Business email compromise (BEC) is an online scam where a cybercriminal impersonates a business representative to trick you, an employee, customer or vendor into transferring money or sensitive information to the scammer.
To begin, the cybercriminal impersonates a trusted person using an email address that appears legitimate (this is known as "masquerading"). They may register a domain that is almost identical to the trusted person's company domain, or put a display name or username almost identical to the trusted person's name on an unrelated mailbox. Alternatively, they may forge the "From" or "Reply-To" header so it shows the trusted person's exact email address (this is called email "spoofing"), or they may gain access to the trusted person's actual email account and send from it.
The cybercriminal then sends a legitimate-looking message to the target requesting money or sensitive information.
BEC usually takes one of four basic forms:
Executive fraud: The cybercriminal masquerades as an executive of your business and sends a message to staff directing them to transfer funds to the scammer's account.
Legal impersonation: The cybercriminal masquerades as a lawyer or a representative of a legal firm and requests payment for a matter presented as urgent and confidential.
Invoice fraud: The cybercriminal masquerades as a trusted supplier and sends a fake invoice to your business. In many of these scams the cybercriminal controls the supplier's actual email account and can read its genuine invoices; they alter the bank account details on those invoices and send them to the supplier's customers from the supplier's own mailbox, so the message passes every sender check. The reliable defence is to confirm any change of payment details through a channel you already have on record, such as a phone number from the original contract, never one given in the email itself.
Data theft: Instead of requesting funds, the cybercriminal masquerades as a trusted person to request sensitive information. That information can then be used as part of a larger and more damaging scam.
Because these messages usually carry no malicious link or attachment, and are often sent from a real mailbox (a lookalike domain the scammer registered, or a compromised account), they pass anti-virus scanning and most spam filters. Sender authentication (SPF, DKIM and DMARC) lets receiving mail servers reject mail that forges your exact domain, but it does nothing against a lookalike domain or a compromised account, so the remaining defence is procedural: confirm unusual payment or data requests through a channel other than the email itself.
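The following is an added example, not code from the original article, showing how the masquerading and spoofing techniques described above can be checked for in message headers: a lookalike sender domain, a known person's display name on an address they do not use, a Reply-To diverted to a different domain, and a failed SPF or DMARC result on mail claiming your own domain. The trusted domains, the list of known people and the sample messages are all constructed for illustration; in practice the gateway would supply the messages.

```python
# Added example, not code from the original article. Heuristic header checks for the
# BEC masquerading and spoofing techniques described above. TRUSTED_DOMAINS,
# KNOWN_PEOPLE and SAMPLES are constructed (hypothetical) data for illustration.
import email
from email.utils import parseaddr

TRUSTED_DOMAINS = ("example-corp.com", "acme-supplies.com")  # assumed: your domain and a supplier
KNOWN_PEOPLE = {"jane doe": "jane.doe@example-corp.com"}      # assumed: people worth impersonating


def normalize(label):
    """Fold common look-alike substitutions so 'examp1e-c0rp' compares equal to 'example-corp'."""
    label = label.lower()
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        label = label.replace(fake, real)
    return label


def edit_distance(a, b):
    """Levenshtein distance, single-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_headers(raw):
    """Return a list of finding tags for one RFC 5322 message; only headers are inspected."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    findings = []

    # 1. Lookalike domain: within one edit of a trusted domain after homoglyph folding, but not equal.
    if from_dom and from_dom not in TRUSTED_DOMAINS:
        if any(edit_distance(normalize(from_dom), normalize(t)) <= 1 for t in TRUSTED_DOMAINS):
            findings.append("lookalike_domain:" + from_dom)

    # 2. Display-name impersonation: a known person's name on an address they do not use.
    expected = KNOWN_PEOPLE.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append("display_name_impersonation:" + addr)

    # 3. Reply-To diverted: replies go to the scammer even though From looks right.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        findings.append("reply_to_mismatch:" + domain_of(reply))

    # 4. Exact-domain spoofing: From claims a trusted domain but the receiving server's
    #    Authentication-Results header (RFC 8601) recorded an SPF or DMARC failure.
    auth = msg.get("Authentication-Results", "").lower()
    if from_dom in TRUSTED_DOMAINS and ("spf=fail" in auth or "dmarc=fail" in auth):
        findings.append("authentication_failed:" + from_dom)

    return findings


# Constructed sample messages, one per technique plus a legitimate one.
SAMPLES = {
    "lookalike": "From: Jane Doe <jane.doe@examp1e-corp.com>\nTo: accounts@example-corp.com\n"
                 "Subject: Urgent transfer\n\nPlease wire the amount below today.\n",
    "freemail_exec": "From: Jane Doe <janedoe.ceo@webmail.test>\nTo: accounts@example-corp.com\n"
                     "Subject: Quick favour\n\nAre you at your desk?\n",
    "diverted_reply": "From: Accounts Payable <billing@acme-supplies.com>\n"
                      "Reply-To: billing@acme-supplies-invoices.test\nTo: accounts@example-corp.com\n"
                      "Subject: Updated bank details\n\nPlease use the new account on the attached invoice.\n",
    "spoofed_domain": "Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=bulk.evil.test;"
                      " dkim=none; dmarc=fail header.from=example-corp.com\n"
                      "From: Jane Doe <jane.doe@example-corp.com>\nTo: accounts@example-corp.com\n"
                      "Subject: Payment\n\nApprove this today.\n",
    "legitimate": "Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=example-corp.com;"
                  " dkim=pass header.d=example-corp.com; dmarc=pass header.from=example-corp.com\n"
                  "From: Jane Doe <jane.doe@example-corp.com>\nTo: accounts@example-corp.com\n"
                  "Subject: Board pack\n\nSee you Monday.\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, check_headers(raw))
```

None of these checks detects the invoice-fraud case where the scammer is sending from the supplier's genuine, compromised account: the headers are all correct, and the exact-domain check only fires when your gateway writes an Authentication-Results header and the sending domain publishes DMARC. That gap is why confirming changed payment details through a channel other than the email remains the control of last resort.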