Business Email Compromise (BEC)

Also known as CEO fraud or the "business executive" scam, the BEC scam relies on spear-phishing, a highly targeted tactic that criminals use to gain knowledge of and steal from a business and/or its employees. By leveraging existing business relationships between the person receiving the email and the person sending it, the criminal, pretending to be the trusted sender, will use various means to convince the recipient to send money or share financial information. BEC is one of the most financially damaging online crimes.

According to recent cybercrime statistics, BEC has stolen more than $26 billion from unsuspecting victims worldwide, including Canadian businesses. Spear-phishing, which includes BEC, continues to be one of the top reported scams out of about 40 fraud types recorded by the Canadian Anti-Fraud Centre (CAFC). In 2020, the CAFC received reports of almost $30 million in losses to this scam, and over $26 million in losses have been reported in the first half of 2021 alone. The BEC scam continues to grow and evolve, but with increased awareness, it can be prevented.

Recognize it

Although the tactics used by criminals to carry out BEC scams are increasingly sophisticated, there are warning signs to watch out for, including:

  • Financial transaction requests that pressure you to act quickly, demand secrecy, do not follow normal procedures, or involve direct contact with a senior official you are not normally in contact with.
  • Spoofed email addresses – check the address on every email requesting financial transactions or information, as it may be slightly altered. For example, if the real address is abc-123@mail.ca, the spoofed address might be abc_123@mail.ca. Hover over the sender name (header) to see the detailed email address.
  • Requests for sensitive information including: directions to click on a link to get to a login page; requests to update financial account details, even if they appear to be from the bank; requests for tax-related information.
  • Unexpected emails such as requests for payment from trusted suppliers that fall outside the normal payment schedule; or requests for payment of goods not actually ordered.
  • Suspicious attachments and links – if an attachment or link was not requested/expected, has an odd file name, is an uncommon type of file, or is not from a trusted source, do not open it.

Several types of BEC schemes have been observed in Canada, including:

  • Scheme #1: Involves a spoofed or compromised e-mail account belonging to an existing employee. The criminal, posing as the employee, emails the payroll department with a request to change the employee's direct deposit information. This tricks the company into depositing the employee's paycheque into a fraudulent account.
  • Scheme #2: Involves businesses that have well established relationships with suppliers, wholesalers or contractors. The criminal, using a spoofed or compromised e-mail account of the supplier, informs the business of a change in payment details. The email includes new banking information with instructions to send future payments to the "new" account which is actually fraudulent.
  • Scheme #3: Targets the financial industry with criminals posing as clients of banks, investment brokers and financial dealers. Using a spoofed or compromised e-mail account belonging to an actual client, the criminal directs the business to make an urgent transfer of funds, usually to a foreign account.
  • Other schemes include: criminals posing as top executives requesting that gift cards be purchased and sent for work-related purposes such as employee rewards; or requesting tax information for employees, which the criminals will later use for other fraudulent activity. There are additional variations of BEC, with new schemes being developed regularly.

Reject it

How can I protect my business?

  • Focus on education and prevention by training employees on good security practices and keeping current on frauds targeting businesses.
  • Never open e-mails or click on attachments or links from an unknown address, as they may contain malware used to compromise accounts.
  • Create intrusion detection rules that flag e-mails with extensions that are similar to the company e-mail, and register all Internet domains that are slightly different from the actual company domain.
  • Use a two-step verification process for payment requests. Contact the source through another means of communication (e.g. by phone) to confirm the request is legitimate. Do not rely on e-mail alone.
  • Use a dual-signature system with dual-authentication (the use of a security token), requiring at least two different authorized signatures for wire transfers.
  • Limit the amount of information shared publicly and use caution with social media. Fraudsters will use these sources to conduct research.
  • Ensure all software, including anti-virus software, is up to date on all computers, servers and mobile devices.
  • Create a whitelist of trusted e-mail addresses. E-mail from unknown addresses will be blocked or flagged. This minimizes the risk of phishing/spoofed e-mails getting through.
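
The detection rule and whitelist described above can be combined into one sender check. The following is an added example, not part of the original advisory: the company domain, the payroll address and the distance thresholds are assumptions, and only the abc-123@mail.ca / abc_123@mail.ca pair comes from the text.

```python
from email.utils import parseaddr

# Constructed sample data: only the abc-123@mail.ca / abc_123@mail.ca pair
# comes from the page; the company domain and payroll address are assumptions.
COMPANY_DOMAIN = "example-corp.ca"
TRUSTED = {"abc-123@mail.ca", "payroll@example-corp.ca"}

# Characters often swapped so an address looks unchanged at a glance.
CONFUSABLE = str.maketrans({"_": "-", ".": "-", "0": "o", "1": "l"})


def skeleton(text):
    """Collapse look-alike characters so near-identical strings compare equal."""
    return text.lower().translate(CONFUSABLE).replace("rn", "m")


def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header, trusted=TRUSTED, company_domain=COMPANY_DOMAIN):
    """Return (action, reason) for the From header of an incoming e-mail."""
    # parseaddr drops the display name, which the sender controls freely.
    addr = parseaddr(from_header)[1].lower()
    if "@" not in addr:
        return ("flag", "no parsable address")
    if addr in trusted:
        return ("allow", "on whitelist")
    for good in sorted(trusted):
        if skeleton(addr) == skeleton(good) or edit_distance(addr, good) <= 1:
            return ("block", f"lookalike of {good}")
    domain = addr.rsplit("@", 1)[1]
    if domain != company_domain and (
        skeleton(domain) == skeleton(company_domain)
        or edit_distance(domain, company_domain) <= 2
    ):
        return ("block", f"lookalike of domain {company_domain}")
    return ("flag", "unknown sender")
```

A message sent from a genuinely compromised account passes this check as "allow", which is why payment requests still need confirmation through another means of communication.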

Report it

How should my business respond?

Whether funds were transferred or not – BEC is a criminal act – always:

  • Report the incident to your IT personnel; they will provide guidance on how to handle the email.
  • File a complaint with the local police. Identify the incident as "BEC" or wire fraud. Be prepared to share all available details of the incident.
  • Report the incident to the Canadian Anti-Fraud Centre (CAFC) online 24/7 at the Canadian Anti-Fraud Centre.
  • Contact contact@cyber.gc.ca. The Cyber Centre will assist in mitigation and prevention, especially in cases where a technical compromise may have occurred.

If funds were transferred – immediately report the incident to your financial institution. Share the following information:

  • the amount
  • the account destination
  • other pertinent details from the request
  • ask about recalling the transfer
  • be sure they contact the recipient financial institution

We strongly suggest that you report the incident for the following reasons:

Regardless of whether funds were transferred, a criminal act has occurred. Please remember that every report counts and is a valuable tool for investigators.

If the scam is not reported, there is no record of the incident; therefore, the scale and scope of this fraudulent activity cannot be understood or investigated.

Do not be afraid or embarrassed to report the incident. Perpetrators are using more sophisticated techniques that can deceive even the most informed businesses.
