Threat Intelligence Blog

Posted April 4, 2019

Raise your hand if you have ever received an email from an executive at your company, seemingly out of the blue. Raise your hand if that email, you swear, looked legitimate! And raise your hand if you replied to that email, only to realize, wait a second, “Why would the CEO ask me to wire transfer a vendor, completely out of protocol?”

You, my friend, have been a target of Business Email Compromise (BEC).

Also known as CEO fraud, this is a sophisticated scam targeting both businesses and individuals performing wire transfer payments. Scammers accomplish this by spoofing or compromising the legitimate business email accounts of high-ranking executives or other critical personnel like a CXO or board member. They then utilize social engineering to target specific individuals within the company – human resources (HR), finance, payroll – who can provide personally identifiable information (PII) like a W2 or who can initiate a direct deposit request (wire fund transfer).

BEC campaigns involve a lot of pre-planning and investigation by the cybercriminal and do not rely on malware or technical exploitation, instead these individuals take advantage of employee trust to succeed. Often times, these campaigns are conducted when a CEO is known to be away from the office so it’s harder for employees to confirm the request. The criminals perpetrating these attacks are often part of larger organized crime groups that employ lawyers, linguists, hackers, and social engineers. Once the system has been compromised, attackers lay in wait, studying their prey for sometimes months at a time before striking. Often, victims don’t realize they were attacked until the damage is irreversible.

You may be thinking, “This can’t possibly ever work,” when in fact, BEC losses have exceeded $12 billion USD—a 136% increase since December 2016.

Attackers use different tactics when running a BEC campaign. With Tax Day just around the corner, scammers will be looking for weak spots in your business email accounts. Here are a few different tactics to be aware of:

Wire Transfer

Unlike a rudimentary phishing email, BEC scammers often study the executives at your company through social media and email to find out who works for them, which departments they operate in, and how things are processed. 43% of BEC attacks are impersonating a CEO or company founder. Scammers study executives and key employees so they are more convincing when targeting employees to keep them from thinking twice or becoming suspicious of a request. Wire transfer fraud accounts for 46.9% of BEC attacks.

These attacks occur in higher frequency during tax season. In a scam reported to the IRS in 2016, attackers first tricked organization’s into sending W2 forms, and in a follow up email, attackers asked for a wire transfer to complete the “tax audit” they were perpetrating.

Common tactics used by scammers in wire transfer schemes:

  • An established sense of urgency
  • Email sent from a mobile device
  • Request for bank account details

Your best defense against this tactic is to ask yourself if the CEO would normally email you with an urgent financial request. The best way to identify whether or not the email is fraudulent is to pick up the phone and give them a call to verify. Most likely, it is a scam.


Another common BEC tactic, accounting for 40.1%, is deploying malware through a malicious link or PDF attachment. Usually, the links are to a fake invoice that, when clicked, possibly allows the criminal access to your enterprise systems. By gaining access to your enterprise email systems, the attacker can then study payment processes and systems to better defraud your organization in future.

You already know the best defenses against clicking a malicious link:

  • Verify the sender email address
  • Call the company to verify that there is an invoice
  • Copy the link and paste it into the browser

Though you may be armed with all the knowledge to avoid these malicious links, these emails are engineered to look as real as possible. If you have any doubts about the email in question, don’t open it at all!

Data Theft

Scammers often try to steal PII through BEC, accounting for 12.2% of attacks. When an attacker employs this tactic, they typically research the targeted organization’s HR department, then pose as a C-level executive requesting tax documents like W2s from the HR representative. Usually, the scammer will create an urgent story that involves sending all the employee W2s to the supposed executive, similar to the wire transfer method.

Data theft is one of the worst tactics to fall for because tax documents contain super sensitive PII, like Social Security Numbers, tax payer IDs, and income information—allowing criminals to steal the identity of everyone at your organization in one fell swoop. Stealing these tax documents also allows the criminal to file a fraudulent tax return and collect your employee’s return money. The best way to defend against this type of attack is to, again, be skeptical of these types of requests and always try to follow-up in-person with the email sender.

Though BEC attacks don’t target one specific industry over another, the FBI recommends several different mitigation tactics. Scams can be hard to spot; the most important thing to remember is that your organization has procedures in place for vendor payments and tax documents. Always follow your organization’s procedures and processes—even if a request seems urgent or is from an executive. During this tax season, be aware that the IRS never initiates contact with tax payers by any means—if the IRS is contacting you, it is NOT the IRS. To get in depth training on cyber safety, get a 14 day free trial of our Cyber Safety Awareness Training.

To report an IRS phishing scam, email


Additional Posts

How Ghost Army Tactics Can Help Federal Agencies Win the War on Hackers

During World War II, the 23rd Headquarters Special Troops achieved elite force status. But its ...

10 Hottest Threat Intelligence Platforms In 2019

How companies like LookingGlass, Cisco, CrowdStrike, and FireEye use threat data to protect ...