Defining and Describing the Impact of Business Email Compromise

Business Email Compromise/Email Account Compromise (BEC/EAC) is a sophisticated scam that targets both businesses and individuals who perform legitimate transfer-of-funds requests. The scam is frequently carried out when a subject compromises legitimate business or personal email accounts through social engineering or computer intrusion to conduct unauthorized transfers of funds. Between June 2016 and July 2019, more than $26B in exposed dollar losses (2) due to BEC/EAC were reported to the Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3).

FBI Public Service Announcement (I-091019-PSA)

The following statistics were reported in victim complaints to the IC3 between June 2016 and July 2019:

  • Total U.S. victims: 69,384
  • Total U.S. exposed dollar loss: $10,135,319,091
  • Total non-U.S. victims: 3,624
  • Total non-U.S. exposed dollar loss: $1,053,331,166

  • Total U.S. financial recipients: 32,367
  • Total U.S. financial recipient exposed dollar loss: $3,543,308,220
  • Total non-U.S. financial recipients: 14,719
  • Total non-U.S. financial recipient exposed dollar loss: $4,843,767,489

BEC and Payroll Diversion

The IC3 has received an increased number of BEC complaints concerning the diversion of payroll funds. Complaints indicate that a company’s human resources or payroll department receives spoofed emails appearing to be from employees requesting a change to their direct deposit account. This is different from the payroll diversion scheme in which the subject gains access to an employee’s direct deposit account and alters the routing to another account. (3)

In a typical example, HR or payroll representatives received emails appearing to be from employees requesting to update their direct deposit information for the current pay period. The new direct deposit information provided to HR or payroll representatives generally leads to a pre-paid card account.

Some companies reported receiving phishing emails prior to receiving requests for changes to direct deposit accounts. In these cases, multiple employees may receive the same email that contains a spoofed log-in page for an email host. Employees enter their usernames and passwords on the spoofed log-in page, which allows the subject to gather and use employee credentials to access the employees’ personal information. This makes the direct deposit requests appear legitimate.

Payroll diversion schemes that include an intrusion event have been reported to the IC3 for several years. Only recently, however, have these schemes been directly connected to BEC actors through IC3 complaints.

A total of 1,053 complaints reporting this BEC evolution of the payroll diversion scheme were filed with the IC3 between Jan. 1, 2018, and June 30, 2019, with a total reported loss of $8,323,354. The average dollar loss reported in a complaint was $7,904. The dollar loss of direct deposit change requests increased more than 815 percent between Jan. 1, 2018, and June 30, 2019, as there was minimal reporting of this scheme in IC3 complaints prior to January 2018.

Suggestions for Protection

Employees should be educated about and alert to this scheme. Training should include preventative strategies and reactive measures in case they are victimized. Among other steps, employees should be told to:

  • Use secondary channels or two-factor authentication to verify requests for changes in account information.
  • Ensure the URL in emails is associated with the business it claims to be from.
  • Be alert to hyperlinks that may contain misspellings of the actual domain name.
  • Refrain from supplying login credentials or PII in response to any emails.
  • Monitor their personal financial accounts on a regular basis for irregularities, such as missing deposits.
  • Keep all software patched and all systems updated.
  • Verify the email address used to send emails, especially when using a mobile or handheld device, by confirming that the sender's actual email address matches who the message claims to be from.
  • Ensure the settings on employees' computers are enabled so that full email addresses, not just display names, are shown.
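Several of the checks in the list above (sender address versus claimed identity, lookalike domains in links, an out-of-band verification gate for account changes) can be automated at the payroll mailbox before anyone acts on a request. The following is an added example, not code from the PSA or from ComplexDiscovery; the company domain, the sample message and the similarity threshold are assumptions made for the illustration.

```python
import difflib
import email.utils
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample modelled on the payroll-diversion lure described above;
# every name, domain and link here is invented for this example.
SAMPLE_EMAIL = """\
From: "Jane Doe" <jane.doe@example-corp-mail.net>
Reply-To: jane.doe@freemail.example
Subject: Direct deposit update for this pay period

Please update my direct deposit before Friday's payroll run.
Confirm the new account here: http://example-c0rp.com/hr/direct-deposit
"""
COMPANY_DOMAIN = "example-corp.com"  # assumed legitimate business domain
CHANGE_KEYWORDS = ("direct deposit", "routing", "account number")

def is_lookalike(domain, legit):
    # Not the legitimate domain, but a typo or an extra label away from it.
    domain, legit = domain.lower(), legit.lower()
    if not domain or domain == legit:
        return False
    base = legit.split(".")[0]  # "example-corp"
    similarity = difflib.SequenceMatcher(None, domain.split(".")[0], base).ratio()
    return base in domain or similarity >= 0.85  # crude typo-squat threshold

def address_domain(header_value):
    _, addr = email.utils.parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def review_direct_deposit_request(raw, company_domain=COMPANY_DOMAIN):
    # Returns header/link red flags; an empty list means no flag was found,
    # not that the request is genuine, so verify out of band regardless.
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_content()
    if not any(k in (str(msg["Subject"]) + body).lower() for k in CHANGE_KEYWORDS):
        return []  # not an account-change request, nothing to gate
    findings, sender = [], address_domain(msg["From"])
    if sender != company_domain:
        kind = "a lookalike of" if is_lookalike(sender, company_domain) else "not"
        findings.append(f"sender domain {sender!r} is {kind} {company_domain!r}")
    reply_to = address_domain(msg["Reply-To"])
    if reply_to and reply_to != sender:
        findings.append(f"Reply-To domain {reply_to!r} differs from sender domain")
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        host = (urlparse(url).hostname or "").lower()
        if is_lookalike(host, company_domain):
            findings.append(f"link host {host!r} is a lookalike of {company_domain!r}")
    return findings
```

Run against the sample, the function reports three reasons to call the employee back on a known number before changing anything: a lookalike sender domain, a Reply-To pointing elsewhere, and a typo-squatted link.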

If you discover you are the victim of a fraudulent incident, immediately contact your financial institution to request a recall of funds and your employer to report irregularities with payroll deposits.

As soon as possible, file a complaint regardless of the amount with www.ic3.gov or, for BEC/EAC victims, BEC.IC3.gov.


(1) Reference PSA 1-022118-PSA, "Increase in W-2 Phishing Campaigns"
(2) Exposed dollar loss includes actual and attempted loss in United States dollars.
(3) Reference PSA I-091818-PSA, "Cybercriminals Utilize Social Engineering Techniques to Obtain Employee Credentials to Conduct Payroll Diversion"


Read the complete alert at Business Email Compromise: The $26 Billion Scam

Source: ComplexDiscovery