top of page

Payment scams via e-mail are growing fast

The type of attacks is called Business Email Compromise (BEC), but should be probably called email payment scam. These attacks are considered a type of phishing attack, although they don't necessarily involve credential theft.

While the ransomware business model relies on deploying complex malicious code to encrypt or steal data, BEC is based on traditional social engineering techniques: impersonate colleagues or business partners to solicit victims to perform transfer of funds to fraudulent bank accounts.

BEC message
Typical BEC message. Source: Microsoft

FBI says the amount of money lost to business email compromise (BEC) scams continues to grow each year, with a 65% increase in the identified global exposed losses between July 2019 and December 2021.

In 2021 FBI's Internet Crime Reporting Center IC3 received victim complaints regarding 19,954 BEC incidents, with a total exposed dollar loss of USD 2,4 billion.


IC3 data for 2021 also suggests BEC incidents are far more frequent than ransomware attacks, and the financial losses appear to be much larger than what is reported for other attacks, including ransomware. Of course, the losses following a ransomware attack are not always apparent immediately, and businesses probably do not report estimates of lost business, time and wages, as well as recovery costs.


Nevertheless, BEC is a serious problem: a recent survey by Osterman, a consultancy, suggests these attacks are far more frequent, with four out of five organizations reporting they were targeted by at least one BEC attack in 2021. For smaller businesses, that number rose to 9 out of 10.


BEC attacks are more difficult to spot with traditional email filtering or anti-phishing protection. That means continuous security awareness training (SAT) is again a key ingredient to mitigate risks. SAT initiatives have to be:

  1. Pervasive - including all employees, not just a subset.

  2. Continuous, meaning updated regularly and especially including newly hired employees

  3. Non-intrusive, i.e. not standing in the way of employee's daily productivity, short and effective

  4. Automated, i.e. provide tools for tracking progress: reporting phishing attempts and deploy phishing simulations to gain visibility into how vulnerable a business is.

Unfortunately, SAT initiatives are still quite rare, often done manually and in a DIY fashion, without tracking progress. Time to modernize that, as BEC will only grow.

Latest news

bottom of page