Skip to Content
Security & privacy

The new twist to an old scam that you need to know about

Cybercriminals are constantly finding new ways to steal from us. Data breaches, ransomware, and phishing attacks are digital threats that we always need to be watching for.

Scammers are not only targeting individuals, they also go after businesses. In fact, cybercrimes against business are on the rise.

According to an FBI report, the worldwide numbers for Business Email Compromise (BEC) crimes have reached a devastatingly new high. A total of 40,000 worldwide BEC victims have been reported since January 2015, totaling a stunning $5 billion in losses. It’s a growing epidemic in the business sector, with a majority of the crimes perpetrated against U.S. based businesses, regardless of size.

What exactly is BEC?

The FBI describes Business Email Compromise as “a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.”

Basically, a BEC scammer attempts to trick employees into sending money transfers or handing out sensitive information, by impersonating executive email accounts. These attacks are initiated either by social engineering tricks, email spoofing or malware, targeting upper management executives, accounting and HR departments.

Now, hackers are posing as employees who have already been compromised to send emails targeting co-workers. The emails appear so legitimate it’s easy for people to get taken. BEC scams range from simple fake invoice schemes to elaborate impersonations aimed to siphon money out to the cybercriminal’s bank accounts.

Methods vary, but it only takes one compromised email in a chain to deploy an attack. Common vectors are phishing scams, where an attachment or a link gets sent via email and if opened, keylogging malware is deployed discreetly to the victim’s computer.

The cybercriminal, having access to email credentials, then cases the victim’s business patterns, studying financial contacts and correspondence, gathering vital information to finally launch the scheme.

Attacks have evolved to a point where the criminals monitor a target’s social media account to case behavioral patterns. If you know anyone with a business or works in IT, it’s important they are aware this is happening.

So how do we protect ourselves from this growing menace?

Be vigilant with email communication

Check email addresses carefully, especially those coming from executives demanding financial transactions. A missing character on the address could spell the difference between safety and compromise.

Set up two-factor authentication

Think about using two-factor authentication for fund transfers and corporate email accounts. Use known phone numbers for verification and avoid displaying these phone numbers on email correspondence.

Two-factor authentication means that to log in to your account, you need two ways to prove you are who you say you are. This adds an extra layer of security and should be used whenever a site makes it available. Click here to learn how to set up two-factor authentication.

Be careful with social media

Curate your social media feeds and avoid posting vital corporate workflow details.

Be wary of email links and attachments

Phishing attacks are extremely effective for cybercriminals, especially if they’ve already victimized someone in your organization. Make sure to scrutinize link addresses inside emails before clicking and do not open attachments from email accounts that are not trusted.

One thing to watch for with phishing attacks are typos; criminals are typically careless with spelling and grammar. If you receive an email or notification from a reputable company, it should not contain typos. Take our phishing IQ test to see if you can spot a fake email.

Use unique passwords

Many people use the same password for multiple websites. This is a bad idea. If your credentials are stolen from one site and you use the same username and/or password on others, it’s easy for the cybercriminal to get into each account. Click here to find out how to create hack-proof passwords.

Have strong security software

Regularly scan and protect your computer from malware, keyloggers and rootkits with trusted virus protection. Also, make sure that your security software is up-to-date for the best protection.

If you or your company is a BEC victim, the FBI recommends that you contact them to report the crime and file a complaint with the Internet Crime Complaint Center (

Your financial information seems to always be under attack, that’s why you need to know where it’s safe to swipe your debit card

With the recent outbreak of data breaches at retail locations and restaurants, it doesn’t feel safe to swipe your credit/debit card anywhere. This raises the question, is it time to stop using cards altogether and go back to cash? While we don’t think you should abandon plastic entirely, there are some places where using cash is better for security.

Click here to learn about these seven risky places to swipe your debit card. App background

Check out the free App!

Get the latest tech updates and breaking news on the go, straight to your phone, with the App, available in the Apple Store and Google Play Store.

Download Now