Business Email Compromise (BEC)

Business Email Compromise is a sophisticated scam targeting organizations that conduct wire transfers or handle invoices. Attackers either compromise legitimate email accounts or impersonate executives/suppliers to redirect payments.

Types of BEC Attacks

  1. CEO Fraud - Attacker impersonates executive, requests urgent wire transfer
  2. Invoice Fraud - Legitimate invoice modified with attacker's bank details
  3. Account Compromise - Real email account used to send fraudulent requests
  4. Vendor Impersonation - Attacker poses as supplier requesting payment changes
  5. Attorney Impersonation - Fake lawyer requesting confidential/urgent payment

Immediate Actions

If Money Was Transferred

  1. Contact your bank IMMEDIATELY - Request a recall of the wire transfer
  2. Time is critical - Banks can sometimes recover funds within 24-72 hours
  3. File police report - Required for insurance and bank cooperation
  4. Contact recipient bank - Your bank should help coordinate

If Attack Was Detected Before Payment

  1. Do not respond to the fraudulent email
  2. Verify through known channels - Call the supposed sender using a known number (not from the email)
  3. Check for account compromise - Was the email sent from a real compromised account?
  4. Alert finance team - Implement additional verification procedures

Swedish Resources

Police - Report Fraud

  • Online report: polisen.se/anmal
  • Economic crimes: Include all evidence (emails, bank details, amounts)

Your Bank's Fraud Department

  • Contact immediately for wire recall
  • They can coordinate with correspondent banks
  • Document all communication

International Resources

  • Report: ic3.gov
  • If funds went to US banks, the FBI may be able to help recover them
  • Report even if not US-based - helps track criminal networks

Europol

  • Report: Through national police
  • Coordinates cross-border fraud investigations

Action Fraud (UK)

Evidence to Preserve

  • [ ] Original fraudulent email (full headers)
  • [ ] Any email chain leading up to the fraud
  • [ ] Invoice or payment request document
  • [ ] Bank transfer confirmation/details
  • [ ] Communication with the supposed sender
  • [ ] Login records showing account compromise (if applicable)

How to Get Full Email Headers

  • Gmail: Open email → Three dots → "Show original"
  • Outlook: Open email → File → Properties → "Internet headers"
  • Apple Mail: View → Message → All Headers

Prevention: Financial Controls

Implement these procedures to prevent future BEC:

Payment Verification

  • Dual approval for transfers above threshold
  • Callback verification using known phone numbers (not from the email)
  • Waiting period for new vendor bank details (24-48 hours)

Email Security

  • DMARC, DKIM, SPF - Prevent email spoofing
  • Email banners warning of external emails
  • Similar domain alerts - Monitor for lookalike domains
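A defender-side triage script for the full headers preserved under "Evidence to Preserve" and the controls listed above, added here as an example and not part of the HackAid guide: it reads the receiving gateway's Authentication-Results (SPF, DKIM, DMARC verdicts), flags a Reply-To that points to a different domain than From, and compares the From domain against an allow-list to catch lookalike domains. The sample message and the KNOWN_DOMAINS allow-list are constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed BEC-style "new bank details" message (not a real one): From: uses a
# lookalike of a known supplier domain, Reply-To points elsewhere, DKIM/DMARC fail.
SAMPLE_RAW = """Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=examp1e-supplier.com; dkim=none; dmarc=fail header.from=examp1e-supplier.com
From: "Anna Lind (Finance)" <anna.lind@examp1e-supplier.com>
Reply-To: anna.lind.finance@mail-example.net
Subject: Updated bank details for invoice 4471

Please use the new account for this invoice, it is urgent.
"""

# Hypothetical allow-list of your own and your vendors' real domains.
KNOWN_DOMAINS = {"example-supplier.com", "example.org"}

def auth_results(msg):  # spf/dkim/dmarc -> verdict from Authentication-Results
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for part in str(hdr).split(";")[1:]:  # element [0] is the authserv-id
            method, _, rest = part.strip().partition("=")
            if method:
                verdicts[method.lower()] = rest.split()[0].lower() if rest else ""
    return verdicts

def domain_of(header_value):  # domain of a From:/Reply-To: address, '' if absent
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()

def one_edit_away(a, b):  # one substitution, insertion or deletion apart
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long = sorted((a, b), key=len)
    return any(short == long[:i] + long[i + 1:] for i in range(len(long)))

def bec_indicators(raw, known_domains=KNOWN_DOMAINS):  # red flags in full headers
    msg = email.message_from_string(raw, policy=policy.default)
    auth, findings = auth_results(msg), []
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method) != "pass":
            findings.append(f"{method} did not pass ({auth.get(method, 'missing')})")
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    for known in sorted(known_domains):  # lookalike check against the allow-list
        if from_dom != known and one_edit_away(from_dom, known):
            findings.append(f"From domain {from_dom} is a lookalike of {known}")
    return findings
```

Run `bec_indicators(SAMPLE_RAW)` on the sample to see all four red flags; a message with passing verdicts, no divergent Reply-To and an allow-listed From domain returns an empty list.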

Training

  • Regular awareness training on BEC tactics
  • Simulated phishing exercises
  • Clear escalation procedures for suspicious requests

Guides & Documentation

FBI BEC Public Service Announcement

CISA BEC Guidance

NCSC Email Security Guidance

Insurance

Cyber Insurance

  • Many policies cover BEC losses
  • Check your policy for "social engineering fraud" coverage
  • Report to insurer within required timeframe
  • Police report usually required

Need Help?

If your Swedish organization has been targeted by BEC:

Apply to HackAid - We can help investigate account compromise and preserve evidence.


Last updated: 2026-01