Business Email Compromise (BEC), also known as Email Account Compromise (EAC), is a sophisticated scam where criminals send emails appearing to come from trusted sources, making legitimate-seeming requests. These deceptive tactics have led to significant financial losses for individuals and organizations alike.

Common BEC Scenarios:

• Vendor Invoice Modification: A regular vendor emails an invoice with an updated mailing address.
• Executive Gift Card Request: A company’s CEO asks an assistant to purchase multiple gift cards for employee rewards and requests the serial numbers to distribute them promptly.
• Real Estate Payment Diversion: A homebuyer receives instructions from their title company to wire the down payment to a specified account.

In these real-world examples, the emails were fraudulent, resulting in victims transferring thousands—or even hundreds of thousands—of dollars to criminals.

How BEC Scams Operate:

• Email Spoofing: Scammers create email addresses that closely resemble legitimate ones (e.g., john.kelly@examplecompany.com vs. john.kelley@examplecompany.com) to deceive recipients.
• Spear Phishing: Targeted emails appear to come from trusted senders, tricking victims into revealing confidential information. This data allows criminals to access company accounts, calendars, and other sensitive details necessary to execute BEC schemes.
• Malware Deployment: Malicious software infiltrates company networks, accessing genuine email threads about billing and invoices. Criminals use this information to time fraudulent requests, making them appear legitimate to accountants or financial officers. Malware also enables undetected access to victims’ data, including passwords and financial account information.

Protective Measures:

• Avoid Clicking on Unsolicited Links: Do not click on links or attachments in unsolicited emails or text messages asking you to update or verify account information. Instead, independently look up the company’s contact information and reach out to confirm the request’s legitimacy.
• Scrutinize Email Details: Carefully examine email addresses, URLs, and spelling in correspondence. Scammers often use slight variations to trick recipients.
• Be Cautious with Downloads: Never open email attachments from unknown senders, and be wary of attachments forwarded to you.
• Implement Multi-Factor Authentication: Enable two-factor or multi-factor authentication on all accounts that offer it, and never disable this feature.
• Verify Payment Requests: Confirm payment and purchase requests in person or by calling the requester to ensure legitimacy. Always verify any changes in account numbers or payment procedures directly with the person making the request.

In recent times, a concerning trend has emerged where scammers impersonate employees of reputable companies to offer enticing work-from-home positions. Once individuals express interest, they’re provided with online training and assigned tasks that require them to deposit their own money, often via cryptocurrency, into specific platforms. Initially, these platforms allow withdrawals, creating an illusion of legitimacy. However, as tasks progress, the required deposits increase, and eventually, victims find themselves unable to withdraw funds, resulting in significant financial losses.

Common Characteristics of These Scams:

• Scammers pose as employees of well-known companies.
• They don’t ask for professional references.
• Victims are required to deposit their own cryptocurrency or money transfers to perform work.
• Claims are made that larger deposits will result in larger commissions.
• Victims are required to check in with a “customer service” group for each set of tasks.
• Victims are required to withdraw proceeds after each round of tasks.
• Random bonuses are offered during the process, sometimes simply for registering an account.
• Victims are warned not to tell exchanges or banks about their activities.
• Various cryptocurrencies, like Bitcoin, Litecoin, Tether, or Ethereum, as well as money payments, are accepted.
• Salaries are only paid if the victim performs the work almost—if not every day.
• When a negative balance appears, victims are promised a much larger commission.
• Victims are encouraged to take out loans or ask family or friends for help to cover large negative balances.
• The issuance of tasks resulting in large negative balances is claimed to be “random,” or that customer service has no control over it.
• Victims are threatened that unless a minimum amount is deposited each day while the account is frozen, the account will never be unlocked.

Protective Measures:

• Be Skeptical of Unsolicited Job Offers: Legitimate companies typically don’t require upfront payments or personal investments for job tasks.
• Verify Company Credentials: Research the company independently and contact them through official channels to confirm the job offer’s authenticity.
• Guard Personal Information: Be cautious about sharing personal or financial details, especially if pressured.

