Tips to avoid business email compromise (BEC)

What is BEC?

Scammers pose as known contacts like vendors or business partners via email, or take over real email accounts, to trick you into sending money or sensitive information.

Common red flags

Requests with a high sense of urgency

Payment detail changes for high–risk transactions

Requests asking for confidentiality

Tips to avoid BEC

If you get a request for payment or sensitive information, always double–check it through a separate, trusted channel. For example, if the request comes by email, call the sender using a known, verified phone number before taking action. This helps confirm the request is legitimate and not someone impersonating a trusted contact.

Pro tip: Don’t use a phone number or email included in a message to verify a request. Only use contact information you already know and trust.

A common scam uses fake vendor emails claiming payment details have changed to trick you into sending money to the scammer’s account. Always verify new or updated payment instructions directly with the vendor before taking action.

Scammers may pretend to be employees and ask to change direct deposit or other payroll details. Always confirm these requests by reaching out to the employee directly using a known, trusted phone number before making any changes.

Provide frequent training to employees reminding them not to click suspicious links, download unknown files, or respond to pop–ups asking for information. Direct them to the Avoid common threats and scams or Security best practices for individuals pages for more info.

Pro tip: Reinforce that leaders within your organization won’t send urgent requests for payments or financial actions. Scammers often create a sense of urgency to push people to act fast.

Don’t give out your password, PIN, or sensitive information.

If you receive an email, phone call, or text message claiming to be from your financial institution and asking for this type of information, it is likely a “phishing” attempt. Report the activity to your financial institution immediately.

Ensure all accounts connected to business operations are protected with MFA to prevent unauthorized access. This includes email, social media, and website accounts.

Use a two-person approval process for online payment actions (ACH, wires, instant payments, foreign exchange), particularly for key vendors and large or high-risk transactions. This process should also apply when adding new payment details or making changes to existing payment instructions. Ensure approval procedures are documented, consistently followed, and regularly tested for effectiveness.

Adopt deepfake detection tools for executive communications and financial approvals, and provide training to staff to help them recognize synthetic voice or video cues. For more info, visit Tips to avoid AI scams.

Pro tip: Consider setting up a pre-agreed verbal code word or phrase with any business contacts within or outside your organization that you work with to process financial or other high-risk requests. A verbal code word can help you verify who you are speaking to before you initiate critical actions.

Scammers will take publicly available information, such as leadership names, job roles, and vendor details, to make their scams more targeted and convincing.

Pro tip: Avoid posting information about internal projects, travel plans, office locations, or work routines. For added security, limit your profile visibility only to trusted connections.

What are the risks?

Reputational risk

An incident can signal weak security and harm an organization’s reputation.

Financial loss

BEC incidents can lead to direct monetary loss through fraud or unauthorized payments.

Business operation disruptions

Incident recovery can consume an organization’s time and resources, disrupting normal operations.

Data loss

BEC can expose sensitive business or employee data.

Legal and regulatory risk

Data lost via BEC could lead to legal and regulatory obligations or enforcement.

Escalation

BEC can give bad actors initial access to an organization’s network, leading to further attacks.

DT1-05152027-12-8959736-1.1