Avoid Being Hooked by a Phishing Attack

posted on Friday, March 24, 2023 in SHAZAM Blog

By now, most of us know that a phishing attempt can come in the form of an email, text, direct social media message or even a phone call. But according to the FBI, business email compromise (BEC), also known as email account compromise, is one of the most financially damaging cybercrimes. 

Because email is a primary way of conducting both personal and professional business, it’s important to be diligent about phishing threats when using any email account. The good news is there are ways to block the bait and protect yourself, your financial institution, and your accountholders. 

Business Email Compromise Scams

BEC phishing emails are created to look like they’re coming from a legitimate organization, trustworthy coworker or acquaintance to trick someone into sharing sensitive personal and financial information that can be used to gain access to personal financial accounts or an organization’s network.  

In addition, cybercriminals sometimes gather personal information found on social media and websites to create realistic messages with persuasive subject lines, enticing victims to open the email. Examples of subject lines to look out for include those that contain an alert, an action or a request for information, according to the Cybersecurity & Infrastructure Security Agency

Before opening a questionable email, keep in mind cybercriminals might use one or a combination of the following methods to carry out a BEC scam: 


A spearphishing attack is an advanced form of phishing that targets a specific person or group within an organization. Spearphishing is an effective form of phishing because it includes research on the intended target and then uses that information to breach a network or for financial gain.

It usually involves email spoofing to appear as if the email was sent from a trusted sender, and then encourages the victim to click a link or respond to an email. Spearphishing is often the top method cybercriminals use to conduct a BEC attack.

Fake Email or Website Spoof

Both fake emails and website spoofs are used to trick victims into sharing personal or sensitive information. 

To spot a potential email spoof, look for slight variations in legitimate addresses. For example, adding an extra letter to a coworker’s name might be easy to miss. This is a common BEC tactic used to trick victims into not thinking twice about sharing confidential information. Website spoofing is similar. Scammers create a fraudulent website that mimics a trusted company and uses it to steal information. 


Malware is often spread by opening an email attachment or clicking on a link within an email. Once the malware infects a computer, criminals can steal a victim’s data, including passwords and financial account information. 

Malicious software can also infiltrate company networks, allowing cybercriminals access to legitimate email accounts, passwords and more.

Awareness is Key

Protect yourself, your financial institution and your accountholders by being aware of how to spot a potential BEC phishing attack and similar social engineering scams. Please read our blog on social engineering to learn more. 


Federal Bureau of Investigation
Cybersecurity & Infrastructure Security Agency

SHAZAM, Inc. and ITS, Inc. provide this blog for general informational purposes only. Our blog may be shared by a direct link wherein the content remains as originally presented and has not been altered. SHAZAM, Inc. and ITS, Inc. assume no responsibility for errors or omissions in the contents on the blog. By using this blog, reader agrees that the information published does not constitute nor is a substitute for legal advice which should only be sought from a qualified, licensed attorney. 


comments powered by Disqus