According to the FBI’s Internet Crime Complaint Center (IC3) between October 2013 – May 2016 there were 15,668 domestic and international victims of BEC. The combined exposed dollar amount losses of these crimes totaled $1,053,849,635.

What is BEC?

The victims of the BEC scam range from small businesses to large corporations. Over the years, the victims continue to span a wide variety of goods and services, indicating that a specific sector does not seem to be targeted. It is largely unknown how victims are selected; however, the subjects monitor and study their selected victims using social engineering techniques prior to initiating the BEC scam. The subjects are able to accurately identify the individuals and protocols necessary to perform wire transfers within a specific business environment. Victims may also first receive “phishing” e-mails requesting additional details regarding the business or individual being targeted (name, travel dates, etc.).

How Does BEC Typically Work?

Based on IC3 complaints and other complaint data, there are five main scenarios by which this scam is perpetrated. BEC victims recently reported a new scenario (Data Theft) involving the receipt of fraudulent e-mails requesting either all Wage or Tax Statement (W-2) forms or a company list of Personally Identifiable Information (PII). This scenario does not always involve the request for a wire transfer; however, the business executive’s e-mail is compromised, either spoofed or hacked, and the victims are targeted in a similar manner as described in Scenario 2 of the BEC scam.

Scenario 1: Business Working With a Foreign Supplier
Scenario 2: Business [Executive] Receiving or Initiating a Request for a Wire Transfer
Scenario 3: Business Contacts Receiving Fraudulent Correspondence through Compromised E-mail
Scenario 4: Business Executive and Attorney Impersonation
Scenario 5 : Data Theft

*For full descriptions of each scenario visit

The FBI offers the following representation of a typical BEC timeline:
Business Email Compromise timeline graphic
Image sourced from:

How Can I Protect My Business?

  • Create intrusion detection system rules. They flag emails with extensions that are similar to company email. For example, a legitimate email of would flag as a fraudulent email.
  • Register all company domains that are slightly different than your company’s actual domain.
  • Confirm requests for transfer of funds (when using phone verification as part of the two-factor authentication, use previously known numbers, not the numbers provided in the email request).
  • Verify changes in vendor payment location by adding additional two-factor authentication, such as having a secondary sign-off by company personnel.
  • Be suspicious of wire transfer payment requests with secrecy or pressure to take action quickly.
  • Know the habits of your customers, including the details of, reasons behind, and amount of payments.
  • Carefully scrutinize all email requests for transfer of funds to determine if the requests are out of the ordinary.
  • Be wary of free, web-based email accounts, which are more susceptible to being hacked.
  • Be careful when posting financial and personnel information to social media and company websites.

“The best way to avoid being exploited is to verify the authenticity of requests to send money by walking into the CEO’s office or speaking to him or her directly on the phone. Don’t rely on e-mail alone.” Martin Licciardo, special agent, FBI Washington Field Office

What If It’s Too Late?

If you believe your firm has been a victim of BEC, or if you can confirm that funds have been transferred to a fraudulent account, it is important to act quickly.

  • Contact your financial institution immediately upon discovering the fraudulent transfer.
  • Request that your financial institution contact the corresponding financial institution where the fraudulent transfer was sent.
  • Contact your local FBI office if the wire is recent. The FBI, working with the U.S. Department of Treasury Financial Crimes Enforcement Network, might be able to help return or freeze the funds.
  • File a complaint, regardless of dollar loss, with the IC3.

It’s hard to guard against determined scammers, but knowing how they work can help. You can gain information about protecting your business by reading the Public Service Announcements provided by the FBI.


Tonya A McCaughey

VP, Retail Operations Manager

Tonya McCaughey - Headshot