
Business Email Compromise: The $5 Billion Scam You've Never Heard Of


Ransomware gets the headlines. Data breaches make the news. But the FBI's latest Internet Crime Report reveals that business email compromise (BEC) has cost organizations over $5 billion globally since 2013. That makes it one of the most financially damaging cybercrime categories in existence.

And it doesn't require a single line of malware.

How BEC Works

BEC scams follow a consistent pattern:

  1. Research: The attacker identifies the business, its leadership, and its financial processes. They study LinkedIn profiles, company websites, and social media to understand the organization's structure.
  2. Impersonation: The attacker either compromises an executive's actual email account (through phishing or credential theft) or creates a lookalike email address (matt@robel1tech.com instead of matt@robelltech.com).
  3. The ask: They send an urgent email to someone with financial authority, requesting a wire transfer, vendor payment, or purchase of gift cards.
  4. Execution: The recipient, believing the request is legitimate, sends the money.
  5. Disappearance: The funds are transferred through multiple accounts and withdrawn, usually within hours.

Common BEC Scenarios

CEO Fraud

"I need you to wire $35,000 to this account for an acquisition we're working on. It's confidential, so please handle it quietly." The email appears to come from the CEO. The urgency and confidentiality request are designed to prevent the recipient from verifying through normal channels.

Vendor Impersonation

"Our banking information has changed. Please update your records and send future payments to this new account." The email appears to come from a vendor you regularly pay. The new account belongs to the attacker.

Attorney Impersonation

"I'm handling a matter for [your company]. Please wire the retainer to this trust account." For law firms, this can go the other direction: "I'm [client name]. Please send the settlement proceeds to this new account."

Payroll Diversion

"Hi, this is [employee name]. I'd like to update my direct deposit information. Please use this new bank account going forward." The next paycheck goes to the attacker.

Why It Works

BEC exploits trust and authority, not technology. There's no malware to detect. No suspicious attachment to block. No malicious link to filter. It's a social engineering attack that relies on convincing someone to do something they're authorized to do: send money.

The average BEC loss is $130,000. Some are much higher. A Lithuanian man was recently convicted of stealing $121 million from Google and Facebook using BEC scams.

Protecting Your Practice

  • Verbal verification for all financial requests. Any email requesting a wire transfer, payment change, or direct deposit update gets verified with a phone call. Use a known number, not one from the email.
  • Two-person authorization. No single person should be able to initiate a wire transfer alone. Require dual approval for any transfer above a threshold.
  • Scrutinize email addresses. Look carefully at the sender's actual email address, not just the display name. One character difference is all it takes.
  • Delay urgency. BEC emails create artificial urgency. Build a culture where financial requests always go through proper channels, regardless of claimed urgency.
  • Verify vendor changes. When a vendor requests a change to their banking information, call them at a known number to confirm. This simple step prevents the most common BEC variant.
  • Secure your own email. If your email account is compromised, it can be used to BEC your vendors, partners, and employees. Two-factor authentication. Strong passwords. Email security monitoring.
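As an added example (not code from the original post), here is a small Python check that applies the "scrutinize email addresses" advice above to an inbound From: header: it flags sender domains that are lookalikes of a trusted domain (the post's own robel1tech.com vs robelltech.com case) and display names that claim a known person while the actual address is elsewhere. The trusted-domain set, the known-people map and the homoglyph table are assumptions for illustration.

```python
# Added example, not from the original post. Flags From: headers that look like
# BEC impersonation: lookalike sender domains and display-name/address mismatches.
# All domains and names below are constructed for illustration.
from email.utils import parseaddr

TRUSTED_DOMAINS = {"robelltech.com"}               # assumption: your real domains
TRUSTED_PEOPLE = {"matt": "matt@robelltech.com"}   # assumption: first name -> real address

# Characters commonly swapped for look-alikes; both sides are normalised before comparing.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})


def normalize(domain: str) -> str:
    """Fold digit-for-letter swaps and the classic rn->m / vv->w tricks."""
    d = domain.lower().translate(HOMOGLYPHS)
    return d.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches dropped or doubled letters (robeltech vs robelltech)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str) -> list[str]:
    """Return the reasons a From: header looks like BEC; an empty list means no finding."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    reasons: list[str] = []
    if domain in TRUSTED_DOMAINS:
        return reasons  # genuinely internal; account-takeover needs other controls
    for trusted in TRUSTED_DOMAINS:
        if normalize(domain) == normalize(trusted) or edit_distance(domain, trusted) <= 2:
            reasons.append(f"lookalike domain {domain!r} resembles {trusted!r}")
    # Display name says "Matt" but the address is not Matt's real one: classic CEO fraud.
    first = name.split()[0].lower() if name else ""
    if first in TRUSTED_PEOPLE and addr.lower() != TRUSTED_PEOPLE[first]:
        reasons.append(f"display name {name!r} but address {addr!r} is not the known one")
    return reasons
```

A hit from this check is a prompt for the verbal verification step, not a verdict on its own.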

$5 billion lost. No malware. No hacking. Just well-crafted emails and human trust. The defense is procedural, not technical. Build the procedures before you need them.