Business Email Compromise (BEC) Scams: COVID-19 Related Email Attacks Top Threat to Financial Services

4 min readMay 6, 2020

Editor’s Note: This blog post was originally found on the Agari Email Security Blog.

By Armen Najarian

With billions of dollars in stimulus being earmarked for US companies and individuals reeling from the economic fallout of the coronavirus pandemic, business email compromise (BEC) rings are angling for a piece of the pie.

At the top of the menu: banks, lenders, and other financial services organizations chartered with managing key facets of this unprecedented distribution effort.

But for an industry long in the crosshairs of cybercriminal organizations, this is in many ways business as usual. It’s the stakes that just got higher, at the exact moment when many organizations may find it harder to fend off attacks.

Over the last few weeks, the FBI, Europol, and other law enforcement organizations around the world have been sounding the alarm over a troubling rise in successful COVID-19 related phishing attacks and BEC scams targeting financial institutions and their customers.

But while the lure used in these advanced email schemes may be new and especially potent, the pattern is one that’s becoming all too familiar — and grows more costly by the day.

BEC: A ‘Once-in-a-Lifetime’ Opportunity

According to the FBI, one US-based bank recently received an email from fraudsters posing as the firm’s CEO, asking to expedite a previously-scheduled transfer of $1 million.

The message included a request to have payment details for the receiving bank account changed “due to the coronavirus outbreak and quarantine processes and precautions.”

Another financial institution lost a “significant” amount of money after receiving an email from a “supplier” requesting that payments on all invoices be redirected to a different account because their current financial institution was going through “coronavirus audits.”

Financial services employees have also been receiving phishing emails with variants of the subject line, “Internal guidance for business grants and loans in response to COVID-19.” Purporting to have come from a “senior executive,” these emails include embedded links pointing to a bogus Office 365 login page.

According CISO Magazine, one especially despicable scam involves a fraudulent email advisory from “healthcare authorities” informing recipients that they’ve been in contact with someone who’s infected.

The efficacy of this kind of social engineering is jaw dropping. According to Forbes, clickthrough rates for phishing emails have soared from less than 5% to over 40% for coronavirus scams.

Factor in more than $2 trillion in federal relief funds winding through the financial system, including risk-free loans managed by banks and other financial institutions, and you’ve got what one Secret Service agency calls, “a once-in-a-lifetime, target-rich environment for fraudsters.”

Phishing for Serious Bank

Email crime groups have also had plenty of practice, too. Over the last four years, they’ve used BEC scams to swipe more than $700 million per month from businesses worldwide.

According to a new survey from the Association of Financial Professionals, more than 81% of firms say they were impacted by BEC attacks in 2019, making BEC the top fraud threat financial professionals face today.

Direct financial spoils aren’t always the only objective, either. Some phishing expeditions are aimed at harvesting login credentials so fraudsters can pirate the recipient’s corporate email account.

From there, they effectively have an all-access pass to move laterally throughout the organization, hijacking one account after another in order to mine email conversations for intel that can be used in future scams — or worse.

According to PwC’s “Financial Services Technology 2020” report, organizations in the sector are rapidly flocking to cloud-connected services for core banking operations, as well as to store, manage, and analyze sizeable data assets.

Once fraudsters use compromised email accounts to gain access to these kinds of cloud service accounts, they’re free to seed them with ransomware or Remote Access Trojans (RATs).

They can also deploy emerging forms of “adversarial AI” designed to poison the data used for processing deposits, loans, and credit scoring, or hijack automated email responses to spit out sensitive data such as bank account information or credit card numbers.

But what can organizations do to protect themselves?

Flattening the Fraud Curve

In response to the growing threat from coronavirus-related fraud, the FBI is advising financial services organizations to train employees to be vigilant against email scams.

Among the red flags to look out for: last-minute changes in wire instructions or email account addresses, unexplained urgency, or a refusal to continue the conversation by telephone or online video conferencing.

The FBI also recommends the use of multifactor authentication and prohibiting automatic forwarding to external addresses and any legacy protocols for making email settings changes.

But beyond the need for phishing simulation training and beefed up email safeguards, the alarming rise in successful attacks underscores the importance of identity-based defenses that block the vast majority of email scams from ever reaching employees in the first place.

Within cloud-based environments, continuous monitoring and response technologies that recognize and automatically remove malicious emails that do manage to reach employee inboxes are also key.

By taking this kind of multilayered approach to email security, financial services organizations can put COVID-19 inspired BEC scams and phishing attacks on lockdown.

As it stands now, trillions may be riding on it.

To learn more about BEC scams, phishing attacks and other advanced email threats, read the Q1 2020 Identity Deception and Email Fraud Trends Report from Agari.




Agari is the Trusted Email Identity Company™, protecting companies and people from phishing and socially-engineered email attacks.