BEC Response Guide— Tips for Responding to Business Email Compromise Incidents

If you’re reading this and are in the middle of an incident, go to the first bullet now. The rest can wait.

Malware incidents suck, but if you want to know what it’s like responding to a BEC incident, triple the carnage, shake the snow globe, set it on fire and there you go, Business Email Compromise incident. While it may seem like there’s only one victim, in virtually every single incident there are multiple other parties and victims involved. Romance victims are mules, money moving from one place to another is typically laundered, and purchased merchandise or bitcoin has been re-shipped or tumbled to hide the trail.

Let’s not forget the voodoo, suicides, and murdering grandmom. I’ve sprinkled other lesser-known BEC facts for your reading entertainment. Enjoy. :)

My last count was 30 billion dollars lost over the last 5 years, but BEC (and related crimes) have reached the point of “the accurate total damages can no longer be articulated.” And that was like, two years ago.

I can’t stress this enough: BEC is bad news.

Timeliness is Key - Where to Report

  • If you’re in the middle of an incident, file a BEC report with IC3. This is how the FBI responds to incidents, and this is the fastest way to get things going. You can fill out the details here: IC3 Complaint Referral Form . If you’re in the middle of the incident, grab the bank accounts or check numbers ASAP and fill this out NOW. The sooner you fill it out, the higher your chances of success of getting the money returned. Like if this is you, stop reading now and go do that. The rest can wait.

Reporting Accounts

Sometimes you’ll have email, social media, or web accounts that the scammer used to contact you. Here’s what to do with that information.

  • Email accounts — Report these to the service provider. They’ve gotten much better at taking this stuff out over the years, and many do use this.

ATO / Account Takeover

Many BEC incidents include a compromised account. If this is you, here’s what to do.

  • Assume inbox = fully compromised. By this I mean “the scammers more than likely have a copy of every email in the account.” Actors use this information to hijack threads with other customers and clients, where they inject modified purchase orders or invoices, pretending to be you.
Image for post
Image for post
  • And SMS 2FA is better than nothing. There, I said it. (Ronnie’s thought: SIM swapping? Isn’t that more along the lines of a company not being able to protect their customers data? Why should end users be forced to suffer when the problem is upstream?)

If you have a compromised account, let the respective parties know. It’s 2020, attacks happen. Mitigate the risk now to lessen the damage tomorrow.

Processes, Processes, and Processes

Now that we made it past the “my pants are on fire” section, are there areas that can be strengthened without spending a dollar? You bet your butt there is!

  • What is your process for wiring money? Do you need phone verification, board approval, or meeting in-person? What are the limits for $50,000, $100,000, or $250,000 wires? How about a payroll change? A simple email with a W2 or picture of an ID isn’t enough, and true identity should be verified to prevent fraud. A simple phone call sounds pretty cheap when it could have prevented that $150,000 wire. (Yes these numbers are random, yes they are pretty accurate to what real numbers look like.)


There’s a dozen other things that could be implemented, however this was purely meant to be a quick-and-dirty guide on how to handle these. I have strangely “inherited” this problem, which is great because I have a habit of obsessing over things until they’re fixed. I think I heard someone complaining about ransomware, but I couldn’t hear them over the sound of the romance victim who was committed because she tried to commit suicide or the other victim who received $15,000 cash in a FedEx box from another state from another romance victim who cashed a check from a victim company, but who initially sent the check to a completely different work from home mule? (Ronnie’s Trivia: count the victims)

BEC is an absolute dumpster fire. But not just one dumpster fire, but more like 6 dumpster fires. Then take those dumpster fires and throw ninjas on top. Then add photoshopped raptors with bombs and a little more fire and have people throw gasoline on top of it…that’s BEC.

And shout out to Jim Sykora (not the Jim in the story, another Jim) for being like “Hey Ronnie, got any BEC playbooks?”

Written by

This is me. Dystopia with a smile, stomper of fraud, caller-outer of BS. Not all Nigerians are scammers. #EndFraud #BEC #OSCP

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store