Business Email Compromise: The Evolving Threat That's Getting More Sophisticated Every Day
Business Email Compromise (BEC) scams have evolved far beyond the crude "Nigerian prince" emails of the past. Today's cybercriminals are sophisticated, patient, and devastatingly effective. The FBI reports that BEC scams resulted in over $2.9 billion in losses in 2023 alone, and that's just what gets reported.
But here's what most businesses don't realize: these criminals are no longer limiting themselves to traditional email attacks. They're getting creative, infiltrating trusted systems and exploiting the very referral networks we rely on for legitimate business.
The New Frontiers of BEC Attacks
While email remains the primary vector, I've witnessed firsthand how these scammers are expanding their tactics:
Website Contact Forms: Criminals are now using legitimate business contact forms to initiate relationships, appearing as potential clients or partners before transitioning to email for the actual scam.
Professional Referral Networks: Perhaps most disturbing, these criminals are infiltrating bar association referral services and other professional networks. They present themselves as legitimate businesses seeking legal services, only to pivot to BEC tactics once contact is established.
A Real-World Example: When "Legitimate" Referrals Turn Dangerous
Just recently, I received what appeared to be a routine referral through a bar association service. The initial contact seemed completely legitimate – a business inquiry that had been properly vetted through official channels. However, once I responded to establish contact, the follow-up communications immediately raised red flags.
Here's exactly how I identified and verified the threat:
Step 1: Initial Red Flag Assessment – The email came from a Gmail domain, which was suspicious but not impossible for a legitimate business inquiry.
Step 2: Company and Address Verification – I researched the company name and business address. Both appeared legitimate through standard searches.
Step 3: Reverse Image Search – I performed a reverse image search on the sender's profile photo, which showed it was indeed the CEO of the claimed company.
Step 4: Independent Contact Verification – Here's the critical step: I called the company using a phone number I found on a government-listed website, not through Google searches (criminals often create fake websites with similar names to legitimate businesses).
Step 5: The Revealing Conversation – When I spoke with a company employee, they immediately laughed and confirmed it looked like a scam. I forwarded the suspicious email to them. The employee revealed that their CEO had been victimized by identity theft about five years ago, with scammers using his name and image for BEC attacks. The CEO had actually ended up in court because victims believed he was involved in defrauding them.
I offered my services to them. Maybe they’ll hire me, maybe they won’t, but at least they know someone is using their identity to scam other businesses, and can take action. To defeat these advanced cyber-criminals, we all have to work together to share information, get educated and help our fellow hardworking people out.
Essential Protection Strategies for Your Business
Train Your Team: Ensure all employees understand BEC tactics and know to escalate suspicious communications immediately. Training is the best way to prevent losses from these types of scams.
Use Government-Listed Contact Information: Never rely solely on contact information found through Google searches. Criminals create fake websites with names similar to legitimate businesses. Always verify contact information through government databases, official registrations, or established business directories.
Implement Multi-Factor Verification/Authentication: Never process financial requests based solely on email instructions. Require verbal confirmation through independently verified phone numbers.
Establish Clear Wire Transfer Protocols: Create policies requiring multiple approvals and verification steps for any financial transactions, especially changes to existing payment instructions.
Monitor Domain Registration: Be suspicious of emails from recently registered domains, especially when conducting business transactions.
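The red flags described above (a free webmail sender, a recently registered domain, and payment instructions arriving by email) can be checked automatically before a person reviews the message. The following is an added example, not code from the author or from Tese Law; the webmail list, the payment phrases, the 90-day threshold, the sample messages and the registration dates are all assumptions constructed for illustration.

```python
from datetime import date
from email import message_from_string
from email.utils import parseaddr

# Assumptions: illustrative lists and threshold, not exhaustive or authoritative.
FREE_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
PAYMENT_TERMS = ("wire transfer", "bank details", "payment instructions")
RECENT_DAYS = 90  # what counts as "recently registered" here

def triage(raw_email, registered_on, today):
    """Return the red flags found in one inbound message.

    registered_on maps a sender domain to its registration date. In practice
    that date comes from a WHOIS/RDAP lookup; it is passed in so this runs offline.
    """
    msg = message_from_string(raw_email)
    _, address = parseaddr(msg.get("From", ""))
    domain = address.rpartition("@")[2].lower()
    flags = []
    if domain in FREE_WEBMAIL:
        flags.append("free-webmail-sender")
    created = registered_on.get(domain)
    if created is not None and (today - created).days < RECENT_DAYS:
        flags.append("recently-registered-domain")
    body = msg.get_payload()
    text = f"{msg.get('Subject', '')} {body if isinstance(body, str) else ''}".lower()
    if any(term in text for term in PAYMENT_TERMS):
        # Email alone never authorises payment: hold for a phone call to an
        # independently verified number.
        flags += ["payment-request", "hold-for-callback"]
    return flags

# Constructed sample messages and registration data (not real correspondence).
INQUIRY = ("From: Jane Doe <jane.doe@gmail.com>\n"
           "Subject: Legal services inquiry\n\n"
           "Our company would like to retain your firm.\n")
INVOICE = ("From: Accounts <billing@supplier-invoices.example>\n"
           "Subject: Updated payment instructions\n\n"
           "Please use the new bank details for the next wire transfer.\n")
REGISTERED_ON = {"supplier-invoices.example": date(2024, 5, 20)}
TODAY = date(2024, 6, 1)

if __name__ == "__main__":
    for name, raw in (("inquiry", INQUIRY), ("invoice", INVOICE)):
        print(name, triage(raw, REGISTERED_ON, TODAY))
```

A flag is a reason to verify, not a verdict: as the example earlier in this post shows, a free webmail address is suspicious but not impossible for a legitimate inquiry.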
The Hidden Victims: When Identity Theft Becomes Legal Liability
This case highlights something most people don’t consider. The legitimate CEO whose identity had been stolen wasn't the intended victim of the scam, but he was a victim because his identity was used to scam others. Many times, when people successfully avoid being scammed, they just delete the email, break contact, and forget. However, the better option is to notify the individual whose identity is being used to scam others. In this recent case, the CEO had already encountered that same scenario years earlier, when he became legally entangled after defrauded victims sued him, believing he was the perpetrator. Think about that for a moment. A business owner who was himself victimized by criminals ended up in court defending against claims from people who lost money to scammers using his identity.
This illustrates a critical point: BEC scams create multiple layers of victims, and the legal system doesn't always distinguish between the criminals and those whose identities they've stolen.
Why Simply Ignoring These Scams Isn't Enough
Here's a critical point most businesses miss: victims of successful BEC scams are more likely to be targeted again. Criminals sell victim lists and copy successful techniques employed by other criminal organizations. Once you're marked as vulnerable, the attacks intensify.
At Tese Law, we don't just advise clients to ignore these attempts; we believe in taking action against the criminals behind them. When individuals and businesses fight back, they not only protect themselves but help prevent future victims.
Taking Action Against BEC Criminals
If you or your business has been targeted by BEC scams (whether successfully or not), there are legal remedies available. From asset recovery to website takedowns and criminal referrals, victims have more options than they realize. But timing is critical, and the longer you wait, the harder it becomes to trace funds and hold perpetrators accountable.
The legal landscape is evolving to better address these sophisticated crimes, but businesses must be proactive in both protection and response.
The Bottom Line
BEC scams will continue to evolve, exploiting new technologies and trusted systems. The criminals behind these operations are sophisticated, well-funded, and patient. But they're not untouchable.
By implementing robust verification procedures, training your team, and being prepared to take legal action when targeted, businesses can not only protect themselves but help disrupt these criminal networks.
Don't wait until you're a victim to take these threats seriously. And if you've already been targeted, don't assume ignoring it is your only option. The law provides remedies for those willing to pursue them.
If your business has been targeted by BEC scams and you're interested in exploring legal options beyond simply ignoring the threat, contact Tese Law. We help businesses take action against cybercriminals.