Criminals often tailor their BEC scams to the organization and individuals they target by adding highly specific details based on internet research. However, most scams fall into these broad categories:
Invoice and payment scams. The criminal impersonates a vendor or customer and requests payment of an outstanding invoice, or asks that future payments be sent to a new account. The email may also carry a malicious link or attachment that directs the recipient to a phishing site or installs malware.
Urgent request from a supervisor. An employee receives an email that appears to come from their supervisor or a senior executive, requesting that they immediately send a gift or payment to a named recipient. In some cases the criminal first asks to move the conversation to text messaging or even video conferencing before making the request, and may use AI-generated text or a synthesized video feed to make the interaction more convincing.
Whaling. A campaign that targets a specific, high-level executive for financial gain, data theft, or to damage the reputation of the person or the company. Many whaling attacks begin with BEC tactics.
Data requests/theft. The scammers request personally identifiable information (PII) belonging to employees or customers, which they then use in follow-on financial scams targeting those individuals.
Commodities requests/theft. Scammers pose as the purchasing department of an established company, place large orders on credit, and arrange shipment of goods that are never paid for.
Whatever the method, the criminals count on the recipient being fooled, or not noticing that something is unusual about where the email came from or where the money or data is to be sent. That is the point where the social engineering, or coercion, begins.
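To make "something unusual about the origin" concrete, here is an added example (not code from the original article) of the kind of header checks a mail gateway or SOC script can run before a human ever reads the message. It flags three of the sender tricks described above: a Reply-To that points away from the visible sender domain, a display name that matches a known executive but an address that does not, and a sender domain that is a near-miss of a trusted vendor or corporate domain. The trusted-domain allowlist, the executive directory and the four sample messages are all constructed for the example; a real deployment would also consult SPF/DKIM/DMARC results.

```python
"""Flag BEC-style sender anomalies in raw email messages.

Added illustration, not part of the original article. Only message
headers are examined; the allowlist, executive directory and sample
messages below are constructed for the example.
"""
import email
from email.utils import parseaddr
from typing import List, Optional

# Assumed: domains the organisation treats as its own or as known vendors,
# and executives whose names are commonly impersonated.
TRUSTED_DOMAINS = {"example.com", "acme-supplies.com"}
EXECUTIVES = {"jane doe": "jane.doe@example.com"}


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an address ('' if none)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this one imitates, if any.

    A fixed threshold of two edits is a simplification; very short
    domains would need a stricter rule to avoid false positives.
    """
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if 0 < edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def analyze(raw: str) -> List[str]:
    """Return human-readable findings for one RFC 5322 message."""
    msg = email.message_from_string(raw)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)

    # 1. Replies would go somewhere other than the visible sender domain.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")

    # 2. Display name is a known executive, but the address is not theirs.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append(f"display name '{from_name}' impersonates {expected} from {from_addr}")

    # 3. Sender or reply domain is a near-miss of a trusted domain.
    for dom in {from_dom, reply_dom} - {""}:
        target = lookalike_of(dom)
        if target:
            findings.append(f"domain {dom} looks like trusted domain {target}")
    return findings


# Constructed sample messages (headers only matter for these checks).
INVOICE_SCAM = """\
From: Accounts Payable <billing@acme-supplies.co>
To: ap@example.com
Subject: Updated banking details for invoice 4471

Please remit future payments to our new account.
"""

REPLY_TO_SCAM = """\
From: Jane Doe <jane.doe@example.com>
Reply-To: jane.doe@webmail.invalid
To: staff@example.com
Subject: Quick favour

Are you at your desk? I need this handled today.
"""

DISPLAY_NAME_SCAM = """\
From: Jane Doe <jane.doe@webmail.invalid>
To: staff@example.com
Subject: Urgent

Call me when you can.
"""

LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: staff@example.com
Subject: Team meeting

See you at 10.
"""

if __name__ == "__main__":
    for label, sample in [("invoice", INVOICE_SCAM), ("reply-to", REPLY_TO_SCAM),
                          ("display-name", DISPLAY_NAME_SCAM), ("legit", LEGIT)]:
        print(label, "->", analyze(sample) or "no findings")
```

Each sample trips exactly one check, and the legitimate message trips none; in practice the Reply-To case is the one most likely to slip past a recipient, because the visible From address is genuine and only the reply path is diverted.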