The Business Email Compromise (or BEC) scam has been around for many years and seems to be enjoying a resurgence in popularity lately.  At its essence, the BEC scam involves a scammer gaining access to an email account of someone who is part of a business transaction that involves wiring a large sum of money to a different party.  The scammer then pretends to be the recipient of the wire and asks the sender of the funds to use different wire instructions (that point to the scammer’s account).  Once the funds are sent to the new wire destination, the scammer has completed the theft and the legitimate recipient of the wire is left without the funds.

This scam is predicated on two separate failures.  The first failure is the compromise of an email account.  Wire fraud scammers usually try to gain access to the accounts of people involved in real estate, land development, construction or title transactions, as they are more likely to use wire transfers to send or receive funds.  The email account compromise may be as simple as the scammer purchasing a list of compromised accounts from the dark web.  At a more complicated level, the scammer may use general phishing (or targeted spear-phishing) attacks against organizations who work in industries likely to use wires.  Regardless of the method used to compromise the account, once compromised, the scammer will begin to surveil the back-and-forth communication, looking for an impending transfer of funds.  While this may seem like a long and tedious process, if a few months of work like this results in a payday of half a million dollars or more, it is time well spent for the scammer.  Once the scammer has identified an impending funds transfer, as well as the persons involved, he will either use a compromised account (if it’s the funds recipient’s account) or he will attempt to spoof the recipient’s email account by registering a domain (the part after the @ in an email address) nearly identical to the recipient’s address and then email the redirected wire instruction to the sender.  For example, think about replacing a lowercase “L” with a capital “i” in an email address.  If the legitimate recipient’s email address was (that’s LLC in lowercase), would you be sure that you would notice if you received an email from (that’s an uppercase “I” then a lowercase LC)?  Or maybe even just add an extra lowercase “L” to get  The fraudulent accounts are hard to spot unless you are really looking for them!  The fraudulent account is generally used to avoid leaving sent items in the recipient’s account (some organizations have email archiving always running) and to generally avoid leaving any tracks or suspicion with the legitimate recipient of the funds.

The second failure is a purely human one.  The sender of the funds gets an email from the fraudulent email account, often with an urgent or very time sensitive request to change the wire instructions, and sends the funds ASAP.  The funds then get wired to the scammer and the scam is complete.

Stopping the first failure is mainly a technical issue.  Use strong passwords, change passwords frequently and don’t allow cross use of passwords on other sites. Additionally, enforce MFA (Multi-Factor Authentication) using a text code, a code generator app or a USB security key.  Finally, monitor the I.P. addresses being used to log into your email account(s) with an eye toward overseas I.P. addresses.  A recent forensic examination of a compromised Office365 account found numerous logins originating from I.P. addresses in Nigeria and Europe. 

Stopping the second failure is a bit more difficult.  It is often said that the weakest link in any security architecture is the people.  We are distracted, gullible, we aim to please, we don’t like to disappoint, and we don’t always listen to our “gut feelings.”  As a result, and despite all technical efforts to fight the first failure (discussed above), if the human element of this scam is ignored, you will end up as a victim of the scam.  Employees, especially those responsible for funds transfers, need regular and recurring training and reminders about staying vigilant.  Further, you can bolster your fund-transfer protocols in any number of ways to make sure transaction (and changes to them) are validated.  For example, at the onset of a business relationship with a client/vendor with whom you may be sending/receiving funds transfers to/from, you can set up a protocol whereby specific persons on each end of the transfer (or change of transfer details) must speak on the phone (remember when we used to talk to people?)  and agree verbally prior to the transfer or change of details.  Alternately, an employee not related to the specific transaction at the firm sending/releasing the funds can be designated as the transfer confirmation officer, tasked with either visually reviewing the requested details or verbally confirming all outbound transfers.  Organizations can even use a challenge/verification phrase where new clients/payees are verbally provided with a challenge word and a response.  Any request for funds or changes to wire instructions requires the use of the challenge word, and in order to verify the communication the correct response word must be provided. 

Ultimately, having additional scrutiny and thought and slowing down the process of transferring funds to allow for a chance to review and confirm the authenticity of the transfer will help to prevent you from falling victim to the BEC scam.  If you have been the victim of a BEC scam, please be sure to report it to the F.B.I. at the Internet Crime Complaint Center

ABOUT Peak Forensics: Peak Forensics is a full service Computer Forensics, Electronic Discovery and Consulting firm in Phoenix, Arizona.  Peak Forensics provides experienced, professional computer forensics services, client centric electronic discovery and seasoned testimonial and trial consulting services.  Peak’s CEO and founder, Jefford Englander, has been actively participating in computer forensics and ESI investigations for 15 years and has a background in local and federal law enforcement and the civil litigation realm.  From ESI collection to forensic analysis, hosted review, reporting and expert testimony, Peak can lead you to focused information

BlogForensics and E-DiscoveryGeneral