What is business email compromise and how to prevent it

June 13, 2023 | 3 minute read

You don’t have to work in the finance department of a big company to be the target of business email scams. Business Email Compromise (BEC) is the term for financial cyber events in which the targeted individual is contacted through their work email. The cyber criminal uses a hacked or fake account that looks legitimate in an effort to trick the target into sending funds.


How to protect yourself

Be proactive

  • You are your company’s first line of defense. Know your company’s cyber security plan and how to respond to any suspicious emails.
  • Require multiple users to initiate and approve transactions. If an email looks strange, look up the sender and email or call them (don’t use the number they provide).
  • Never trust unknown individuals. Verify everything they claim and do not send sensitive information to anyone whose identity you can’t confirm.
  • Invest in antivirus software and other cyber security software that can flag suspicious emails and websites.
  • Don’t call any numbers, click on links provided or download attachments from senders until you verify their identity.
  • Escalate if you are at all unsure. Take the time to discuss your suspicions with your manager or a colleague.


If you suspect you’ve been targeted

  • Don’t delay. Acting quickly after an event can minimize damage to your business.
  • Contact your bank’s servicing desk or support staff to report a fraudulent transaction as soon as you can.
  • Know and follow your local laws and guidelines for cyber incidents.
  • Document everything about the event. The more information you have, the better prepared you will be to assist an investigation, and the better prepared you will be against future cyber crime attempts.


Why it’s important

Cyber criminals do not discriminate, with targets ranging from wealthy individuals and families to employees at small businesses, nonprofits, school systems and churches.


A common threat method is called phishing, where seemingly legitimate messages are sent via email or messaging platforms to gain access to systems or data or to install malware (malicious software). This often involves the targeted individual entering sensitive data or clicking on malicious links.


There are different types of phishing:


  • Vishing: a cyber criminal impersonates a trusted source or utilizes tactics such as robocalls, to scam people out of data and money over the phone.
  • Smishing: utilizes SMS and messaging apps to scam people out of data and money.
  • Spear phishing: a highly targeted phishing campaign designed for specific individuals.
  • Spoofing: disguises communications in order to appear to be from someone else, including legitimate businesses or employees. Cyber criminals can spoof emails, phones numbers and websites.


Be alert, business email scams can appear to come from anyone, including:


  • A supplier. Arrives from a hacked email address to notify you of a bank account change or to request payment.
  • An attorney. Often arrives during a transaction such as a home purchase, with directions to send an expected payment, like a down payment.
  • A familiar address. Appears to come from someone you know and asks for confidential information, like payroll records.


The Global Information Security (GIS) team at Bank of America is made up of information security professionals staffing multiple security operations centers across the globe who work 24/7 to keep data and information safe.

Important Disclosures and Information

Neither Bank of America nor its affiliates provide information security or information technology (IT) consulting services. This material is provided “as is,” with no guarantee of completeness, accuracy, timeliness or of the results obtained from the use of this material, and without warranty of any kind, express or implied, including, but not limited to warranties of performance, quality and fitness for a particular purpose. This material should be regarded as general information on information security and IT considerations and is not intended to provide specific information security or IT advice nor is it any substitute for your own independent investigations. If you have questions regarding your particular IT system or information security concerns, please contact your IT or information security advisor.

Bank of America, Merrill, their affiliates and advisors do not provide legal, tax or accounting advice. Consult your own legal and/or tax advisors before making any financial decisions. Any informational materials provided are for your discussion or review purposes only. The content on the Center for Business Empowerment (including, without limitations, third party and any Bank of America content) is provided “as is” and carries no express or implied warranties, or promise or guaranty of success. Bank of America does not warrant or guarantee the accuracy, reliability, completeness, usefulness, non-infringement of intellectual property rights, or quality of any content, regardless of who originates that content, and disclaims the same to the extent allowable by law. All third party trademarks, service marks, trade names and logos referenced in this material are the property of their respective owners. Bank of America does not deliver and is not responsible for the products, services or performance of any third party.


Not all materials on the Center for Business Empowerment will be available in Spanish.


Certain links may direct you away from Bank of America to unaffiliated sites. Bank of America has not been involved in the preparation of the content supplied at unaffiliated sites and does not guarantee or assume any responsibility for their content. When you visit these sites, you are agreeing to all of their terms of use, including their privacy and security policies.


Credit cards, credit lines and loans are subject to credit approval and creditworthiness. Some restrictions may apply.


Merrill Lynch, Pierce, Fenner & Smith Incorporated (also referred to as “MLPF&S" or “Merrill") makes available certain investment products sponsored, managed, distributed or provided by companies that are affiliates of Bank of America Corporation (“BofA Corp."). MLPF&S is a registered broker-dealer, registered investment adviser, Member SIPC, and a wholly owned subsidiary of BofA Corp.


Banking products are provided by Bank of America, N.A., and affiliated banks, Members FDIC, and wholly owned subsidiaries of BofA Corp.


“Bank of America” and “BofA Securities” are the marketing names used by the Global Banking and Global Markets division of Bank of America Corporation. Lending, derivatives, other commercial banking activities, and trading in certain financial instruments are performed globally by banking affiliates of Bank of America Corporation, including Bank of America, N.A., Member FDIC. Trading in securities and financial instruments, and strategic advisory, and other investment banking activities, are performed globally by investment banking affiliates of Bank of America Corporation (“Investment Banking Affiliates”), including, in the United States, BofA Securities, Inc., which is a registered broker-dealer and Member of SIPC, and, in other jurisdictions, by locally registered entities. BofA Securities, Inc. is a registered futures commission merchant with the CFTC and a member of the NFA.


Investment products: