Preventing BEC scams: A guide to help protect your organization

BEC is one of the most financially damaging online crimes. Learn how to identify and help protect against this type of email scam.

Cybercriminals have long exploited our reliance on email to conduct business. Of the many types of cyberattacks aimed at email inboxes, organizations have increasingly focused on business email compromise (BEC), and for good reason: BEC has rapidly become one of the most financially damaging online crimes.

In 2022, the FBI’s Internet Crime Complaint Center (IC3) received 21,832 BEC complaints amounting to more than $2.7 billion in losses, up from nearly $2.4 billion in 2021.

BEC is so dangerous because it preys on the human tendency to trust and to be helpful, because attempts can be difficult to identify, and because recovering the funds is often a challenge. While the IC3’s Recovery Asset Team successfully froze $433 million in funds for victims who made transfers to U.S. accounts under fraudulent pretenses in 2022§, many organizations were unable to recover some or all of the funds they lost to BEC.

Stressing the importance of verifying information, acting calmly, and being on the lookout for BEC can go a long way toward helping you avoid a costly attack. In this article, we explain how BEC works, which red flags may signal a scam, and how to help protect your organization and employees from this growing cybercrime.

What is BEC, and how does it work?

Business email compromise (BEC) is a sophisticated phishing attack that targets individuals, businesses, and organizations. Attackers use a variety of techniques to convince the recipient that a message comes from a legitimate and trusted source. In some BEC scams, threat actors gain access to the email accounts of executives or employees and monitor them so they can convincingly imitate the account owner’s writing style and ongoing conversations. Other BEC methods include malware and phishing or spear-phishing emails sent from lookalike or spoofed addresses.

The purpose of the scam is to steal money or sensitive data, so these messages typically ask the recipient to send funds by wire transfer, gift cards, or an online person-to-person payment platform. The fraudulent payments are often moved several times between banks and accounts so that the funds are dispersed before the fraud is detected.

One rising trend noted by the IC3 in 2022 is the use of cryptocurrency in fraud, likely because its relative anonymity makes it an attractive option for cybercriminals. Cryptocurrency investment fraud complaints reached $2.57 billion, up 183% from the previous year. An increasing number of BEC complaints have involved cryptocurrency exchanges or requests for funds to be sent directly to a cryptocurrency platform.

Watch out for these BEC red flags

While BEC emails are designed to be convincing, certain indicators can help alert you to a potential scam. If you receive an email with any of the red flags below, think twice before responding or taking action:

  • Conveying a sense of urgency, especially during a crisis.
  • Insisting on confidentiality.
  • Arriving at inopportune times, such as at the end of business hours or during periods of high customer volume.
  • Changing email addresses, removing recipients from an email chain, or changing the reply-to address.
  • Containing poor formatting, an unusual tone, or unusual misspellings.
  • Refusing to communicate in person or by phone.
  • Requesting that money be moved to a new account, a personal account, a subsidiary account, or an atypical destination.
  • Asking for unusual payment amounts or for payments without proper justification.
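Several of these indicators can be checked mechanically before a person ever reads the message. The following Python script is an added example, not code from the original article: it parses raw messages with the standard library’s email module and flags a Reply-To whose domain differs from the sender’s, a sender domain that closely resembles a trusted partner’s (including simple look-alike swaps such as "rn" for "m"), an internal executive’s display name paired with an external address, and wording that signals urgency, secrecy, or a change of payment details. The trusted domains, the executive names, and the three sample messages are constructed for the demonstration.

```python
"""Heuristic BEC red-flag checks over raw RFC 5322 messages (added example)."""
import difflib
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional

# Constructed inventory (assumption): domains we legitimately do business with.
TRUSTED_DOMAINS = frozenset({"example.com", "acme-supplies.example"})
# Constructed (assumption): display names of internal executives that scammers imitate.
EXECUTIVE_NAMES = frozenset({"jane doe"})
# Wording taken from the red-flag list: urgency, secrecy, and payment-detail changes.
URGENCY = re.compile(r"\b(urgent|immediately|asap|right away|today)\b", re.I)
SECRECY = re.compile(r"\b(confidential|do not (discuss|mention)|keep this between)\b", re.I)
ACCOUNT_CHANGE = re.compile(
    r"\b(new (bank )?account|updated? (our )?(bank|wire|remittance) (details|instructions))\b",
    re.I,
)


def domain_of(addr: str) -> str:
    """Return the lower-cased domain of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this sender domain imitates, if any.

    Exact trusted domains are not look-alikes. Common substitutions (0 for o,
    1 for l, rn for m) are normalized before a similarity comparison, so
    'acrne-supplies.example' is reported as imitating 'acme-supplies.example'.
    """
    if domain in TRUSTED_DOMAINS:
        return None
    norm = domain.replace("0", "o").replace("1", "l").replace("rn", "m")
    for trusted in sorted(TRUSTED_DOMAINS):
        if difflib.SequenceMatcher(None, norm, trusted).ratio() >= 0.85:
            return trusted
    return None


def bec_flags(raw: str) -> List[str]:
    """Return the red-flag labels triggered by one raw message, in check order."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = domain_of(from_addr)
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    flags: List[str] = []

    # Replies silently diverted to a domain the sender does not control.
    if reply_addr and domain_of(reply_addr) != from_domain:
        flags.append("reply-to-domain-mismatch")
    # Sender domain that imitates a partner we pay.
    imitated = lookalike_of(from_domain)
    if imitated:
        flags.append(f"lookalike-domain:{imitated}")
    # Executive's name on an address outside the company.
    if from_name.strip().lower() in EXECUTIVE_NAMES and from_domain not in TRUSTED_DOMAINS:
        flags.append("executive-name-external-address")
    # Social-engineering cues in subject and body.
    if URGENCY.search(text):
        flags.append("urgency")
    if SECRECY.search(text):
        flags.append("secrecy")
    if ACCOUNT_CHANGE.search(text):
        flags.append("payment-account-change")
    return flags


# Constructed sample messages for the demonstration.
VENDOR_SCAM = """\
From: Accounts Payable <billing@acrne-supplies.example>
To: ap@example.com
Reply-To: billing@acme-supplies-invoices.example
Subject: Updated bank details for invoice 4471

Please note we have updated our remittance instructions. Send today's payment
to the new account below and keep this between us until the audit is done.
"""

EXEC_SCAM = """\
From: Jane Doe <jane.doe.ceo@webmail.example>
To: controller@example.com
Subject: Urgent wire

I need a wire sent immediately. I'm in a meeting and can't talk. Confidential.
"""

LEGIT = """\
From: Bob Smith <bob@acme-supplies.example>
To: ap@example.com
Subject: Invoice 4471

Attached is invoice 4471, net 30 as usual. Thanks.
"""

if __name__ == "__main__":
    for label, sample in (("vendor", VENDOR_SCAM), ("exec", EXEC_SCAM), ("legit", LEGIT)):
        print(f"{label}: {bec_flags(sample) or 'no flags'}")
```

Heuristics like these are a triage aid, not a verdict: a flagged message still goes to a person who verifies it through a channel other than email, and a clean result does not make a request to change payment details safe.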

Help protect yourself against BEC

In addition to watching for the BEC indicators above, following these recommendations can help protect you and your business from becoming victims:

  1. Always follow established processes and protocols for remittance processing.
  2. Understand your responsibilities and liabilities in processing and approving funds.
  3. Treat emails with caution. Delete unsolicited emails (spam) from unknown parties immediately. Do NOT open spam emails, open their attachments, or click on links in them.
  4. Use your company’s established IT/cybersecurity reporting options to report suspicious emails, such as flagging the message in your company’s email system.
  5. Follow your procedures and call the company directly at the phone number already on file. Never call a number or email an address that appears in the suspicious email itself. Always verify through a separate channel that you are still communicating with your legitimate business partner.
  6. Avoid replying to a bad actor’s message. Ask employees to start a new email and type in the name and address on file rather than using the “reply” option, which would send the response straight back to the attacker.
  7. Be suspicious of requests for secrecy or pressure to act quickly.
  8. Implement two-factor authentication for email accounts, email servers, and remote access devices.
  9. Establish other communication channels, such as telephone calls, to verify significant transactions. Consider having additional protocols in place for larger transactions to ensure that only authorized personnel can commit to the disbursement of funds.
  10. Both parties to a transaction should use digital signatures whenever possible. If you have any suspicions before signing, call the company directly at the phone number on file.
  11. Establish a company website domain and use it to establish company email accounts in lieu of free, web-based accounts.
  12. Be careful what you and your employees post to social media and company websites, especially job duties/descriptions, personally identifiable information (e.g. email address, phone number, etc.), and hierarchical information.
  13. Beware of sudden changes in business practices. For example, if a current business contact suddenly asks to be contacted via a personal email address when previous official correspondence has been on a company email, the request could be fraudulent.
  14. Avoid using paper checks and instead consider Automated Clearing House (ACH) or other electronic payment methods whenever possible.
  15. If applicable, consider accepting electronic deposits or using remote deposit capture, safeguarding remotely deposited items, and shredding them once they have cleared.
  16. If something feels off about an email, text message, or phone call, it probably is. When in doubt, get a second opinion.
  17. Act quickly in the event of an incident and promptly report it to the appropriate person or team in your organization.

Remain vigilant to safeguard your organization

Cybercrime continually evolves as organizations implement new preventive and protective measures. Losses from business email compromise, phishing, and other cyberattacks are not always recovered, which can have devastating effects on your business. Building strong cybersecurity defenses and developing a security culture can help you and your employees remain vigilant against ongoing threats. Contact your relationship manager for more information about protecting your organization against cybersecurity threats.

Related Content

FBI Internet Crime Complaint Center (IC3). 2022. “Federal Bureau of Investigation Internet Crime Report 2022.” Accessed April 6, 2023.

§ Ibid.

FBI Internet Crime Complaint Center (IC3). 2021. “Federal Bureau of Investigation Internet Crime Report 2021.” Accessed April 6, 2023.

FBI. 2021. “Rise in Use of Cryptocurrency in Business Email Compromise Schemes.” Accessed April 6, 2023.

The information provided in this document is intended solely for general informational purposes and is provided with the understanding that neither Huntington, its affiliates nor any other party is engaging in rendering tax, financial, legal, technical or other professional advice or services or endorsing any third-party product or service. Any use of this information should be done only in consultation with a qualified and licensed professional who can take into account all relevant factors and desired outcomes in the context of the facts surrounding your particular circumstances. The information in this document was developed with reasonable care and attention. However, it is possible that some of the information is incomplete, incorrect, or inapplicable to particular circumstances or conditions. NEITHER HUNTINGTON NOR ITS AFFILIATES SHALL BE LIABLE FOR ANY DAMAGES, LOSSES, COSTS OR EXPENSES (DIRECT, CONSEQUENTIAL, SPECIAL, INDIRECT OR OTHERWISE) RESULTING FROM USING, RELYING ON OR ACTING UPON INFORMATION IN THIS DOCUMENT OR THIRD-PARTY RESOURCES IDENTIFIED IN THIS DOCUMENT EVEN IF HUNTINGTON AND/OR ITS AFFILIATES HAVE BEEN ADVISED OF OR FORESEEN THE POSSIBILITY OF SUCH DAMAGES, LOSSES, COSTS OR EXPENSES.

Lending and leasing products and services, as well as certain other banking products and services, may require credit application approval.

Third-party product, service and business names are trademarks/service marks of their respective owners.