← Back to Home

Category: Online & communication

Business email compromise (BEC)

Always confirm wire transfers and sensitive requests through a separate, known channel—call the real person on a number you already have—before sending anything.

How it often plays out

The CFO gets an email that looks like it’s from the CEO: “I need you to wire $50,000 to this account today—confidential deal.” The wire goes out before anyone double-checks. The CEO’s email was spoofed or hacked; the money has already landed in an account controlled by scammers, often overseas. By the time the bank is contacted, the funds are moved again. Business email compromise exploits trust and urgency; recovery is rare.

By the numbers

  • BEC is one of the costliest online crimes; the FBI reports billions in losses annually.
  • Scammers often target employees with access to finances or payroll.

How to spot it

Common red flags: pressure to act immediately, requests for payment by gift card or wire, offers that seem too good to be true, or unsolicited requests for your personal or financial details.

Do's and don'ts

Do

  • Confirm any payment or data request through a separate, known channel (e.g. call the real person) before sending anything.
  • If you already sent money or data, contact your bank and IT immediately.
  • Report to IC3 with email headers, transaction details, and recipient information.

Don't

  • Send wire transfers or sensitive data based only on an email.
  • Assume an email address or display name is genuine.
  • Rush a payment because the sender says it is urgent.

Summary & what to do

BEC scams use hacked or spoofed business or personal email to trick you into sending wire transfers or sensitive data to fraudsters. Report to the FBI IC3 with full details.

What to do right now

  • Confirm any payment or data request through a separate, known channel before sending anything.
  • If you already sent money or data, contact your bank and IT immediately.
  • Report to IC3 with email headers, transaction details, and recipient information.

Where to report

Who: The FBI's IC3 is the primary place to report BEC.

When to use: Use when someone used a compromised or fake email to request funds or data.

What to prepare:

  • Email headers
  • Bank/transfer details
  • Recipient info

Go to IC3~10 min

Who: The FTC also accepts reports of business-related fraud.

When to use: Use to report the scam in addition to IC3.

What to prepare:

  • What happened
  • Amount
  • Emails

FTC ReportFraud~5 min

Frequently asked questions

We already sent a wire. What do we do?
Contact your bank immediately to try to recall or freeze the transfer. Notify your IT team to secure email and other systems. Report to the FBI IC3 with full details including email headers and transaction info.
How can we prevent BEC?
Verify any payment or data request through a separate channel (phone call to a known number). Use multi-factor authentication and train staff to spot spoofed or suspicious emails.

Learn more

Need help now?