Preventing BEC scams: A guide to help protect your organization

Read Time: 4 Min
BEC is one of the most financially damaging online crimes. Learn how to identify and help protect against this type of email scam.

By Amber Buening, Security Outreach Director at Huntington National Bank

Key takeaways

  • Business email compromise (BEC) is a sophisticated phishing attack that targets individuals, businesses, and organizations – and can cost billions.
  • Pay attention to BEC “red flags,” such as a sense of urgency, unusual financial requests, or grammar errors. Identifying an attempt can help you avoid becoming a victim.
  • BEC prevention best practices can help keep employees and their organizations safe, including: Using strong passwords, turning on multifactor authentication, recognizing and reporting phishing attacks, and prioritizing vulnerability management.

Cybercriminals have long been exploiting our reliance on email to conduct business. Of the many types of cyberattacks aimed at email inboxes, organizations have been increasingly focused on business email compromise (BEC) – and for a good reason. BEC has rapidly become one of the most financially damaging online crimes.

In 2023, the FBI’s Internet Crime Complaint Center (IC3) received 21,489 BEC complaints amounting to more than $2.9 billion in losses, up from nearly $2.7 billion in 2022.

What makes the threat of BEC so high is that this scam preys on our human nature to trust or be helpful, attempts can be difficult to identify, and the recovery of funds can be a challenge. While the IC3’s Recovery Asset Team successfully froze $538.39 million in funds for victims who made transfers to U.S. accounts under fraudulent pretenses in 2023, many organizations were unable to recover some or all of their funds lost through BEC.

Impressing the importance of verifying information, acting calmly, and being on the lookout for BEC can go a long way in helping you avoid a costly attack. In this article, we will explain how BEC works, which red flags might signal a scam, and how to help protect your organization and employees from this cybercrime on the rise.

What is BEC, and how does it work?

Business email compromise (BEC) is a sophisticated phishing attack that targets individuals, businesses, and organizations. Threat actors use a variety of techniques to convince an email recipient that a message is coming from a legitimate and trusted source. These messages often mimic previous emails sent from a known party and exploit existing trusted relationships, making them difficult to identify.

In some BEC scams, threat actors can gain access to and monitor the email accounts of business executives or employees to imitate their actions. Other methods of BEC attack include using malware or sending phishing and/or spear phishing emails.

The purpose of this scam is to steal money or sensitive data, so these messages may typically request the recipient send funds through wire transfers, gift cards, or other online person-to-person payment platforms. The fraudulent payments might be transferred several times between banks and accounts to ensure the funds are quickly dispersed before being caught.

One rising trend noted by the IC3’s 2023 report is the use of cryptocurrency in fraud, likely because cryptocurrency’s added anonymity makes it an attractive option for cybercriminals. Cryptocurrency investment fraud complaints reached $3.96 billion, up 53% compared to the previous year§. An increasing number of BEC complaints have included cryptocurrency exchanges or requests for funds to be sent directly to a cryptocurrency platform.

Watch out for these BEC red flags

While BEC emails are designed to be convincing, there are certain indicators that can help alert you to a potential scam. If you receive an email with any of these potential red flags below, think twice before responding or taking action:

  • Portraying a sense of urgency, especially during a crisis.
  • Insisting on confidentiality.
  • Sending messages at inopportune times, such as at the end of business hours or during high customer volume.
  • Changing email addresses, removing recipients from an email chain, or changing the reply-to email address.
  • Containing poor formatting, unusual tone, and uncommon misspellings.
  • Refusing to communicate in person or verbally.
  • Requesting to move money to a new account, personal account, subsidiary account, or an atypical destination.
  • Asking for unusual payment amounts or payments without proper justification.

There won’t always be a clear sign that an email is a BEC attempt in disguise. In most situations, trusting your instincts and following procedure can protect you.

“These emails can be very hard to detect, especially when a customer’s or vendor’s email account has been compromised because the BEC isn’t coming from a spoofed email address – it’s coming from a sender address that you know and trust. Any changes in your usual process, especially processes that involve moving money, should be a red flag. When in doubt, pick up the phone and call the contact at the number you already know to be their number. It only takes a minute to check.”

Lisa Plaggemier
Executive Director, National Cybersecurity Alliance

BEC prevention best practices

In addition to watching out for the potential BEC indicators above, following these recommendations below can help you protect yourself and your business from becoming victims. These best practices align with those recommended by the Cybersecurity & Infrastructure Security Agency, which promotes cybersecurity awareness and resiliency.

1. Always follow established business protocols

  • Adhere to standard business processes for remittance processing.
  • Understand your responsibilities and liabilities in processing and approving funds.
  • Follow your procedures and call the company directly from the established phone numbers on file – never call the number or email the address included in the suspicious email. Always verify via other channels that you are still communicating with your legitimate business partners.

