
What is Business Email Compromise?
Business Email Compromise (BEC), also called CEO Fraud, is a sophisticated, targeted scam where attackers impersonate executives, employees, or trusted vendors via hacked or spoofed email accounts in order to deceive victims. Victims are often asked to authorize fraudulent wire transfers, purchase gift cards, or hand over sensitive data.
BEC or CEO Fraud relies on social engineering to trick victims into giving the attackers what they want.
- Cyber criminals pretend to be the Chancellor or another high-level administrator and send an email to faculty and staff members to trick you into doing something you should not do.
- Cyber criminals search the website, LinkedIn, Facebook, Instagram, etc. to learn more about Appalachian State University employees and target specific employees.
- Targets are chosen based on the cyber criminals' goals, for example money, tax information, confidential information, etc.
- Spear Phishing is the term for a custom message targeting these select people.
- Spear Phishing is very effective because the messages are extremely realistic and appear to come from someone you know.
- These emails often create a tremendous sense of urgency, demanding you take immediate action and not tell anyone.
- The cyber criminal’s goal is to rush you into making a mistake.
Examples of Business Email Compromise
- Wire Transfer: The cyber criminal researches who works with Appalachian’s finances. An email is sent pretending to be the target's boss. The email says there is an emergency and money has to be transferred to a certain account.
- Tax Fraud: Cyber criminals target employees in Human Resources and an email is sent from a senior executive demanding certain documents be provided immediately.
- Attorney Impersonation: Criminals may impersonate a senior leader with an email saying an attorney will be contacting you. The criminal then calls pretending to be the attorney, with a tremendous sense of urgency for confidential matters.
Protecting Yourself Against Business Email Compromise
Trust Your Instincts: If it doesn’t feel right, it may be an attack.
Sense of Urgency: If the email creates a sense of urgency, this could be an indication that it is a BEC.
Check the Sender Email Address: If the email is sent from a non-@appstate.edu address, it could be a BEC.
When in doubt, call the person at a trusted phone number or meet them in person (don’t reply via email) to confirm if they sent the email.
Never bypass security policies or procedures.
If you receive such a request and are not sure what to do, contact your supervisor, the Help Desk at (828) 262-6266, or forward the email to the Office of Information Security at phish@appstate.edu.