Knowledge Centre

Business email compromise (BEC) is a form of cybercrime that involves impersonating a legitimate sender, such as a boss, a colleague, a vendor, or a customer, and sending an email that requests a payment, a transfer of funds, or a change of account details. The email may look authentic and convincing, but it is a scam that aims to trick the recipient into fulfilling the fraudulent request.

Recognize BEC:
BEC scams rely on social engineering, which is the manipulation of human psychology to influence behaviour. The attackers may research their targets and use information from social media, websites, or previous email correspondence to craft a believable email. They may also spoof the email address or domain name of the sender or compromise the actual email account of the sender through phishing or malware. The email may contain a sense of urgency, pressure, or authority to persuade the recipient to act quickly and without verification. The email may ask for a wire transfer, a gift card purchase, a payroll change, or a tax form, among other things.

Examples of BEC:

  • CEO Fraud – Attackers pose as the CEO or any Senior Executive and send an email to employees, requesting them to transfer money to an account they control.
  • Data Theft – Employees in Human Resources are targeted to obtain personally identifiable information (PII) or tax statements of employees and executives. This data can be used for future attacks.
  • Fake Invoice Scheme – Companies using vendors are often targeted with this tactic, where attackers pretend to be the vendor requesting fund transfers for payments to a “new” account that is owned by fraudsters.
  • Change Payment Instructions – In this attack fraudsters attempt to change the destination of payments coming into or leaving a customer's account. For example, they may attempt to change the account number of a pending money transfer to be deposited in an account the attackers can access.
  • Account Compromise – An executive or employee’s email account is compromised and used to request invoice payments to vendors listed in their email contacts. Payments are then sent to fraudulent bank accounts.
  • Attorney Impersonation – Attackers pretend to be a lawyer or someone from a law firm supposedly in charge of crucial and confidential matters and request sensitive data.
  • Customer Account Compromised – A customer’s email account is compromised and is used to communicate with bank staff for the purpose of accessing funds or conducting other forms of fraud.

Red flags to watch out for:

  • Minor changes in the email address or domain name.
  • Differences in the invoice, letterhead, fax, or email template.
  • Unfamiliar supplier or vendor.
  • Altered beneficiary and transaction information.
  • Poor grammar or spelling.
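
The first two red flags above, a sender domain that differs from a known vendor's by a character or two and wording that pushes for a payment or account change, can be checked mechanically before anyone acts on a request. The Python below is an added example, not Scotiabank's code; the trusted-domain list, the phrase list and the sample message are constructed assumptions.

```python
from email.utils import parseaddr

# Constructed allowlist: domains of vendors and executives you already deal with.
TRUSTED_DOMAINS = {"acme-supplies.com", "example-corp.com"}

# Wording typical of the payment and urgency requests described above (constructed list).
PAYMENT_PHRASES = ("new account", "updated banking details", "wire transfer",
                   "change of account", "gift card", "urgent", "before end of day")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete or substitute one character)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header: str) -> str:
    """Domain part of a From: header such as 'Acme AP <ap@acme-supp1ies.com>'."""
    _, addr = parseaddr(header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike_domain(domain: str, max_edits: int = 2):
    """Trusted domain that this one closely resembles, or None.
    An exact match is trusted; one or two edits away (e.g. 'acme-supp1ies.com') is a lookalike."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if levenshtein(domain, trusted) <= max_edits:
            return trusted
    return None


def assess_email(from_header: str, subject: str, body: str) -> list:
    """Return the red flags found in one message (an empty list means none were found)."""
    flags = []
    domain = sender_domain(from_header)
    resembles = lookalike_domain(domain)
    if resembles:
        flags.append(f"sender domain '{domain}' resembles trusted '{resembles}'")
    text = f"{subject}\n{body}".lower()
    hits = [p for p in PAYMENT_PHRASES if p in text]
    if hits:
        flags.append("payment/urgency wording: " + ", ".join(hits))
    return flags


# Constructed sample in the fake-invoice pattern: lookalike vendor domain plus a "new account" request.
SAMPLE_FLAGS = assess_email(
    "Acme AP <ap@acme-supp1ies.com>", "URGENT: invoice 4471 overdue",
    "Please send the wire transfer to our new account before end of day.")
```

A flagged message is a prompt to verify the request through a known phone number, not proof of fraud; a clean result does not clear a message sent from a genuinely compromised account.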

Reject BEC:
BEC scams can be hard to detect, but there are some steps you can take to protect yourself and your organization from falling for this scam. Helpful tips include:

  • Have payments approved by more than one person and regularly verify and reconcile transaction logs and payment reports.
  • Be wary of any email that requests a payment, a transfer, or a change of account details, especially if it is unexpected, urgent, or unusual.
  • Verify the identity and authenticity of the sender by calling them on a known phone number, or by sending a separate email to their official address.
  • Do not click on any links or attachments in the email, as they may contain malware or lead to phishing websites.
  • Use strong passwords, change them regularly, and enable multi-factor authentication for your email accounts.
  • Educate yourself and your staff on how to recognize and report BEC scams and implement policies and procedures for verifying and approving any financial transactions or changes.
  • Remember, Scotiabank will never ask for personal or financial information like account numbers, PINs, one-time passcodes or passwords through email or text message.

Report BEC:

Contact Scotiabank immediately: Don’t wait until the next business day.

  • Call us right away at 1 (800) 265-5613.
  • The sooner we know, the more effective we can be in helping you reduce the damage.
  • Forward suspicious emails that appear to be from Scotiabank to phishing@scotiabank.com.

Contact the authorities: Contact your local police and the Canadian Anti-Fraud Centre to report the crime.