Email is one of the most used forms of communication in business — making it an easy target for scammers.

Business email compromise is a type of phishing attack that targets organizations in an attempt to steal money or important information. The FBI describes it as one of the “most financially damaging” online crimes.

Because of the type of information scammers are looking for — financial and personal — the most likely targets of business email compromise, or BEC, include:

  • Executives and leaders
  • Finance employees
  • Human Resource managers
  • New or entry-level employees

More than 15,000 business email compromise attempts were reported last year, according to Microsoft.

Scammers tend to do extensive research on how to fake identities. For example, emails from your “boss” requesting that you purchase gift cards for them are likely to be an attempt at business email compromise. Some thieves even go above and beyond, creating fake websites or registering a similarly named company.

Some other examples of how scammers can target you include:

  • Data theft: A scammer targets the Human Resource department to gain information like someone’s schedule or phone number. Once they get their hands on this information, it is easier to carry out the other forms of BEC.
  • CEO fraud: Someone has hacked or spoofed a CEO’s account and will try to email employees instructions to make a purchase or send money through different means.
  • Account compromise: Geared towards a person working in finance, like an Accounts Receivable Manager. The scammers hack into the account and obtain vendor information, then attempt to get that company to send money to a fraudulent account.
  • False invoice scheme: Scammers will pretend to be a vendor that you work with. They will send out fake bills with account numbers that almost match the real ones, maybe one or two digits off, or try to redirect your payment to another account.
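As an added illustration (not code from the original article), the following Python check compares the bank account number on an incoming invoice with the vendor's number on record and flags the near-match pattern described in the false invoice scheme above; the vendor table and account numbers are constructed sample data.

```python
from typing import Optional

# Constructed sample vendor master file: vendor name -> bank account number on record.
VENDORS_ON_FILE = {
    "Acme Supplies": "123456789012",
    "Northwind Paper": "998877665544",
}


def normalize_account(raw: str) -> str:
    """Keep only digits so '1234 5678-9012' compares equal to '123456789012'."""
    return "".join(ch for ch in raw if ch.isdigit())


def digit_distance(a: str, b: str) -> Optional[int]:
    """Number of differing digit positions, or None when the lengths differ."""
    if len(a) != len(b):
        return None
    return sum(x != y for x, y in zip(a, b))


def classify_invoice_account(vendor: str, invoice_account: str) -> str:
    """Compare an invoice's account number with the vendor's account on record.

    Returns one of:
      "match"          identical to the number on file
      "lookalike"      same length, only one or two digits differ (the BEC false-invoice pattern)
      "changed"        a different account entirely; confirm by phone with a known contact, not via the email
      "unknown_vendor" vendor is not in the master file
    """
    on_file = VENDORS_ON_FILE.get(vendor)
    if on_file is None:
        return "unknown_vendor"
    candidate = normalize_account(invoice_account)
    if candidate == on_file:
        return "match"
    dist = digit_distance(candidate, on_file)
    if dist is not None and dist <= 2:
        return "lookalike"
    return "changed"


if __name__ == "__main__":
    samples = [("Acme Supplies", "1234 5678 9012"), ("Acme Supplies", "123456789072"),
               ("Northwind Paper", "111122223333")]
    for vendor, acct in samples:
        print(f"{vendor}: {acct} -> {classify_invoice_account(vendor, acct)}")
```

Any result other than "match" should be routed to a human who verifies the change through a phone number already on file, never through contact details in the invoice email.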

Business email compromise can be dangerous if it is successful. Your organization may lose large sums of money, face widespread identity theft, or even accidentally leak confidential data.

Steps that help protect you and your organization include:

  • Use a secure email platform. UAB email, using Office 365, allows you to flag suspicious emails with one click, or you can forward the email to the reporting address [email address not rendered on this page].
  • Set up multifactor authentication. With DUO, no one can access your account without your approval. So, if you get a DUO notification that you did not prompt yourself, that should be a red flag.