Business email compromise (BEC)—also known as email account compromise (EAC)—is one of the most financially damaging online crimes. It exploits the fact that so many of us rely on email to conduct business—both personal and professional.
In a BEC scam, criminals send an email message that appears to come from a known source making a legitimate request, like in these examples:
- A vendor your company regularly deals with sends an invoice with an updated mailing address.
- A company CEO asks her assistant to purchase dozens of gift cards to send out as employee rewards. She asks for the serial numbers so she can email them out right away.
- A homebuyer receives a message from his title company with instructions on how to wire his down payment.
Versions of these scenarios happened to real victims. All the messages were fake. And in each case, thousands—or even hundreds of thousands—of dollars were sent to criminals instead.
A scammer might:
- Spoof an email account or website. Slight variations on legitimate addresses (firstname.lastname@example.org vs. email@example.com) fool victims into thinking fake accounts are authentic.
- Send spearphishing emails. These messages look like they’re from a trusted sender to trick victims into revealing confidential information. That information lets criminals access company accounts, calendars, and data that gives them the details they need to carry out the BEC schemes.
- Use malware. Malicious software can infiltrate company networks and gain access to legitimate email threads about billing and invoices. That information is used to time requests or send messages so accountants or financial officers don’t question payment requests. Malware also lets criminals gain undetected access to a victim’s data, including passwords and financial account information.
If you or your company fall victim to a BEC scam, it’s important to act quickly:
Public Service Announcements from IC3
02.16.2022 Business E-mail Compromise: Virtual Meeting Platforms
Between 2019 and 2021, the FBI IC3 has received an increase of BEC complaints involving the use of virtual meeting platforms.
04.06.2020 Cyber Criminals Conduct Business Email Compromise Through Exploitation of Cloud-Based Email Services, Costing U.S. Businesses More Than $2 Billion
Cyber criminals are targeting organizations that use popular cloud-based email services to conduct BEC scams.
09.10.2019 Business Email Compromise: The $26 Billion Scam
Business email compromise/email account compromise is a sophisticated scam that targets both businesses and individuals who perform legitimate transfer-of-funds requests.
Related FBI News and Multimedia
Niselio Barros Garcia Jr., of Florida, pleaded guilty to money laundering for his role in funneling the proceeds of scams against American consumers and businesses to co-conspirators located in Nigeria.
Pierre Yvelt Almonor of Miami Gardens, Florida, was sentenced to 51 months in prison for his role in a conspiracy to launder illegal proceeds.
Olusegun Samson Adejorin, of Nigeria, was indicted for wire fraud, aggravated identity theft, and unauthorized access to a protected computer.
Acting United States Attorney Susan Lehr announced the extradition of Afeez Akinloye, 42, a Nigerian national, from South Africa to the District of Nebraska.
The FBI Memphis Field Office, which covers middle and west Tennessee, is reminding Tennesseans to look out for scams designed to steal your money and personal information.
The U.S. Attorney’s Office and the FBI have seized and filed a civil asset forfeiture complaint against $1,187.677.94 that was traceable to a business email compromise attack.
Alex Ogunshakin of Nigeria, who was on the FBI Cyber’s Most Wanted List, has been extradited to Nebraska for conspiracy to commit wire fraud.
The FBI Springfield Field Office is marking Cybersecurity Awareness Month this October by directing attention to the ever-increasing number of Internet crimes and cyberattacks.
Chibundu Joseph Anuebunwa has been sentenced to 66 months in prison for his role in fraudulent business email compromise scams that targeted thousands of victims.
Timy Hakim of Michigan received two years in prison and an additional six months in home detention for his participation in a conspiracy to defraud at least 15 victims.