Scammers, through various means of manipulation, convince victims to deposit more and more money into financial “investments” using cryptocurrency. In truth, these investments are fake; all victim money is under the control of—and ultimately stolen by—criminal actors, usually overseas. As a result, victims typically lose all money they invested.  

Scammers use a variety of methods to initially lure and contact victims. Here are some of the most common methods: 

• Social Media: Scammers use social media to reach out to victims directly—by messaging them—or indirectly through deceitful job advertisements or investment opportunities that can be found on all main social media platforms.
  
• Texting: Scammers text victims pretending they misdialed a number, sending a photo of themselves, or saying they work for a company that is hiring for job opportunities. 
  
• Dating Sites: Scammers create thousands of fake dating profiles on all common dating sites and match with victims to establish a romantic relationship based on trust. 

Bottom Line: If you met someone through a method described above, and that person pitched an investment opportunity that involved cryptocurrency—beware: this is likely cryptocurrency investment fraud.

In these scams, criminals pose as representatives from legitimate companies, such as financial institutions, utility companies, or cryptocurrency exchanges. They may impersonate any type of customer service or tech personnel appearing to offer support or assistance for the following: 

• computer/virus support
• virus software renewal
• banking
• online shopping websites
• utility companies
• security (including virus software renewal)
• printer
• cable and internet companies
• cryptocurrency exchanges

How Tech Support Scams Operate:

They tell you that there’s some sort of issue with your device or account. They try to reach you in a number of ways, including:

• Unsolicited phone calls or text messages claiming to be from tech support
• Internet pop-up windows telling you to call a tech support number
• Websites or online ads advertising a tech support number
• financial institutions, utility companies, or cryptocurrency exchanges

However the scammer gets your attention, they’ll inform you that they can fix the issue for you—for a fee—and that you have to act fast. Scammers may ask you to wire cash, send a gift card, or even transfer cryptocurrency as payment. Once you grant the scammer remote access to your computer or your account, they’ll steal your personal information and/or money.

How to protect yourself 

• Slow down and think. Scammers deliberately create a sense of urgency and panic within victims to convince them to act immediately.  
• Know that legitimate companies will never call you and offer tech support out of the blue. If you get a call like this, hang up.  
• Never let someone claiming to be tech support to have remote access to your computer or other device. These scammers often get a victim on the phone and send them a link to download malicious software on their computer. Once that scammer is in your computer, they have access to all of your personal information and files and can potentially drain your bank accounts, too.  
• Keep your virus scan software up to date on your computers to help eliminate pop-ups and malicious software being installed on your computer. 

Spoofing involves the deliberate falsification of communication sources—such as email addresses, sender names, phone numbers, or website URLs—to deceive recipients into believing they’re interacting with a trusted entity. This often entails minor alterations, like changing a single letter or symbol, making the fraudulent source appear legitimate

Phishing schemes frequently employ spoofing techniques to trick individuals into divulging sensitive information. For instance, you might receive an email that seems to be from a reputable company, urging you to update or verify personal details by clicking a link. This link directs you to a counterfeit website resembling the legitimate one, where any information entered is captured by cybercriminals.

Phishing has evolved into various forms:

• Vishing: Conducted via phone calls or voice messages.
• Smishing: Executed through SMS (text) messages.
• Pharming: Involves redirecting users from legitimate websites to fraudulent ones without their knowledge.

To safeguard against these threats:

• Be Skeptical of Unsolicited Requests: Legitimate organizations typically won’t ask for personal information via email or text.
• Verify the Source: Instead of clicking on provided links, independently navigate to the organization’s official website or contact them using verified phone numbers.
• Examine Communications Carefully: Look for inconsistencies in email addresses, URLs, and spelling that might indicate deception.
• Be Cautious with Downloads: Avoid opening attachments from unknown senders and be wary of unexpected attachments from known contacts.
• Implement Multi-Factor Authentication (MFA): Enhance account security by requiring multiple verification methods during login