BEC Scam Explained: How Scammers Can Get Your Info and What To Do About It

May 23, 2025 • 10 Min Read

As payment scams are becoming more sophisticated, targeted, and costly, cases of business email compromise (BEC) scams are surging.

According to the FBI’s Internet Crime Complaint Center (IC3), there were 21,489 complaints of BEC scams in 2023, resulting in over $2.9 billion in losses[1]. What’s particularly alarming is that these scams don’t rely on malware or technical vulnerabilities—instead, they exploit your trust.

To help you avoid becoming a victim, this guide will explain what a BEC scam is, how it works, and how to recognize the red flags before it’s too late. We’ll walk you through real-world examples, the different types of BEC attacks, and ways to protect yourself.

We’ll also explore how virtual cards can add an extra layer of security by keeping your real payment details out of reach from scammers.

What Is a BEC Scam?

A BEC scam is a form of email fraud where cybercriminals spoof a legitimate business email and pose as a trusted colleague or executive of the organization to trick its employees or clients into sending money or sharing sensitive information.

What sets BEC scams apart from other payment scams is their personalization. These messages are tailored to mimic real communication, often referencing legitimate transactions, familiar names, or recent events.

Real-World Examples of BEC Scams

To understand how BEC scams affect consumers, let’s look at a few real examples that have occurred in recent years:

  • Microsoft BEC scam—Between October 2022 and July 2023, cybercriminals used a tool called the W3LL phishing kit to target over 56,000 Microsoft 365 business accounts[2]. Victims received convincing emails that led to fake login pages, allowing attackers to steal credentials and even bypass multi-factor authentication (MFA).
  • The gift-card scheme—Not all BEC scams involve wire transfers; some target victims through gift card requests. In one case, attackers impersonated company executives using lookalike email addresses and asked employees to urgently buy gift cards[3] for “client events.” Believing the requests were real, several organizations lost thousands of dollars to the scam.
  • The homebuyer’s nightmare—A California couple was ready to close on a new home when they received an email with wire instructions from “their escrow company[4].” The message looked legitimate, referencing the correct names and addresses and describing a familiar process. The buyers wired their $160,000 down payment as instructed, only to discover that the email was fraudulent and their money was gone.

Common BEC Scam Types

Most types of BEC scams follow similar patterns:

| Type of Scam | Description |
| --- | --- |
| Fake invoice scam | Attackers pose as known vendors and send fake invoices that appear legitimate. These scams often involve intercepting real invoices and changing the payment details. |
| CEO fraud | Scammers impersonate a high-level executive—often the CEO—and pressure employees to wire funds or buy gift cards under urgent or confidential pretenses. |
| Attorney impersonation | Scammers pose as lawyers to add credibility and urgency to payment or data requests. People are less likely to question legal figures, especially if the message stresses confidentiality. |
| Data theft | Rather than money, attackers seek sensitive personal data they can exploit, especially from HR and payroll departments. |

How Does a BEC Scam Work?

Once a scammer chooses their target, a BEC scam typically unfolds in a few calculated steps:

  1. Preparation—The attacker gathers information about you or your contacts, often from public sources like LinkedIn, company websites, or social media. They look for names, roles, ongoing transactions, and patterns in communication to make the scam more convincing.
  2. Setup—Using the details they've collected, the scammer either hacks into a legitimate email account (through phishing or credential theft) or spoofs an address to closely resemble a trusted contact.
  3. Execution—The scammer sends a carefully timed and worded email, often involving payment, account access, or gift card requests. It might reference real names or schedules to blend in with your normal workflow.
  4. Outcome—If you end up completing the request and wiring money, sharing sensitive data, or sending gift cards, the scam succeeds.

Common Traits of a BEC Scam

While BEC scams can be sophisticated and hard to spot, they often leave subtle clues behind. You can identify the scam and react to it before it harms you by looking out for these warning signs:

  1. Unusual sender details
  2. Requests for personal or financial details via email
  3. Pressure to act quickly or secretly 
  4. Questionable choice of payment method
  5. Poor grammar or odd language

Unusual Sender Details

Review the sender’s email address and verify if it’s the same one you usually use to communicate with the sender. 

Scammers often create fake addresses that are off by a letter or use a different domain that looks legitimate (like @mail.paypal.com instead of @paypal.com).

Also, if the sender claims they’re representing a business, remember that official communications won’t come from free Gmail/Yahoo accounts. For example, an email from “Microsoft Billing” using a Gmail address instead of a branded one is definitely fake.

Requests for Personal or Financial Details via Email

Some BEC scam emails will likely ask you to provide sensitive data (like passwords, Social Security numbers, or credit card numbers). In reality, reputable companies will never ask you to share personal or financial information via email. 

The FBI also specifically warns about some BEC scam emails that contain phishing links or suspicious attachments[5]. These are designed to install malware on your device once you click on them in the belief that they come from a trusted source.

Pressure To Act Quickly or Secretly

Phrases like “URGENT – Action Required” or “Payment needed within 1 hour” are designed to cloud your judgment and push you to act quickly. Similarly, if the sender urges you not to share the message with anyone or claims the matter can only be handled via email, it’s likely a ploy.

Questionable Choice of Payment Method

Scammers prefer fast and irreversible payments. If an email supposedly from a known party suddenly asks you to wire money to a new account, pay via cryptocurrency, or send gift card codes, it should immediately raise a red flag.

In some cases, the emails may feature an excuse like “Our normal payment system is down, please wire to this account instead.” This is another common sign of payment fraud.

Poor Grammar or Odd Language

Although many scam emails can be polished and grammatically correct, strange phrasing, misspellings of names or companies, or awkward language are usually warning signs. 

For example, an email claiming to be from your colleague “John” but referring to you in an overly formal way could indicate that John isn’t the actual sender.
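
The sender, urgency, and payment-method warning signs above can be turned into a simple automated check. The following is an added example, not code from this article or from Privacy: the function names, flag labels, word lists, and the caller-supplied set of "usual" domains are all assumptions, and the sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

FREE_MAIL = {"gmail.com", "yahoo.com"}  # free providers the article names
URGENCY = re.compile(r"urgent|action required|within \d+ hours?", re.I)
RISKY_PAY = re.compile(r"gift cards?|\bwire\b|cryptocurrency", re.I)

def edit_distance(a, b):
    """Levenshtein distance, to catch domains that are off by a letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_red_flags(raw, usual_domains):
    """Warning signs in one single-part message; usual_domains = your normal contacts."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    flags = []
    if domain not in usual_domains:
        # Near miss of a usual domain, or a longer host that merely ends with it.
        if any(edit_distance(domain, d) <= 2 or domain.endswith("." + d)
               for d in usual_domains):
            flags.append("lookalike-domain")
        # Business display name ("Microsoft Billing") on a free mailbox.
        brands = {d.split(".")[0] for d in usual_domains}
        if domain in FREE_MAIL and any(b in name.lower() for b in brands):
            flags.append("brand-on-free-mail")
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    if URGENCY.search(text):
        flags.append("urgency")
    if RISKY_PAY.search(text):
        flags.append("risky-payment-method")
    return flags

# Constructed sample messages (not real mail).
SPOOFED = ('From: "Microsoft Billing" <billing.dept@gmail.com>\n'
           "Subject: URGENT - Action Required\n\n"
           "Payment needed within 1 hour. Reply with gift card codes.\n")
TYPO = "From: PayPal <service@paypa1.com>\nSubject: Receipt\n\nSee attached.\n"
USUAL = {"microsoft.com", "paypal.com"}

if __name__ == "__main__":
    for sample in (SPOOFED, TYPO):
        print(bec_red_flags(sample, USUAL))
```

A flag means "verify through another channel before acting," not proof of fraud; a message sent from a genuinely compromised account will pass the sender checks.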

How BEC Scams Impact Consumers

Once a BEC scam succeeds, the fallout can be immediate and deeply personal. Here are some potential implications:

  • Severe financial losses—You may lose thousands of dollars or even your life savings, especially in high-stakes situations like real estate transactions.
  • Emotional distress—Falling prey to a scam can often evoke shock, embarrassment, and guilt, as it may lead to losing trust in your own judgment.
  • Increased risk of identity theft—If scammers gain access to documents or accounts, they may use your information to open new lines of credit or commit further fraud in your name.
  • Long-term credit damage—Identity theft or unauthorized use of your financial information can harm your credit score and take months (or years) to fully resolve.

How To Protect Yourself From Falling Victim to a BEC Scam

While BEC scams can be deeply damaging, there are steps you can take to reduce your exposure to this type of fraud and react to it quickly:

  1. Always verify a strange request
  2. Secure your email accounts
  3. Limit the information you share online
  4. Use safer payment methods

Always Verify a Strange Request

Before completing a request you receive in an unsolicited email, always double-check its validity with the person it’s supposedly from. 

For instance, if you receive an email from your colleague asking for a quick loan, talk to them personally and verify if the email was actually from them. Similarly, if your bank emails you saying you need to transfer funds to a “safe account” due to fraud, call the number on your bank statement for verification.

Secure Your Email Accounts

Use strong, unique passwords and enable two-factor authentication (2FA) on your email and any other account that offers this kind of protection. This stops scammers from getting in, even if they somehow obtain your password. Also, keep your devices and antivirus software updated to guard against malware that could steal account information.

Limit the Information You Share Online

Be mindful of what you post publicly on social media or other online platforms. BEC scammers often use these channels to gather personal details that will make their impersonation more convincing.

For example, if you announce on Facebook that you’re about to close on a house, a scammer could target you or your realtor with a fake email at the critical moment. Still, it’s not about living in fear—just use privacy settings and think twice about broadcasting sensitive milestones (like big purchases or important business deals).

Use Safer Payment Methods

In case a BEC scam succeeds and someone gets access to your financial details, using safer payment methods can help limit the fallout and reduce the risk of lasting damage. 

Whenever possible, choose payment methods that come with built-in fraud protection. Credit cards are typically safer than wire transfers, as they allow you to dispute unauthorized charges and limit your liability. Under the Fair Credit Billing Act (FCBA), you're usually responsible for no more than $50 in fraudulent credit card charges[6] (and many card issuers waive even that). 

Even better, think about using a virtual card for online payments. Virtual cards come with temporary or single-use card numbers that forward charges to your actual account while shielding your real card information. This adds an extra layer of defense—if a virtual card number gets stolen or misused, you can simply deactivate it and make it useless for further charges.

While some banks offer basic virtual card features, a dedicated virtual card provider like Privacy offers greater flexibility, advanced controls, and a more seamless online payment experience.

Avoid Exposing Your Card Details With Privacy Virtual Cards

Privacy allows you to create unique 16-digit virtual card numbers with a randomly generated CVV and expiration date. These virtual cards are linked to your bank account or debit card and can be used with most merchants that accept Visa® and Mastercard®.

For secure online transactions, Privacy offers three types of virtual cards, each with different features and levels of control:

| Card Type | Benefit | Best For |
| --- | --- | --- |
| Single-Use Cards | These cards automatically close shortly after completing the first payment, which makes them useless if stolen. | They can be used for one-time purchases or shopping on unfamiliar websites. |
| Merchant-Locked Cards | These cards “lock” to the first merchant they’re used with, and if stolen, they won’t work elsewhere. | They’re ideal for recurring payments like subscriptions. |
| Category-Locked Cards | These “tie” to a specific merchant category (such as groceries or entertainment), and if used outside the specified category, Privacy declines the charges. | They help with budgeting or managing expenses. |

If you think your information has been compromised, you can pause or close your Privacy Cards anytime to block unwanted charges. You also have the option to set spending limits, helping you keep any unauthorized charges under a defined amount in case your card details fall into the wrong hands.

Additional Features of Privacy

In addition to robust card controls and fraud protection, Privacy offers thoughtful features designed to make your online payment experience more seamless and flexible:

  • Browser extension—Generate and autofill virtual cards directly from your browser for faster, smoother checkouts. Available on Chrome, Edge, Firefox, Safari, and Safari for iOS.
  • Mobile app—Manage your Privacy Cards on the go. With the Privacy App (Android or iOS), you can create new cards, adjust limits, and monitor transactions from your smartphone.
  • 1Password integration—Easily store and autofill your Privacy Card details using the 1Password browser extension without having to memorize or manually enter card info.
  • Shared Cards—Share Privacy Cards securely with trusted family or friends for shared spending without exposing your actual card details.
  • Card Notes—Add notes to your cards to stay organized, whether it's labeling a card with a merchant name or tracking subscription renewal dates.

Get Started With Privacy

Privacy Cards are available to U.S. residents who are 18 or older and have a checking account with a U.S. bank or credit union. Getting started is simple—just follow these steps:

  1. Visit the signup page
  2. Enter your KYC details to verify your identity
  3. Link a funding source, such as a debit card or bank account
  4. Generate your first Privacy Virtual Card

Privacy offers four monthly plans, as outlined in the table below:

| Plan | Cost (per Month) | Number of Virtual Cards (per Month) | Features |
| --- | --- | --- | --- |
| Personal | Free for domestic transactions | 12 | Ability to create Single-Use & Merchant-Locked Cards; all card spending controls; access to the Privacy app and Privacy Browser Extension |
| Plus | $5 | 24 | All Personal plan benefits; priority support and Live Chat (Mon–Fri, 9 a.m.–5 p.m. ET); option to create Category-Locked Cards; Shared Cards; Card Notes |
| Pro | $10 | 36 | All Plus plan benefits; 1% cashback on eligible purchases (up to $4,500 per month); no foreign transaction fees |
| Premium | $25 | 60 | Everything in Pro |

References

[1] FBI Internet Crime Report. https://www.ic3.gov/AnnualReport/Reports/2023_IC3Report.pdf, sourced April 10, 2025
[2] Cybersecurity Dive. https://www.cybersecuritydive.com/news/bec-phishing-kit-microsoft-365-business/692988, sourced April 10, 2025
[3] Microsoft. https://www.microsoft.com/en-us/security/blog/2021/05/06/business-email-compromise-campaign-targets-wide-range-of-orgs-with-gift-card-scam/, sourced April 10, 2025
[4] NBC San Diego. https://www.nbcsandiego.com/news/investigations/national-investigations/down-payment-scam-real-estate-escrow-home-buying-scams/3442105, sourced April 10, 2025
[5] Federal Bureau of Investigation. https://www.fbi.gov/how-we-can-help-you/scams-and-safety/common-frauds-and-scams/business-email-compromise, sourced April 10, 2025
[6] Federal Trade Commission. https://consumer.ftc.gov/articles/using-credit-cards-and-disputing-charges, sourced April 10, 2025
