Protecting Your Business From Email Compromise Attacks

What Is Business Email Compromise and How Can I Protect My Company?

Business Email Compromise (BEC) is a sophisticated scam where criminals use email to trick business owners and employees into sending money or sensitive information. Unlike typical spam, these attacks are targeted – the fraudster researches your company and crafts convincing messages that appear to come from someone you trust.

BEC is one of the most financially damaging scams affecting businesses today. The FBI reports that businesses lose billions of dollars each year to these attacks. Here’s how to recognize and prevent them.

How BEC Attacks Work

Scammers use several tactics to make their emails look legitimate:

Impersonating executives:

  • The email appears to come from your CEO, CFO, or other company leader
  • It urgently requests a wire transfer or sensitive employee information
  • The “executive” might say they’re traveling or in a meeting and can’t talk on the phone

Fake vendor invoices:

  • You receive what looks like a routine invoice from a vendor you actually use
  • The only difference is the payment instructions – the bank account belongs to the scammer
  • These often arrive right around the time you’d expect a real invoice

Compromised email accounts:

  • Sometimes criminals actually hack into a real employee’s or vendor’s email account
  • Messages then come from the legitimate email address, making them very hard to spot
  • They may monitor the account for weeks to learn your payment patterns

Attorney or accountant impersonation:

  • The scammer poses as a lawyer or CPA handling a “confidential” matter
  • They create urgency around a “time-sensitive” transaction
  • They may reference real details about your business to seem credible

Warning Signs of a BEC Attack

Learn to spot these red flags before authorizing any payment:

Unusual payment requests:

  • A request to change payment methods (especially to wire transfer)
  • Instructions to send money to a new bank account
  • Urgent requests that bypass normal approval processes
  • Requests to keep the transaction confidential

Pressure and urgency:

  • Claims that the transfer must happen immediately
  • Requests sent late in the day or before a holiday weekend
  • Instructions not to call or verify by phone
  • Threats of negative consequences if you don’t act fast

Something seems “off”:

  • Slightly different email addresses (a lookalike address or domain that differs from the real one by only a character or two)
  • Unusual tone or wording that doesn’t match how the person normally writes
  • Grammar or spelling errors from someone who usually writes professionally
  • Requests that don’t follow your company’s normal procedures
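The "slightly different email address" red flag is the one that can be checked by software before a person ever reads the message. The following is an added example, not Bank of Marin's code: it compares the sender of each message against a constructed list of contacts you already correspond with, normalizes common digit-for-letter swaps, and flags lookalike domains, lookalike addresses, and messages whose display name matches a known contact but whose address does not. The contact list, domain names and sample headers are all constructed for the example. Mail from your own genuine domain is deliberately not flagged here; that is the compromised-account case, which this check cannot detect and which the phone verification described later is for.

```python
"""Flag sender addresses that closely resemble known, trusted contacts.

Added illustration for the 'slightly different email addresses' red flag.
The contact list and sample headers are constructed, not real data.
"""
import unicodedata
from email.utils import parseaddr

# Constructed allowlist: display name -> address your staff already use.
KNOWN_CONTACTS = {
    "jane doe": "jane.doe@example-corp.com",
    "acme supplies ap": "ap@acme-supplies.example",
}
KNOWN_ADDRESSES = set(KNOWN_CONTACTS.values())
KNOWN_DOMAINS = {addr.rsplit("@", 1)[1] for addr in KNOWN_ADDRESSES}

# Digit-for-letter swaps often used in lookalikes (assumed list, not exhaustive).
DIGIT_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
MAX_EDITS = 2  # edit-distance threshold; tune for the size of your contact list


def normalize(text):
    """Lower-case, strip accents, and fold common visual substitutions."""
    text = unicodedata.normalize("NFKD", text.lower())
    text = "".join(c for c in text if not unicodedata.combining(c))
    return text.translate(DIGIT_SWAPS).replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Levenshtein distance between two strings (single-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header):
    """Return (verdict, detail) for the address in a From: header.

    Verdicts: trusted, trusted-domain, lookalike-domain, lookalike-address,
    display-name-spoof, unknown.
    """
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    if addr in KNOWN_ADDRESSES:
        return "trusted", addr
    domain = addr.rsplit("@", 1)[1] if "@" in addr else ""
    if domain in KNOWN_DOMAINS:
        # Genuinely your domain: a fraud here means a compromised account,
        # which needs phone verification rather than address matching.
        return "trusted-domain", domain
    ndomain = normalize(domain)
    for known in KNOWN_DOMAINS:
        if edit_distance(ndomain, normalize(known)) <= MAX_EDITS:
            return "lookalike-domain", known
    naddr = normalize(addr)
    for known in KNOWN_ADDRESSES:
        if edit_distance(naddr, normalize(known)) <= MAX_EDITS:
            return "lookalike-address", known
    expected = KNOWN_CONTACTS.get(normalize(name))
    if expected:
        # Familiar name on an unfamiliar address: classic executive impersonation.
        return "display-name-spoof", expected
    return "unknown", addr


# Constructed sample From: headers, as a mail filter would see them.
SAMPLE_HEADERS = [
    "Jane Doe <jane.doe@example-corp.com>",
    "Jane Doe <jane.doe@examp1e-corp.com>",
    "Jane Doe <jane.doe.ceo@freemail.example>",
    "AP <ap@acme-suppIies.example>",
    "Sam Smith <sam.smith@example-corp.com>",
    "Bob <bob@unrelated.example>",
]


def flagged(headers):
    """Return (header, verdict, detail) for every sender worth a second look."""
    out = []
    for h in headers:
        verdict, detail = classify_sender(h)
        if verdict not in ("trusted", "trusted-domain"):
            out.append((h, verdict, detail))
    return out


if __name__ == "__main__":
    for row in flagged(SAMPLE_HEADERS):
        print(*row, sep=" | ")
```

In practice the allowlist would be built from your address book or vendor master file, and a flagged message would be tagged or quarantined for the recipient rather than silently dropped, so that the person handling payments knows to pick up the phone.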

How to Protect Your Business

Implementing these practices can significantly reduce your risk:

Establish verification procedures:

  • Always verify payment changes by phone – call the person at a number you already have on file, not one from the email
  • Require verbal confirmation for any wire transfer or payment instruction change
  • Never rely solely on email to authorize financial transactions
  • Create a code word system for verifying urgent requests

Implement financial controls:

  • Require two people to approve wire transfers
  • Set up alerts for wire transfers above a certain amount
  • Verify new vendor information independently before making payments
  • Review bank statements regularly for unauthorized transactions
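The verification procedures and financial controls above translate directly into checks an accounts-payable system can enforce before a payment is released. The following is an added example, not Bank of Marin's code: it evaluates a constructed payment request against a constructed vendor file and holds the payment when the bank account differs from the one on file and no callback to the phone number on file was recorded, when a wire lacks two approvers, or when the request asked for secrecy or skipped the normal flow; wires at or above an assumed threshold raise an alert without blocking. Vendor names, account identifiers, phone numbers and the threshold are all placeholders chosen for the example.

```python
"""Hold or release a payment request according to the controls above.

Added illustration, not Bank of Marin's code. The vendor file, phone
numbers, account identifiers and threshold are constructed placeholders.
"""
from dataclasses import dataclass, field

ALERT_THRESHOLD = 10_000.00  # assumed: wires at or above this raise an alert


@dataclass
class VendorRecord:
    name: str
    bank_account: str   # account currently on file
    phone_on_file: str  # number recorded at onboarding, never taken from an email


@dataclass
class PaymentRequest:
    vendor: str
    amount: float
    bank_account: str          # account printed on the invoice or in the email
    method: str                # "ach", "check" or "wire"
    approvers: set = field(default_factory=set)
    callback_number: str = ""  # number staff actually dialed to confirm, if any
    marked_confidential: bool = False
    bypassed_approval_flow: bool = False


# Constructed vendor master file.
VENDORS = {
    "Acme Supplies": VendorRecord("Acme Supplies", "ACCT-1111", "+1-555-010-0001"),
}


def evaluate(req, vendors=VENDORS):
    """Return (decision, holds, alerts); decision is 'hold' or 'approve'."""
    holds, alerts = [], []
    vendor = vendors.get(req.vendor)
    if vendor is None:
        holds.append("vendor not on file; verify independently before first payment")
    elif req.bank_account != vendor.bank_account:
        # Changed payment details must be confirmed by calling the number we
        # already have, not a number supplied in the same email.
        if req.callback_number != vendor.phone_on_file:
            holds.append("payment details changed; confirm by calling the number on file")
        else:
            alerts.append("payment details changed; callback to number on file recorded")
    if req.method == "wire" and len(req.approvers) < 2:
        holds.append("wire transfer requires two approvers")
    if req.method == "wire" and req.amount >= ALERT_THRESHOLD:
        alerts.append(f"wire of {req.amount:,.2f} meets alert threshold")
    if req.marked_confidential or req.bypassed_approval_flow:
        holds.append("request asked for secrecy or skipped normal approval")
    return ("hold" if holds else "approve"), holds, alerts


# Constructed scenario: the 'fake vendor invoice' case, where only the
# bank account differs and the callback was made to a number from the email.
SUSPECT_INVOICE = PaymentRequest(
    vendor="Acme Supplies", amount=25_000.00, bank_account="ACCT-9999",
    method="wire", approvers={"alice"}, callback_number="+1-555-019-9999",
)

# Same invoice after a second approver signed off and the change was
# confirmed by calling the number on file.
VERIFIED_INVOICE = PaymentRequest(
    vendor="Acme Supplies", amount=25_000.00, bank_account="ACCT-9999",
    method="wire", approvers={"alice", "bob"}, callback_number="+1-555-010-0001",
)

# Routine small ACH payment to the account already on file.
ROUTINE_PAYMENT = PaymentRequest(
    vendor="Acme Supplies", amount=500.00, bank_account="ACCT-1111",
    method="ach", approvers={"alice"},
)


if __name__ == "__main__":
    for label, req in [("suspect", SUSPECT_INVOICE), ("verified", VERIFIED_INVOICE),
                       ("routine", ROUTINE_PAYMENT)]:
        decision, holds, alerts = evaluate(req)
        print(label, decision, holds, alerts)
```

The point of the callback field is that the system records which number was dialed and compares it to the vendor file; a confirmation made to a number printed in the suspicious email does not count, which is exactly the distinction the first bullet under "Establish verification procedures" draws.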

Train your team:

  • Make sure all employees who handle payments know about BEC scams
  • Encourage a culture where staff feel comfortable questioning unusual requests
  • Practice: what would you do if the “CEO” emailed asking for an urgent wire transfer?
  • Remind staff that it’s always better to verify and delay than to lose money

Secure your email:

  • Use strong, unique passwords for all business email accounts
  • Enable two-factor authentication on all email accounts
  • Be cautious about what company information is shared publicly (scammers research you online)
  • Report suspicious emails to your IT department or email provider

What to Do If You Suspect a BEC Attack

If you receive a suspicious email or think you may have been targeted:

  1. Do NOT respond to the email or follow its instructions
  2. Do NOT click any links or open attachments
  3. Verify the request by calling the supposed sender at a known phone number
  4. Alert your team so others don’t fall for the same email
  5. Report it to your IT department or email provider
  6. Contact your bank immediately if you’ve already sent money – quick action may help recover funds

If Money Was Already Sent

Time is critical. Take these steps immediately:

  1. Call your bank right away – request a wire recall
  2. File a complaint with the FBI’s Internet Crime Complaint Center (IC3) at ic3.gov
  3. Contact local law enforcement and file a report
  4. Preserve all evidence – save the emails, don’t delete anything
  5. Review your security to understand how the attack succeeded

The Bottom Line

BEC attacks succeed because they exploit trust and routine business processes. The best defense is healthy skepticism and consistent verification procedures. Whenever something about a payment request seems unusual – even slightly – stop and verify before sending money. A legitimate business partner or executive will never fault you for taking time to confirm a request is real.

Need Help?

If you’ve received a suspicious email regarding your Bank of Marin business account, or if you believe you’ve been targeted by a BEC scam, contact us immediately at (866) 626-6004.