Business email compromise (BEC)—also known as email account compromise (EAC)—is one of the most financially damaging online crimes. It exploits the fact that so many of us rely on email to conduct business—both personal and professional.
In a BEC scam, criminals send an email message that appears to come from a known source making a legitimate request, like in these examples:
- A vendor your company regularly deals with sends an invoice with an updated mailing address.
- A company CEO asks her assistant to purchase dozens of gift cards to send out as employee rewards. She asks for the serial numbers so she can email them out right away.
- A homebuyer receives a message from his title company with instructions on how to wire his down payment.
Versions of these scenarios happened to real victims. All the messages were fake. And in each case, thousands—or even hundreds of thousands—of dollars were sent to criminals instead.
How Criminals Carry Out BEC Scams
A scammer might:
- Spoof an email account or website. Slight variations on legitimate addresses (firstname.lastname@example.org vs. email@example.com) fool victims into thinking fake accounts are authentic.
- Send spearphishing emails. These messages look like they’re from a trusted sender to trick victims into revealing confidential information. That information lets criminals access company accounts, calendars, and data that gives them the details they need to carry out the BEC schemes.
- Use malware. Malicious software can infiltrate company networks and gain access to legitimate email threads about billing and invoices. That information is used to time requests or send messages so accountants or financial officers don’t question payment requests. Malware also lets criminals gain undetected access to a victim’s data, including passwords and financial account information.
How to Report
If you or your company fall victim to a BEC scam, it’s important to act quickly:
- Contact your financial institution immediately and request that they contact the financial institution where the transfer was sent.
- Next, contact your local FBI field office to report the crime.
- Also file a complaint with the FBI’s Internet Crime Complaint Center (IC3).
How to Protect Yourself
- Be careful with what information you share online or on social media. By openly sharing things like pet names, schools you attended, links to family members, and your birthday, you can give a scammer all the information they need to guess your password or answer your security questions.
- Don’t click on anything in an unsolicited email or text message asking you to update or verify account information. Look up the company’s phone number on your own (don’t use the one a potential scammer is providing), and call the company to ask if the request is legitimate.
- Carefully examine the email address, URL, and spelling used in any correspondence. Scammers use slight differences to trick your eye and gain your trust.
- Be careful what you download. Never open an email attachment from someone you don't know, and be wary of email attachments forwarded to you.
- Set up two-factor (or multi-factor) authentication on any account that allows it, and never disable it.
- Verify payment and purchase requests in person if possible, or by calling the person to make sure the request is legitimate. You should verify any change in account number or payment procedures with the person making the request.
- Be especially wary if the requestor is pressing you to act quickly.
Public Service Announcements from IC3
02.16.2022 Business E-mail Compromise: Virtual Meeting Platforms
Between 2019 and 2021, the FBI IC3 received an increase in BEC complaints involving the use of virtual meeting platforms.
04.06.2020 Cyber Criminals Conduct Business Email Compromise Through Exploitation of Cloud-Based Email Services, Costing U.S. Businesses More Than $2 Billion
Cyber criminals are targeting organizations that use popular cloud-based email services to conduct BEC scams.
09.10.2019 Business Email Compromise: The $26 Billion Scam
Business email compromise/email account compromise is a sophisticated scam that targets both businesses and individuals who perform legitimate transfer-of-funds requests.
Related FBI News and Multimedia
Dozens Sentenced for Their Roles in Atlanta-Based Fraud and Money Laundering Operation That Stole More Than $30 Million From Individuals and Companies
More than three dozen individuals have been sentenced for their involvement in a large-scale fraud and money laundering operation.
United States Files Forfeiture Action to Recover Crypto Proceeds Traceable to Cyber Fraud Scheme
The United States Attorney’s Office filed a civil forfeiture action to recover cryptocurrency alleged to be proceeds of a business email compromise fraud scheme.
American Living in Brazil Admits to Business Email Compromise Scheme
Michael Knighten, a U.S. citizen who had been living in Brazil, has pleaded guilty to wire fraud.
Recruiter and Director of Money Mule Sentenced to Two Years in Prison for Participation in Business Email Compromise Scheme
Lucy Beswick was sentenced to prison for her role in a business email compromise scheme that affected numerous corporate and individual victims throughout the nation.
South Carolinians Report $100 Million in Losses in Annual IC3 Report
The FBI's IC3 has released its annual 2022 Internet Crime Report and accompanying state reports, which show South Carolinians reported more than $100 million in losses.
Framingham Man Sentenced in Business Email Compromise Scheme
Gustaf Njei was sentenced to 27 months in prison and two years of supervised release for his role in a business email compromise (BEC) scheme.
Georgia Cyber Fraud Task Force Marks Two Years Addressing the Laundering of Cyber-Enabled Fraud Proceeds in the Metro-Atlanta Area
Cyber-enabled crimes cost Georgia residents almost $144 million in 2021, with losses attributed to BEC schemes, investment scams, and confidence or romance scams topping the list of frauds.
Nigerian Nationals Victimize U.S. Persons Through Cyber-Enabled Fraud Schemes
Solomon Ekunke Okpe and Johnson Uke Obogo, both Nigerian nationals, each pleaded guilty to conspiracy to commit wire, bank, and mail fraud.
California Man Charged with Laundering Money Obtained from Internet-Related Fraud
Charles Singleton of Los Angeles, California, has been indicted for laundering money obtained from business email compromises.
Ten Charged in Business Email Compromise and Money Laundering Schemes Targeting Medicare, Medicaid, and Other Victims
The U.S. Department of Justice announced charges today against 10 defendants in multiple states in connection with multiple business email compromise schemes.