Business Email Compromise (BEC), also known as “CEO fraud” or “supplier swindle,” is a sophisticated scam targeting companies rather than individuals – though ultimately it is people within companies who get duped. In a BEC scam, fraudsters impersonate a trusted party via email to trick an organization into sending a large payment to the wrong account. There are a few common scenarios: one is pretending to be a high-ranking executive (CEO, CFO) emailing a subordinate in finance, urgently instructing them to wire money to a certain account (often under the guise of a confidential deal or emergency). Another scenario is spoofing a supplier or business partner: the scammer hacks or mimics a vendor’s email and sends an invoice or payment instructions to the victim company, who then unwittingly pays the fraudster instead of the real supplier. Unlike many scams that cast a wide net, BEC scams are often highly targeted and researched – criminals might spend weeks learning about a company’s employees, vendors, and payment processes to craft a believable con.
How it Works: The key to BEC is deception and timing. Scammers might register look-alike domains (e.g., if your partner is Acme Corp with domain acme.com, the scammer might use acme-co.com or a misspelled version) or compromise an actual email account through phishing. They often strike when the real person they’re impersonating is out of office or when a big transaction is expected. For example, a company’s accountant may receive an email that appears to come from their CEO: “We need to finalize a wire transfer today for a secret acquisition. Please send $200,000 to this account immediately. I’m in a meeting, no calls – just get it done.” The pressure and authority in the message can override the employee’s caution. By the time anyone realizes the CEO never sent that email, the money has been wired to a bank account controlled by the scammer (usually overseas) and quickly withdrawn or laundered away.
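The look-alike-domain trick described above is one of the few parts of a BEC attempt that can be checked mechanically before a payment goes out. The following is an added example, not code from the original article: it normalizes the sender domain of a `From:` header (stripping hyphens and collapsing common visual substitutions such as `rn` for `m`), then compares it against a list of trusted partner domains using an exact match, a containment rule (`acme-co`, `acmecorp`) and a one-character edit distance for typo squats. The trusted list `acme.com`, the homoglyph table and every sample address are constructed for illustration; a real deployment would load the partner list from the vendor master file and handle public suffixes such as `co.uk`.

```python
"""Flag sender domains that mimic, but are not, a trusted partner domain.

Added example for the BEC "look-alike domain" discussion; not from the
original article. The domains and addresses below are constructed.
"""

# Constructed allow-list of vendor/partner domains the finance team pays.
TRUSTED_DOMAINS = {"acme.com"}

# Visual substitutions often used in look-alike registrations (constructed subset).
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e"}

# Constructed From: header values used by the demo driver and the checks.
SAMPLE_FROM = [
    "CEO <ceo@acme.com>",                          # genuine
    "Accounts <billing@acme-co.com>",              # hyphen insertion
    "Accounts <billing@acrne.com>",                # 'rn' masquerading as 'm'
    "Vendor <ap@acme.com.payments-portal.net>",    # trusted name buried in another domain
    "Someone <mail@example.org>",                  # unrelated, not flagged
]


def registrable_label(domain: str) -> str:
    """Second-level label: 'mail.acme-co.com' -> 'acme-co'.
    Public-suffix handling (e.g. 'co.uk') is out of scope for this example."""
    labels = domain.lower().strip().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def canonical(label: str) -> str:
    """Collapse cosmetic tricks so variants land on the real name."""
    label = label.replace("-", "")
    for glyph, letter in HOMOGLYPHS.items():
        label = label.replace(glyph, letter)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) for catching single-typo squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, trusted=TRUSTED_DOMAINS):
    """Return (verdict, matched_domain) for the domain part of an address.

    verdict is 'trusted', 'lookalike' or 'unknown'. 'lookalike' means the
    domain is NOT trusted but imitates a trusted one: the BEC signal to act on."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(">")
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return "trusted", t
    label = canonical(registrable_label(domain))
    for t in trusted:
        if t in domain:                        # e.g. acme.com.payments-portal.net
            return "lookalike", t
        tlabel = canonical(registrable_label(t))
        if label == tlabel:                    # hyphen / homoglyph variants
            return "lookalike", t
        if tlabel in label and len(label) - len(tlabel) <= 3:   # acme-co, acmecorp
            return "lookalike", t
        if levenshtein(label, tlabel) == 1:    # single-character typo squat
            return "lookalike", t
    return "unknown", None


def scan_headers(from_headers):
    """Return [(header, imitated_domain)] for every header classified as a look-alike."""
    flagged = []
    for header in from_headers:
        verdict, matched = classify_sender(header)
        if verdict == "lookalike":
            flagged.append((header, matched))
    return flagged


if __name__ == "__main__":
    for header, imitated in scan_headers(SAMPLE_FROM):
        print(f"HOLD PAYMENT: {header!r} imitates trusted domain {imitated}")
```

A hit from `scan_headers` is a reason to hold the payment and verify the request out of band (a phone call to a number already on file, never one taken from the suspicious email). The containment and edit-distance rules err on the side of flagging: for a finance mailbox, a false positive costs a phone call, while a miss costs the wire.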
Impact: BEC scams have been wildly successful financially – in fact, by many reports, BEC is the single largest source of cybercrime losses worldwide in the past few years. The FBI began tracking BEC around 2013, and by 2017 they had recorded over $3 billion in losses just from reported cases in those four years. Since then, that number has ballooned (estimates exceed $10 billion globally over the last decade). High-profile victims include huge companies: for instance, between 2013 and 2015, Facebook and Google were conned out of over $100 million via BEC. In that case, a Lithuanian man simply sent fake invoices and emails impersonating a large Asian hardware supplier, and the tech giants dutifully paid – $23 million from Google and about $99 million from Facebook. (They eventually recovered some of it when the scam was exposed.) Other cases involve real estate escrow funds, law firm trust accounts, even town governments being tricked into wiring money. Individual transfers often range from tens of thousands up to millions of dollars. Unlike many scams on this list, BEC typically doesn’t involve large numbers of victims losing a little each; it’s usually a smaller number of big victims losing a lot in one go. For the companies hit, the fallout includes financial loss, reputational damage, and sometimes lawsuits or insurance claims. In some tragic instances, employees who fell for BEC scams have lost their jobs or faced severe stress. There have even been reports of suicide in at least one case where an employee felt responsible for a massive loss.
Legal Consequences: Law enforcement agencies worldwide have made BEC a top priority, since it often involves organized criminal networks. The perpetrator in the Google/Facebook scam, Evaldas Rimasauskas, was tracked down and arrested in Europe, extradited to the U.S., and in 2019 pleaded guilty to fraud – he was sentenced to 5 years in prison and ordered to forfeit $49.7 million. In another example, Nigerian authorities and the FBI collaborated to arrest a notorious BEC scammer named Obinwanne Okeke (“Invictus Obi”), who was sentenced in the U.S. in 2021 to 10 years for stealing approximately $11 million via BEC schemes. Larger crackdowns have also occurred: the 2019 case mentioned earlier with 80 individuals indicted in Los Angeles included BEC schemes among other frauds. Furthermore, Interpol and Europol have coordinated periodic global stings (like Operation “WireWire” and “Rewire”) resulting in dozens of arrests of BEC crews in various countries. While many BEC actors remain elusive – especially those based in nations where cybercrime enforcement is weaker – the heat is on. There’s also an increased emphasis on banking protocols to freeze suspicious wires quickly and recover funds when possible. Some of the stolen money has been clawed back by quick intervention, but prevention is far preferable since once the money’s gone, recovery is never guaranteed.