Business Email Compromise: How BEC Works

Relying on the age-old art of deception, criminals use a variety of methods to compromise business email accounts, such as:

  • Phishing — using deceptive emails and websites to harvest credentials, personally identifiable information, and banking and credit card details.
  • Social engineering — using deceptive methods that rely on human interaction and often involve tricking people into breaking normal security procedures to divulge confidential or personal information useful to perpetrate fraud.
  • Email spoofing — sending deceptive email that appears to have originated from a trusted source.
  • Malware — malicious software that is unknowingly installed on a business’s computer system and that, among other things, can steal sensitive information, alter or hijack a computer system, or plant ransomware.

Experts don’t know how criminals select victims. However, perpetrators often monitor and study victims before initiating a BEC scam, learning the players and protocols necessary to perform wire transfer requests within the business environment. Some victims report receiving emails requesting additional details regarding the business or individual being targeted, such as name, travel dates, and more. Others report that they experience a cyber intrusion immediately before a BEC incident.

W-2 BEC fraud

A growing offshoot of this fraud is W-2 BEC fraud, in which a criminal tries to gain access to personal information (PI) about employees. Frequently, the criminal will gain access to a business executive’s email account, or create a spoofed, look-alike email address, and then send an email impersonating that executive to a key employee in human resources or payroll, requesting information such as:

  • Social Security Numbers
  • Home addresses
  • Salaries

After receiving the information, the criminal files fake tax returns for refunds or sells the PI to other criminals. In 2017, more than 200 employers fell victim to this scam, and hundreds of thousands of employees’ PI was stolen.

Identifying BEC Scams

Experts at the FBI’s Internet Crime Complaint Center (IC3) report these common characteristics of BEC complaints:

  • Criminals often target Chief Financial Officers — they are targets of 19 percent of BEC fraud incidents. Finance directors (7 percent), finance managers (6 percent), finance controllers (6 percent), and accountants (4 percent) make up the next most common targets.
  • Business and personnel targets often use open source email accounts, such as browser-based free email services.
  • Targets often include individuals who handle wire transfers within a business.
  • Spoofed emails very closely mimic a legitimate email request. CEOs are most often impersonated (42 percent), followed by managing directors/directors (28 percent) and presidents (7 percent).
  • Criminals often target personal email accounts.
  • Fraudulent email requests for wire transfers are well-worded, specific to the business, and don’t raise suspicions about legitimacy.
  • Some victims report the commonly used phrases “code to admin expenses” or “urgent wire transfer” in some fraudulent email requests.
  • Wire transfer fund amounts are business-specific and designed to mimic normal business transactions so they don’t raise suspicions.
  • Criminals often send fraudulent emails while executives are traveling so it’s more difficult to verify information.
  • Victims report that IP addresses frequently trace back to free domain registrars.
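
Several of these characteristics can be checked automatically when mail arrives. The following is an added example, not part of the original article: a small triage function that flags a look-alike sender domain, a free webmail sender, an executive's name on an outside address, and the two phrases quoted above. The company domain, executive name, webmail list, and sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for illustration (not from the article): the company domain,
# the executive name list, and the free-webmail domain list.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"pat rivera"}
FREE_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com"}
# Phrases the article reports victims seeing in fraudulent requests.
PHRASES = ("code to admin expenses", "urgent wire transfer")

def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_flags(raw):
    """Return the list of BEC indicators found in one raw message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload()
    text = (msg.get("Subject", "") + " " + (body if isinstance(body, str) else "")).lower()
    flags = []
    if domain != COMPANY_DOMAIN:
        if 0 < edit_distance(domain, COMPANY_DOMAIN) <= 2:
            flags.append("lookalike-domain")
        if domain in FREE_WEBMAIL:
            flags.append("free-webmail-sender")
        if name.lower() in EXECUTIVES:
            flags.append("executive-name-external-address")
    flags += ["phrase:" + p for p in PHRASES if p in text]
    return flags

# Constructed sample messages (not real mail).
SPOOFED = ("From: Pat Rivera <pat.rivera@examp1e.com>\nTo: payroll@example.com\n"
           "Subject: Urgent wire transfer\n\n"
           "Please send today and code to admin expenses.\n")
LEGIT = ("From: Pat Rivera <pat.rivera@example.com>\nTo: payroll@example.com\n"
         "Subject: Q3 budget review\n\n"
         "Agenda attached for Thursday.\n")

if __name__ == "__main__":
    print(bec_flags(SPOOFED), bec_flags(LEGIT))
```

A flagged message is a prompt to verify the request through a separate channel, not proof of fraud; as the list notes, well-worded requests may trip none of these checks.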

In our next article, we’ll discuss how to protect your company from BEC fraud and what to do if you become a victim.

We live in an age when you not only have to be an expert about your business, you also need ongoing expert help to protect your finances. At First Business, clients’ security is paramount. We’ve compiled the latest security advice in our Fraud Toolkit – access it today for ideas to help keep your employees abreast of the latest fraud protections.