Watch for These Business Email Compromise Scams (or We Can Do It for You)

May 14, 2021
Top view.Hooded Hacker Breaks into Government Data. Professional shot in 4K resolution. 020. You can use it e.g. in your commercial video, medical, business, presentation, broadcast

The world is in the midst of a cybercrime boom – overall, about 80% of firms experienced an increase in cyberattacks in 2020. The US Federal Bureau of Investigation (FBI) IC3 Internet Crime Report that released just a short time ago gave some sense of the scale of the problem. The star of the show is the record 69% increase in reported cybercrime in 2020, a massive jump that confirms the extraordinary cybercrime risks that every company has to contend with. That means that everyone should be concerned about improving their defenses against phishing in such a volatile risk landscape. 

Phishing-related scams ruled the roost. Business email compromise (BEC) schemes continued to be the costliest cybercrime reported to IC3 consisting of 19,369 complaints with an adjusted loss of approximately $1.8 billion. Generic phishing slotted in at number two from 241,342 complaints, with adjusted losses of over $54 million. The number of ransomware incidents reported to the FBI also continues to climb, with 2,474 incidents reported in 2020. IC3 was careful to note that it doesn’t receive reports of all scams in a given year. 

The report also draws attention to one prominent new BEC scam. IC3 noted the rise of cryptocurrency-enabled BEC scams, adding new danger to an old problem. In this scenario, identity theft is used to commit fraud and access cash as usual, but the stolen funds are immediately converted to cryptocurrency, making them much harder to find. In more personal variations on this scheme that can sometimes target executives, initial victims were enticed into providing a form of ID to a bad actor that was then used to establish a bank account to receive stolen BEC funds and then transferred to a cryptocurrency account. 


What’s next in phishing? Find out in the 2021 State of Email Security Report! GET IT NOW>>


Business email compromise risk is high and will keep growing. As we reported in The State of Email Security, this type of flexible and devastating attack rose 14% in 2020, with a whopping 65% of organizations facing down a BEC threat. A flood of information about businesses gleaned in data breaches reached the dark web last year, fueling future attacks. Profit will also keep driving this category forward in 2022 – bad actors enjoyed payouts in 2020 that were 30% larger than the previous year. 

Three major business email compromise scams are the most prominent. These tried-and-true scams may not sound new, but they’re still being evolved with new twists every day to ensnare the unwary, and just one mishandled email could spell disaster. 

  • CEO Fraud: Attackers will pose as a company executive with the goal of fooling employees at any level into providing highly privileged credentials, executing unauthorized wire transfers or sending out confidential tax information. These bad actors use every social engineering trick in the book. Typically CEO fraud is initiated through carefully crafted spear phishing messages.
  • Account Compromise: One of the biggest goals for this style of cyberattack is account takeover. This is one of the most devastating forms of BEC attacks and opens up a whole new vista of fraud for cybercriminals that successfully pull it off. A favorite variation involves using phishing emails to hack an executive or employee account, then using that account to request invoice payments to vendors. Interestingly, this dovetails with reports that more than 56% of organizations reported falling victim to a breach caused by their vendor. 
  • False Invoice Scams: The FBI lists false invoice scams as one of the five major types of BEC scams. They rely heavily on social engineering and take skill to conduct, but the rewards are big. Commonly, these attacks are aimed at employees in a business’s financial department. Cybercriminals will engage in all manner of spoofing to perpetrate the scheme, including skillfully altering a legitimate invoice’s bank account numbers but leaving the rest of the invoice unchanged, making it hard to spot. Some attackers then increase the payment amount or create a double payment, but there are many variations. 

Still relying on a clunky SEG? Check out this chart to see why Graphus is better! GET THE CHART>>


Guarding against BEC scams has to be a top priority for every organization, especially potentially catastrophic executive phishing. But it doesn’t have to be something that absorbs a great deal of time from security teams or other employees. You’re protected from most common BEC scams when you use Graphus as your antiphishing software solution. One reason for that is that Graphus doesn’t just compare incoming messages against a safe sender or subject list. The smart AI independently adjudicates everything about each unique incoming message, including content and attachments, and uses more than 50 points of comparison to sniff out fakes. It also doesn’t wait for technicians to feed it fresh threat data to be able to detect emerging threats. The AI never stops learning, growing and evolving your protection with your business.  

Don’t spend valuable time and energy on keeping up with the latest intelligence about BEC scams in order to remain vigilant. Let Graphus do the work for you with simple, efficient, affordable protection that keeps phishing messages out of employee inboxes and BEC scams out of your business. Talk to our phishing experts today!  

Stay safe from even the most sophisticated cyberattacks and social engineering scams

Put the powerful TrustGraph® AI of Graphus to work for your business, and in minutes you’ll get a powerful, easy-to-use, and customizable EmployeeShield® against phishing attacks.
Get a Demo of Graphus