Member FDICFDIC-Insured - Backed by the full faith and credit of the U.S. Government

Protect Your Business from Fake Email Scams: A Guide to Business Email Compromise

BEC fake email banner

Avoid Being on the Receiving End of a BEC Fake Email Attack

Business email compromise (BEC) attacks are on the rise, and it’s costing businesses billions. Among the various types of online scams, this type of attack has gotten so popular that experts estimate that between 2019 and 2021, BEC attacks increased 65%, costing businesses more than $43 billion. 

What exactly is a BEC attack?

A BEC attack is a highly sophisticated form of phishing, sending fake but legitimate-looking emails to trick an employee into complying with an “official” request for money or sensitive information. In practice, the email looks authentic, coming from a company official or vendor making an apparently legitimate request for money to be wired or deposited into a checking account controlled by the scammer. It may even contain a fake link to a news site or a blog post.

Scams include: 

  • False invoices appearing to come from a vendor requesting payment, 
  • Money requests from an authority figure within the company, 
  • Information requests from a legal representative, or 
  • Inquiries about employees through human resources. 

Scammers target lower-level employees who are more likely to comply with requests from authority figures.

How to prevent BEC attacks

The best defense against BEC attacks is awareness and training. Employees should be well-educated on protocols for verifying email requests for money or information and how to spot fake emails. Here are several additional steps a business can take to prevent BEC attacks:

  • Verify the sender’s email. Look for slight variations in an email address from a legitimate sender, such as changing the company address from rstone@xyz-company to rstone@ xyz_company. 
  • Don’t hit “reply”. Start a protocol to stop hitting “reply” and using “forward” to respond to emails. That requires employees to manually type in the intended email address. 
  • Verify requests. Another standard protocol should be to confirm face-to-face, or by phone, any email requests for wire transfer or confidential information. Never use the phone number in an email to confirm. Instead, look up the number from the business that the email purportedly came from.

Don’t make the mistake of believing you’re not a target. If your business has been targeted with a BEC attack, contact your financial institution and information technology staff. File a complaint at

Alpine Bank’s online protection measures ensure your information is safe. Read about the security measures we employ today.

About This Author


Ross Bentzler

Ross Bentzler is Executive VP and Information Security Officer for Alpine Bank. Ross has worked in the information technology field for two decades, focusing on information security for 13 years.

More about Ross Bentzler

Allpoint It’s your money after all. Find a surcharge-free ATM