2. Monitor payment methods and changes

  • Establish other communication channels, such as telephone calls, to verify significant transactions. Consider having additional protocols in place for larger transactions to ensure that only authorized personnel can commit to the disbursement of funds.
  • Avoid using paper checks and instead consider using Automated Cleaning House (ACH) or other electronic payment methods whenever possible.
  • If applicable, consider accepting electronic deposits or using remote deposit capture, safeguarding remotely deposited items, and shredding them once clear.

3. Treat emails and other forms of communication with caution

  • Immediately delete unsolicited emails (spam) from unknown parties. Do NOT open spam emails or click on links in the email.
  • Avoid responding to a bad actor via email by asking employees to create a new email and use or type in a name and address on file instead of using the “reply” option.
  • Establish a company website domain and use it to establish company email accounts in lieu of free, web-based accounts.
  • If something feels off about an email, text message, or phone call, it probably is. When in doubt, get a second opinion.

4. Recognize and report phishing attempts

  • Be suspicious of requests for secrecy or pressure to act quickly.
  • Both entities on either side of the transaction should use digital signatures whenever possible. If you have any suspicions before signing, call the company directly from the established phone numbers on file.
  • Be careful what you and your employees post to social media and company websites, especially job duties/descriptions, personally identifiable information (e.g. email address, phone number, etc.), and hierarchical information. This information can be used to launch personalized cyberattacks.
  • Beware of sudden changes in business practices. For example, if a current business contact suddenly asks to be contacted via a personal email address when previous official correspondence has been on a company email, the request could be fraudulent.
  • Use your company’s established IT/Cybersecurity reporting options to report suspicious emails, such as flagging it in your company’s email server.

5. Implement enhanced security measures

  • Implement two-factor authentication for your email servers and remote access devices.
  • Enforce the use of strong passwords and consider using a password manager to keep them secure.
  • Prioritize vulnerability management by keeping networks, software, operating systems, and equipment updated with the latest patches.

6. Act quickly

  • Act quickly in the event of an incident and promptly report it to the appropriate person or team in your organization.

Remain vigilant to safeguard your organization

Cybercrime continually evolves as organizations implement new preventative and protective measures. Losses from business email compromise, phishing, and other cyberattacks are not always recovered, which could have devastating effects on your business. Building strong cybersecurity defenses and developing a security culture can help you and your employees remain vigilant against ongoing threats. Contact your relationship manager for more information about protecting your organization against cybersecurity threats.

Financial & industry insights delivered to your inbox.

Subscribe to Huntington Insights

Sign up to receive emails about our latest articles, case studies, and events on topics that matter most to your business.
Subscribe

Related Content

Cybersecurity & Fraud
Cybersecurity & Fraud
Understanding cybersecurity best practices can help protect your organization against bad actors and better manage risk. Read about threat trends, security insights, combatting fraud, and more from Huntington’s cybersecurity team.
Cybersecurity & Fraud
Read Time: 5 Min
Five password security best practices to defend your data
Passwords are your first line of defense against cybercriminals and data breaches. Strong password management practices can help keep your organization safe.
April 04, 2025

FBI Internet Crime Complaint Center. 2024. “Federal Bureau of Investigation Internet Crime Report 2023.” Accessed October 4, 2024.  

FBI Internet Crime Complaint Center Report.

§ FBI Internet Crime Complaint Center Report.

The information provided in this document is intended solely for general informational purposes and is provided with the understanding that neither Huntington, its affiliates nor any other party is engaging in rendering tax, financial, legal, technical or other professional advice or services or endorsing any third-party product or service. Any use of this information should be done only in consultation with a qualified and licensed professional who can take into account all relevant factors and desired outcomes in the context of the facts surrounding your particular circumstances. The information in this document was developed with reasonable care and attention. However, it is possible that some of the information is incomplete, incorrect, or inapplicable to particular circumstances or conditions. NEITHER HUNTINGTON NOR ITS AFFILIATES SHALL BE LIABLE FOR ANY DAMAGES, LOSSES, COSTS OR EXPENSES (DIRECT, CONSEQUENTIAL, SPECIAL, INDIRECT OR OTHERWISE) RESULTING FROM USING, RELYING ON OR ACTING UPON INFORMATION IN THIS DOCUMENT OR THIRD-PARTY RESOURCES IDENTIFIED IN THIS DOCUMENT EVEN IF HUNTINGTON AND/OR ITS AFFILIATES HAVE BEEN ADVISED OF OR FORESEEN THE POSSIBILITY OF SUCH DAMAGES, LOSSES, COSTS OR EXPENSES.

Lending and leasing products and services, as well as certain other banking products and services, may require credit application approval.

Third-party product, service and business names are trademarks/service marks of their respective owners.