The email scam costing businesses billions

Criminals use simple emails to trick companies into diverting payments to untraceable accounts.

In 2019, a senior account specialist working for the city government in Ocala, Florida, received an email purportedly from a construction company doing work on the city’s new airport terminal. The sender asked Ocala’s finance department to update the company’s banking information; soon after, the city received a follow-up email with an invoice for $742,000. The city made the payment to the new bank account the next day. 

But a few days later, the construction company sent an email saying it hadn’t received payment for work done. Upon closer examination, the email requesting Ocala update the company’s payment information had come from a domain name with “constructions.com” plural instead of the singular “construction.com.” 

The real construction company had not requested the change in banking details. The city of Ocala had become the victim of a business email compromise (BEC) scam.

Prevalent even before the pandemic, these phishing attacks have increased over the past two years of remote working. Often grouped with whaling (phishing aimed at senior executives, whom BEC scammers typically impersonate), BECs are low-tech but highly efficient, costing organizations billions of dollars each year. 

Chris Connell, managing director of Kaspersky Asia Pacific, notes that BEC scams are so dangerous because scammers rely on social engineering rather than on malware or sophisticated hacking tools, which are more easily detected. 

“A scammer poses as a legitimate business contact, tricking the recipient into providing sensitive information or updating financial information to divert a payment,” Connell says. “An initial contact might be unobtrusive, but [it] paves the way for bad actors to launch an attack against a higher-ranking employee of the company.” 

How it works

Often the scammers send emails to HR and payroll departments posing as employees or suppliers requesting changes to their direct deposit data. Other times, the scammer poses as HR or a payroll provider and sends an employee a fake payment portal page. The employee enters his or her login information, which the scammer uses to access the real payment site and change the employee’s banking data. 

In April 2020, the FBI warned that fraudsters would try to take advantage of the “uncertainty surrounding the Covid-19 pandemic” with business scams. Their prediction came true: The number of internet fraud complaints filed with the FBI jumped to 791,790 in 2020, an increase of 69% from the previous year, with total losses exceeding $4.1 billion. Losses from BEC and email account compromise (EAC) incidents specifically increased from $1.3 billion in 2019 to $1.8 billion in 2020, the largest loss total of any crime category the FBI tracks. 

David Ng, Singapore manager of cybersecurity company Trend Micro, notes that despite being relatively low-tech, BEC can be harder to detect than malware-based attacks. “Since BEC attacks do not normally use malicious attachments or URLs, they can evade traditional security solutions that only look into suspicious content and behavior,” he says. 


Even the world’s biggest technology companies have fallen victim to BEC attacks. From 2013 to 2015, a scammer in Lithuania posed as a Taiwan-based hardware company that supplies equipment to Google and Facebook. By sending false invoices and contracts, the scammer managed to fraudulently bill the companies more than $120 million before being caught and prosecuted in 2017. 

Smaller companies and organizations also routinely fall victim to BEC scams, with many of the cases never reported, according to the FBI. That could be because the process of recovering the stolen money may appear daunting to many smaller companies, or because the cost of doing so seems to outweigh the loss. 

For example, in one case a scammer in Singapore convinced an employee of an organization to buy iTunes cards, according to Ng at Trend Micro. After a round of emails on the subject, in which the “manager” conveyed a sense of urgency, the employee went out and bought 20 iTunes cards worth 2,000 Singapore dollars, then took photos of the scratch-off code on each card and sent them via email. Only later did it become clear the real manager didn’t know anything about the request.

For scammers, these smaller amounts can add up to millions of dollars, says Mike Opacity, senior director of Threat Monitoring at ADP. The company’s fraud unit helps protect both ADP and its clients from internet scammers, who have only gotten more skilled. “The people we see engaged in this kind of activity, that’s their profession,” Opacity says.

5 types of BEC scams

The FBI has classified five types of business email compromise scams:

  • Bogus invoice scheme: Attackers pretending to be a foreign supplier request payment of an invoice to a bank account they control. 
  • CEO fraud: Attackers pose as the company CEO or another executive and email an employee in finance, requesting a transfer to an account the attackers control.
  • Account compromise: Attackers take over an executive’s or employee’s real email account and send invoice payment requests to that account’s contacts.
  • Attorney impersonation: Attackers posing as employees of a law firm make requests for information via email or phone, usually at the end of the business day, when the target is least likely to verify.
  • Data theft: Attackers target employees in HR and accounting to obtain personally identifiable information or tax statements of employees, which can be used for future attacks.

Emboldened scammers

The rise of remote working during the pandemic has revealed many new challenges for business security. People working from home might be using personal devices shared with other family members, putting corporate email on machines the company does not control. And despite their best efforts to be vigilant, most people’s behavior isn’t exactly the same at home as when they’re in the office. 

“In the office, it was easy to ask somebody if they sent something. Now it’s more asynchronous,” ADP’s Opacity says. “Because of the way we’re working during the pandemic, there’s a slightly higher chance of success.”

Many scammers succeed by faking urgency, Opacity explains. They might forge an email from the CFO to HR asking for employees’ tax forms, and in a rush to appease the executive, an unwitting employee sends the report. 

“The whole concept of social engineering is to get someone with access to buy into your story and instill a sense of panic, so they don’t think twice about doing what you ask them to do,” Opacity says. 


As people have gotten busier and relied more on electronic communications — especially during the pandemic — they’ve become less likely to pick up the phone and verify, he adds. In an office, you might pop over to the person’s desk or dial their extension to confirm a request. That’s more difficult when working remotely.

In addition to instilling urgency, scammers often do a lot of research in the pre-attack phase to understand the target company and its leadership, says Ryan Flores, senior manager of APAC forward-looking threat research at Trend Micro. 

“In most cases, the information on the CEO and top executives is on the company websites, including email and phone number,” Flores says. “This makes it easier for attackers to impersonate them and directly target people who report to these executives.” 

BEC scammers also scan LinkedIn for CEO profiles of particularly profitable industries such as oil and gas or manufacturing to find potential targets. 

“More sophisticated BEC attackers sometimes send keyloggers into a company and learn about how it conducts business and what are the ongoing transactions so that they can insert themselves into these conversations,” Flores says. “The availability of the information and investing in the preparatory phase before the actual BEC payment email — this is what makes them successful.”


Crucial lines of defense

Companies can take precautions to protect against BECs, with employees representing a crucial line of defense. Since BEC is primarily based on social engineering, a well-established system of protocols that apply to all employees, from the CEO to the newest recruit, can help to mitigate risks. 

For example, instead of hitting “reply” on an email about financial information, workers should start a new message to the address listed in the company directory, or follow up with a phone call, according to Opacity. Replying sends the answer wherever the attacker’s Reply-To header points, not necessarily to the address shown in the From line.

Employees should also be careful about what they post on social media, says Timothy Ogden, vice president of Global Fraud Prevention and Financial Crimes at ADP.    

“Sharing things on social media can tell some crook that you’re on vacation; the same is true of bank account or payroll account compromising,” Ogden says. 

How to avoid BEC scams

Trend Micro explains how to avoid falling victim to fraudulent payment requests:

  • Carefully assess the content of any email regarding payment, and pay special attention to the sender’s address. Scammers often mimic a legitimate address with a domain that differs by only one letter, as in the Ocala case. 
  • Mail filters should be configured to flag messages whose sender domain is a lookalike of the company’s own domain, or of a key supplier’s, as potentially fraudulent.
  • Check whether the request is consistent with previous behavior in terms of timing, sender, recipient and country of origin. Unusual language or a sense of undue urgency can be signs of a scam.
  • Confirm requests through an established out-of-band procedure, such as a phone call or a lookup in the company’s own vendor records, before any payment detail is changed. 
  • Phone calls to verify a transaction should be made to previously known numbers, never to a number supplied in the email itself.
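As an added illustration of the checks in the list above (and of the reply-versus-new-message advice from ADP earlier), here is example code that is not part of the original article and is not Trend Micro’s or ADP’s own tooling: a small Python screen a finance mailbox could run over incoming mail before any payment is processed. The trusted-domain list, the executive name and the three messages are constructed for the example; the lookalike domain constructions.com mirrors the Ocala case described at the start of the article.

```python
"""Screen payment-related email for the BEC warning signs discussed above:
lookalike sender domains, Reply-To/From mismatches, executives writing from
outside addresses, and urgent requests to change where money is sent.
Added example; trusted domains, names and messages are all constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed allow-list of domains permitted to send payment instructions (hypothetical).
TRUSTED_DOMAINS = {"ocala.example", "construction.com"}
# Assumed executives whose names CEO-fraud mail would borrow (hypothetical).
EXECUTIVES = {"jane doe"}

PAYMENT_WORDS = re.compile(
    r"\b(invoice|wire|bank(ing)? (details|information)|direct deposit|payment)\b", re.I)
URGENCY_WORDS = re.compile(
    r"\b(urgent|immediately|asap|today|right away|confidential)\b", re.I)
# "update ... bank", "new ... account", "change ... remit": a redirected payment
BANK_CHANGE = re.compile(r"\b(updated?|change|new)\b.{0,40}\b(bank|account|remit)", re.I | re.S)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one insertion separates construction.com from constructions.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 1):
    """Return the trusted domain that `domain` imitates, or None when it is the
    trusted domain itself, a genuine subdomain of it, or simply unrelated."""
    domain = domain.lower()
    if any(domain == t or domain.endswith("." + t) for t in trusted):
        return None
    flat = re.sub(r"[^a-z0-9]", "", domain)  # compare without dots and hyphens
    for t in sorted(trusted):
        if levenshtein(flat, re.sub(r"[^a-z0-9]", "", t)) <= max_distance:
            return t
        if t in domain:  # trusted name buried in an attacker host: construction.com.evil.example
            return t
    return None


def _text_body(msg) -> str:
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            return part.get_payload(decode=True).decode("utf-8", "replace")
    return ""


def analyze(raw_message: str) -> list:
    """Return the warning signs found; an empty list means nothing tripped."""
    msg = message_from_string(raw_message)
    findings = []
    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()

    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"sender domain {from_domain!r} is a lookalike of trusted {imitated!r}")

    # A reply would go to Reply-To, not to the address the reader sees in From.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")

    if display.strip().lower() in EXECUTIVES and from_domain not in TRUSTED_DOMAINS:
        findings.append(f"display name {display!r} is an executive but the address is outside the company")

    text = msg.get("Subject", "") + "\n" + _text_body(msg)
    is_payment = bool(PAYMENT_WORDS.search(text))
    if is_payment and URGENCY_WORDS.search(text):
        findings.append("urgency language combined with a payment request")
    if is_payment and from_domain not in TRUSTED_DOMAINS and not imitated:
        findings.append(f"payment request from a sender with no prior relationship: {from_domain!r}")
    if BANK_CHANGE.search(text):
        findings.append("request to change where payment is sent: confirm by phone on a number already on file")
    return findings


def should_hold(raw_message: str) -> bool:
    """True when the message must wait for out-of-band confirmation before any payment."""
    return bool(analyze(raw_message))


# Constructed sample messages (not real correspondence).
OCALA_STYLE = """\
From: Accounts <billing@constructions.com>
To: finance@ocala.example
Subject: Updated banking information

Please update our banking details before paying the attached invoice.
"""
CEO_FRAUD = """\
From: Jane Doe <jane.doe.ceo@personal-mail.example>
Reply-To: jane.doe@another.example
To: payroll@ocala.example
Subject: Quick favour

I need you to process a wire today. Keep this confidential.
"""
LEGITIMATE = """\
From: Accounts <billing@construction.com>
To: finance@ocala.example
Subject: Invoice 1042

Invoice attached, payable on the usual 30-day terms.
"""

if __name__ == "__main__":
    for name, raw in [("ocala", OCALA_STYLE), ("ceo", CEO_FRAUD), ("legit", LEGITIMATE)]:
        print(name, "HOLD" if should_hold(raw) else "ok", analyze(raw))
```

The screen deliberately flags rather than blocks: its output is a reason to pick up the phone and call a number already on file, which is the control the list above recommends. The allow-list and executive names would come from the company’s vendor records and directory in practice; keyword matching is crude, and the domain comparison is the check that would have caught the Ocala message.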

If your organization is hit by a scam, acting quickly can help mitigate the damage. For cases of fraud involving bank accounts within the U.S., the FBI can sometimes intercept payments before they’re lost. In 2020, officials with the Recovery Asset Team were able to freeze $380 million in payments to scammers. 

ADP’s security team helps clients who fall victim to BEC scams. That’s in part because the scams are so common but so complex that they can overwhelm law enforcement. 

“The criminals are often out of jurisdiction. The FBI has so many incidents, they’re probably working only on the biggest ones,” Ogden says. “We tell the client, if you contact the police, please also send them our info.”

Ultimately, after the city of Ocala fell victim to a BEC scam, government officials undertook an extensive review of their internal policies to ensure that they would not repeat the experience. The senior account specialist resigned.

But innovative BEC scammers are constantly coming up with new ways to access sensitive information. In addition to strict security processes, the most crucial tools to protect against scammers are knowledge and vigilance.

Amit Roy Choudhury

Based in Singapore, Amit Roy Choudhury is a freelance journalist specialising in technology, finance, healthcare and the environment. He also runs a Singapore-based consultancy, Writerspace, which works with companies to create original thought-provoking content. Amit also does public speaking engagements on all things related to technology and moderates panel discussions. Previously, Amit was the Technology Editor of Singapore-based publication, The Business Times, and has held several editor/editorial positions in various other media organizations in different countries.