.
Version 2 – “CEO Fraud”
In this instance, also called a “Business Executive Scam,” cyber-criminals gain access to the email accounts of company executives. They then send fraudulent funds transfer requests to the appropriate employee or directly to the bank.
Note: Fraudulent e-mails received have coincided with business travel dates for executives whose e-mails were mimicked.
Version 3
There’s no nickname for this version, but it occurs when an attacker hacks into an employee’s personal email account and requests that invoice payments be made to fraudulent bank accounts. Attackers use their victims’ contact lists to send transfer requests to those employees’ business vendors. Unfortunately, these businesses may not know about the scam until it’s too late and the money has already changed digital hands.
Note: The IC3 claims that personal email accounts are often hacked more than others.
So what can you expect from all three of these BEC variations? A well-thought-out, sophisticated breach.
How Can You Prevent a BEC?
In response to this announcement, CMIT Solutions shared the 5 Ways to Protect Your Business Email from Cybercriminal Attacks, a helpful blog post for MSPs and SMB end users alike.
While you may understand how easy it is for attackers to compromise employees’ accounts, your clients might not know that a single click can endanger the data of the entire company. This is why client education is everything. They may also not realize that threats have evolved to target the user before they even browse the web or enter credit card information.
Think of Cryptolocker, for instance! The virus became such an epidemic because attackers delivered it through malicious attachments, a channel many unsuspecting users assumed was safe. Do your clients know not to open any unknown or suspicious attachments? Threats like Cryptolocker are only going to evolve and become less detectable over time. It’s crucial that you teach your end users the full spectrum of cybercriminal schemes, including BECs.
For other email security best practices, make sure you check out CMIT's blog post.
BEC as a Form of Phishing
You’re likely familiar with the practice of phishing, in which attackers use malicious email or websites to gain access to personal and financial information by posing as a credible representative or organization. In this way, BECs act as another form of phishing.
If you want to learn more, you should check out my blog post, Phishing Scams: What You Need to Know to Avoid Them.
The United States Computer Emergency Readiness Team (US-CERT) released a few preventative tips of its own. One of these is to “install and maintain anti-virus software, firewalls, and email filters to reduce some of this traffic.” We partner with Webroot so that our partners can protect their clients against these attacks and avoid the costly consequences of downtime.
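The email filters US-CERT recommends can be tuned for the BEC patterns described above. The following Python snippet is an added example (not code from the original post, CMIT, Webroot or US-CERT) that flags the warning signs of a CEO-fraud message: an executive’s display name on an outside address, a lookalike sender domain, a Reply-To pointing somewhere else, and wire-transfer language. The company domain, executive names and sample messages are all constructed for the example.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample environment (assumption): the protected company's domain and the
# executives whose names a CEO-fraud message would borrow.
COMPANY_DOMAIN = "example-smb.com"
EXECUTIVES = {"jane doe", "john roe"}
WIRE_TERMS = re.compile(
    r"\b(wire transfer|wire the funds|urgent payment|new account details|updated bank)\b",
    re.I,
)

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def _edit_distance_1(a, b):
    # True when the two domains differ by one substitution, insertion or deletion
    # (e.g. "examp1e-smb.com" versus "example-smb.com"): enough to fool a quick glance.
    if a == b or not a:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    if abs(len(a) - len(b)) != 1:
        return False
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))

def bec_indicators(raw_message):
    """Return the list of BEC warning signs found in one RFC 822 message."""
    msg = email.message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = _domain(addr)
    flags = []
    if name.lower() in EXECUTIVES and from_dom != COMPANY_DOMAIN:
        flags.append("executive display name on external address")
    if _edit_distance_1(from_dom, COMPANY_DOMAIN):
        flags.append("lookalike sender domain")
    if reply_addr and _domain(reply_addr) != from_dom:
        flags.append("Reply-To domain differs from From domain")
    body = (msg.get_payload(decode=True) or b"").decode(errors="replace")
    if WIRE_TERMS.search(body):
        flags.append("wire/payment change language")
    return flags

# Constructed sample messages: one CEO-fraud attempt, one ordinary vendor email.
SAMPLE_CEO_FRAUD = "From: Jane Doe <jane.doe@examp1e-smb.com>\nReply-To: jane.doe@freemail-example.net\nTo: accounts@example-smb.com\nSubject: Urgent\n\nI am travelling and cannot take calls. Please wire transfer $48,500 to the new account details below today.\n"
SAMPLE_LEGIT = "From: Vendor Support <support@vendor-example.org>\nTo: accounts@example-smb.com\nSubject: Invoice 1042\n\nAttached is the invoice for last month's service.\n"
```

Run `bec_indicators(SAMPLE_CEO_FRAUD)` to see all four flags raised, while the vendor message returns an empty list; in practice the flagged message would be held for a phone call-back to the executive rather than acted on.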
Like most MSPs, you surely know all about these Business Email Compromises (BECs). You may have even had to deal with the aftermath of a few when your clients' systems were infected. Phishing is by no means a new phenomenon, but it's one that's been gaining more steam in our increasingly digital business landscape. If the FBI thinks it deserves more attention and precautionary measures, you know these threats aren't going away any time soon.
As your clients' trusted business advisor, it's your job to safeguard their data. Often, that means protecting data from the end users themselves. That's why we advocate regular cybersecurity education! Rather than lose everything, have your clients gain from your security insight. Some lessons shouldn't be learned the hard way.
By Lily Teplow