NEED TO KNOW NEWSLETTER NOVEMBER 2025
Be Aware of BEC!
Everyone knows about phishing attacks. “Click on this message to download important documents right now!” But a specific type of phishing attack targets businesses or organizations through email, and the goal is to drain your resources. This is called a Business Email Compromise, or BEC.
In this month’s newsletter, we’re pulling back the curtain and showing you the truth about BEC attacks.
All BEC is phishing, but not all phishing is BEC.
Phishing is when an attacker uses fraudulent communications to trick someone into revealing sensitive information. A phishing attack is considered BEC if it specifically uses email to target a business or organization and steal money or data.
Hackers impersonate professional contacts, such as vendors who work with the organization.
The key to a BEC scam is sending a message that the target believes to be ordinary business. For example, the scammer impersonates a vendor and tells your organization that the vendor’s payment information has changed. From then on, your company is paying real invoices directly into the scammer’s account.
Executives and members of the finance department are the top targets.
BEC scammers want to subvert the people who control the organization or its money. If they can convince an executive to hand over critical data or talk the CFO into authorizing phony payments, then it’s payday for hackers.
Email accounts can be impersonated or taken over.
To run a BEC scam, hackers may register a near-identical email address (john,smith@example instead of john.smith@example) or take over an existing account via malware or credential theft.
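The look-alike address trick described above can be checked mechanically before a finance user ever sees the message. The following Python is an added example, not code from the newsletter or its authors: it takes a raw From: header, compares the sender against a constructed list of known business contacts, and reports whether the address is an exact match, a look-alike (punctuation swaps such as the comma above, confusable characters such as 1 for l, or a one-character edit), a display-name spoof (a known contact's name on an unknown address), or simply unknown. The contact list, addresses and sample headers are all constructed for the example.

```python
import re

# Constructed address book of known business contacts (hypothetical values).
# Keys are lowercase display names, values are the addresses we trust.
KNOWN_CONTACTS = {
    "john smith": "john.smith@example.com",
    "acme supplies ar": "ar@acme-supplies.example",
}

# Visually similar characters that look-alike addresses swap in.
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "|": "l"})

# Deliberately not email.utils.parseaddr: RFC-style parsing treats a comma as an
# address-list separator, so "john,smith@example.com" would be truncated to
# "john" and the look-alike we want to inspect would be lost.
_FROM_RE = re.compile(r'^\s*"?(?P<name>[^"<]*?)"?\s*<(?P<addr>[^>]+)>\s*$')


def _split_from(header_from: str) -> tuple[str, str]:
    """Return (display name, address) from a From: header value."""
    m = _FROM_RE.match(header_from)
    if m:
        return m.group("name").strip().lower(), m.group("addr").strip().lower()
    return "", header_from.strip().lower()


def _normalize(address: str) -> str:
    """Collapse the tricks a look-alike relies on: case, confusable
    characters, 'rn'/'vv' for 'm'/'w', and punctuation in the local part."""
    address = address.lower().translate(_CONFUSABLES)
    address = address.replace("rn", "m").replace("vv", "w")
    local, _, domain = address.rpartition("@")
    local = "".join(ch for ch in local if ch.isalnum())
    return f"{local}@{domain}"


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(header_from: str, contacts: dict = KNOWN_CONTACTS) -> dict:
    """Classify an inbound From: header against the known-contact list.

    verdict is one of "known", "lookalike", "display_name_spoof", "unknown".
    matches is the trusted address the sender resembles (or None).
    """
    name, addr = _split_from(header_from)
    known_addrs = set(contacts.values())

    if addr in known_addrs:
        return {"verdict": "known", "matches": addr, "reason": "exact address match"}

    norm = _normalize(addr)
    for known in known_addrs:
        if norm == _normalize(known):
            return {"verdict": "lookalike", "matches": known,
                    "reason": "same address once punctuation and confusable characters are removed"}
        if _edit_distance(addr, known) <= 1:
            return {"verdict": "lookalike", "matches": known,
                    "reason": "one character away from a known address"}

    if name in contacts and contacts[name] != addr:
        return {"verdict": "display_name_spoof", "matches": contacts[name],
                "reason": "known contact name on an unknown address"}

    return {"verdict": "unknown", "matches": None, "reason": "no known contact resembles this sender"}


if __name__ == "__main__":
    # Constructed sample From: headers, one per verdict.
    samples = [
        "John Smith <john.smith@example.com>",
        "John Smith <john,smith@example.com>",
        "ar@acme-supp1ies.example",
        "John Smith <jsmith@freemail.example>",
        "Jane Doe <jane@other.example>",
    ]
    for header in samples:
        result = check_sender(header)
        print(f"{header!s:45} -> {result['verdict']:20} {result['reason']}")
```

Anything other than "known" is a reason to route the message to the verification steps later in this newsletter (call the vendor on a number you already have, not one in the email) rather than to act on it.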
Recent BEC scams
- Lexington, KY lost $4 million after finance staff followed fraudulent payment instructions. The issue was discovered when the real recipient reported missing funds. Partial recovery was possible. The city has since tightened its verification protocols.
- Madison County, MS lost $2.7 million to a vendor impersonation scam. Weak verification controls were exploited. The county is now enhancing employee training and security protocols.
- Peterborough, NH lost $2.3 million after scammers spoofed a contractor via email. Funds meant for public projects were diverted and remain unrecovered. Verification gaps were exploited.
- Cabarrus, NC lost $1.7 million after fraudsters posed as a vendor and sent altered invoices from compromised email accounts. Most of the funds were unrecoverable.
Don't let BEC break your security
- Verify any unusual requests.
  - Why is payment data suddenly changing?
  - Is this person who they say they are?
  - Don't be afraid to ask questions.
- Are you using MFA?
  - Multi-factor authentication protects your credentials.
  - It makes it more difficult for hackers to steal your credentials for BEC scams.