The Business Email Compromise Scam: What Is It And How To Protect Yourself From It

The Business Email Compromise Scam: What Is It And How To Protect Yourself From It

In our last article, we talked about the human factor in IT security, and how simple human error is responsible for the vast majority of IT security breaches.

A specific type of human error IT security breach is known as the business email compromise scam. This social engineering practice is responsible for a number of IT security breaches.

A 2016 statement from the FBI reported that from October 2013 to May 2016, business email compromise scams (BEC) have cost businesses more than a billion dollars in damage.

Is your company vulnerable to this type of security breach? Keep reading to find out.

What Is A Business Email Compromise Scam?

In a business email compromise scam, an attacker uses a simple social engineering trick to gain control of an email account. How does it work?

I’m going to walk you through the entire process of what a business email compromise scam can look like. To illustrate the point, we’ll talk about a fictional company, Grasshopper Industries.

One common method BEC scammers use is to purchase a domain with a slight variation to that of the company’s, create a convincing looking login page, and set up a form designed to store any information that goes into it.

I find out that the URL to login to their company intranet is So I purchase the URL (notice the missing s?), duplicate the intranet login page, and program it to save any login information inputted into the fields.

There’s my tool, all set up. Now all I need to do is get the employees of Grasshopper Industries to show up at my new scam website and try to log in using it.

There’s a simple way to do that too.

First of all, I need to find out the name of Grasshopper Industries’ IT manager. So I browse LinkedIn, and find out her name is Michelle Devereaux.

Then, I head over to a payphone (so they can’t trace the call back to me), and I call the reception desk and say:

“Hello, I’ve got some information I need to send to Michelle in IT. What’s her email address again?”

Simple. Now I know her email is

This tells me what the IT manager’s email address is, but more importantly, it tells me what the format for email addresses is – the first initial, and the first five letters of the last name.

So I’ll set up my own email address on the domain I just bought –

If you think that looks like the same email address as Michelle’s email, that’s the point.

Next, it’s just a matter of finding a company directory. Again, LinkedIn can help here. So can Facebook, Twitter, and even a general Google search. There are a number of other tools out there you can use to find the employees of a company.

So let’s say we have a list of 1500 employees of Grasshopper Industries (it’s a big company, after all). Based on the formula we have for email addresses, we’ll create a list of emails. Some of them may not work, and that’s okay – it doesn’t cost anything to send an email.

Now we’ll send out an email from our bogus email account claiming to be the real Michelle Devereaux. It may say something like this:

Dear Will,

 We’ve recently had a security breach, and your information may have been compromised.

 I talked with Frank, and he agreed that everyone will need to change their passwords.

 To do so, please go to this link – From there, input your username and your old password, and the screen will prompt you to change your old password to a new one.

 If you have any trouble, please let me know.



Now, of the 1500 emails we send out, do you think at least one of those people will fall for our little spoof?

This is just one possible angle a BEC scammer can take.

The Business Email Compromise Scam: What Is It And How To Protect Yourself From It

So Now What?

Eventually, Michelle in IT will catch on. And she’ll alert her superiors, who will then begin to take some sort of measures to mitigate the damage.

But by then, the damage may already have been done.

If the scammer got their hands on the login and password for someone in accounting, they may have access to Grasshopper Industries’ tax information, and even their banking information.

Even worse, if they managed to get hold of an account with sufficient privileges, they could set up a piece of ransomware on the company servers in order to extort money from them.

They could also browse everyone’s private emails until they found someone with an account on Ashley Madison, and blackmail them for money.

And if they were secretly sent by Grasshopper Industries’ main competitors, Cricket Cooperative, they could find out information about Grasshopper’s plans for the future and tailor their plans accordingly.

Messy stuff.

Why BEC Scams?

At the end of the day, hackers use BEC scams because they work great, and they can often get away with them without having to use malware or break through complex layers of security.

They’re also fairly cheap, and the barrier to entry is fairly low. All you need is a basic understanding of how to build a website and some outside-the-box problem solving.

They’re particularly difficult to trace where the attack comes from. There are enough anonymous web registrars out there that you can hide your information fairly effectively.

And finally, they can slip through a lot of your built-up security layers. After all, it’s just a simple email, with no attachments or anything fishy that would raise red flags.

Are You At Risk For BEC Scams?

While any company is at risk, those that wire money internationally are often considered high value targets.

This is because they can divert a wire transfer from its destination into a scam account, and because the transfer is international it may be more difficult to track where it ended up.

If you’re concerned about what to do about BEC scams, you’re not alone.

But you don’t need to face this risk alone, either.

1st Secure IT can help.

Contact 1st Secure IT today to book a consultation with one of our experienced IT security professionals. We’ll help you assess your risks and implement strategies to help you stay safe from BEC scams and other potential risks.

Contact 1st Secure IT today and keep your business safe in an uncertain world.

1st Secure IT

4613 N. University Drive #323
Coral Springs Florida
(866) 735-3369

Cyber Security Risk Management and Consulting Services | 1st Secure IT | When Compliance Is Not Enough

How To Get Your Employees To Improve Your IT Secur...
The Human Factor In IT Security

Related Posts



No comments made yet. Be the first to submit a comment
Already Registered? Login Here
Monday, 19 August 2019

If you need help getting started... Contact Us!