December News Article

Business Email Compromise … another Social Engineering Scam!


Business Email Compromise (BEC) is a fast growing type of phishing scam in which cybercrooks impersonate executives or managers to trick employees into transferring money, giving confidential data or even buying gift cards. The scam relies on sophisticated techniques in spoofing (making fake emails and business documents look convincing) and spear phishing (researching someone to launch highly targeted attacks).

Social engineering is the act of tricking you into divulging information or taking action, usually through technology. The idea behind social engineering is to take advantage of a potential victim’s natural tendencies and emotional reactions.

BEC is a social engineering scam where cybercrooks look to reap large rewards by deceiving employees into purchasing something or releasing payments. They are able to do this by acquiring a company’s, university’s, or your information, such as titles, email addresses and other pertinent data. The scam is executed by creating phony email addresses of real executives and asking for sensitive information such as wire payments and w-2 tax forms.

Sometimes the bad guys send a phishing scam to try and trick you into buying gift cards. Here’s how this BEC scam works:





  • Call the person who sent the request to verify that it’s legitimate
  • It is very important to quickly alert your supervisor/trusted source if you feel you have fallen victim to a BEC attack. If funds were transferred, there may be a chance to freeze the process/recover them. Contact the Office of Security and Access Management ASAP at 330-672-5566
  • Report any suspicious emails to!
  • Avoid replying to the sender, especially if the message comes from a personal email address instead of the address – email your response to the executive or manager's ACTUAL email address
  • Be wary of changes in how the sender communicates, especially if you are asked to maintain secrecy or if there is a tone of urgency. Double check the email address of the sender to make sure it isn’t being spoofed.