The costs of compromised emails
posted on Thursday, June 12, 2025 in SHAZAM Blog
Business email compromise, also known as email account compromise, is one of the most financially damaging cybercrimes. Americans lost $2.77 billion to cybercrimes directly related to BEC, according to the 2024 Internet Crime Report released by the FBI Internet Crime Complaint Center.
Since email is a primary way of conducting both personal and professional business, it’s important to be diligent about these threats when using any email account. The good news is there are ways to protect yourself, your financial institution and your accountholders.
Business email compromise scams
BEC emails are created to look like they’re coming from a legitimate organization or person. Their goal is to have the unsuspecting recipient share sensitive personal and financial information that can be used to gain access to personal financial accounts or an organization’s network. These emails play on people’s emotions by creating a sense of urgency or by appearing to come from a trustworthy source, tricking people into giving up the information criminals want.
In addition, cybercriminals sometimes gather personal information found on social media and websites to create realistic messages with persuasive subject lines, enticing victims to open the email. Examples of subject lines to look out for include those that contain an alert, an action or a request for information, according to the Cybersecurity & Infrastructure Security Agency.
Before opening a questionable email, keep in mind cybercriminals might use one or a combination of the following methods to carry out a BEC scam.
Spear phishing
A spear phishing attack is an advanced form of phishing targeting a specific person or group within an organization. It’s often the top method cybercriminals use to conduct a BEC attack. Spear phishing usually involves an email spoofed to appear as if it was sent from a trusted sender, and it typically encourages the person to click on a link or respond to the email.
It's an effective form of phishing because it includes research on the intended target. Criminals leverage that information to increase their chances of breaching a network or for financial gain.
Email or website spoofing
Both fake emails and website spoofs are used to trick victims into sharing personal or sensitive information.
To spot a potential email spoof, look for slight variations in legitimate addresses. A common BEC tactic is to add an extra letter to a coworker’s name. Criminals use this hiding-in-plain-sight approach to trick victims into not thinking twice about sharing confidential information. Website spoofing is similar. Scammers create a fraudulent website by slightly altering the URL of a trusted company as a front to steal information.
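The "slight variation" check described above can be automated on the receiving side. The following Python is an added example, not part of the original post or any SHAZAM tooling; the contact list, the function names and the distance threshold of 2 are assumptions chosen for illustration.

```python
# Added example: flag sender addresses that are near-misses of known contacts.
# All addresses below are constructed sample data (reserved .test domains).

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_sender(sender: str, known: set[str], max_distance: int = 2):
    """Return ('trusted' | 'lookalike' | 'unknown', closest known address or None)."""
    sender = sender.strip().lower()
    known_l = {k.lower() for k in known}
    if sender in known_l:
        return "trusted", sender
    local, _, domain = sender.rpartition("@")
    best = None
    for k in sorted(known_l):
        k_local, _, k_domain = k.rpartition("@")
        # Score name and domain separately so a one-letter change in either is caught.
        d = edit_distance(local, k_local) + edit_distance(domain, k_domain)
        if d <= max_distance and (best is None or d < best[0]):
            best = (d, k)
    return ("lookalike", best[1]) if best else ("unknown", None)


KNOWN_CONTACTS = {"jane.smith@example-bank.test", "tom.lee@example-bank.test"}

if __name__ == "__main__":
    for addr in ["jane.smith@example-bank.test",
                 "jane.smiith@example-bank.test",  # extra letter in the name
                 "tom.lee@examp1e-bank.test",      # altered domain
                 "news@vendor.test"]:
        print(addr, "->", classify_sender(addr, KNOWN_CONTACTS))
```

A "lookalike" result is a reason to hold the message for review and confirm the request through a known phone number, not proof of fraud on its own.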
Malware
Protect yourself, your financial institution and your accountholders by being aware of how to spot a potential BEC phishing attack and similar social engineering scams. Here are some tips from the FBI you can share with your accountholders:
- Be careful with what information you share online or on social media. By openly sharing things like pet names, schools you attended, links to family members or your birthday, you can give a scammer all the information they need to guess your password or answer your security questions.
- Be especially wary if the requestor is pressing you to act quickly.
- Be careful what you download. Never open an email attachment from someone you don't know and be wary of email attachments forwarded to you.
Silence the scammers
One last tip: help cardholders combat fraud by reminding them not to share their account number, debit card number or Social Security number, even if they receive an email, call or text from someone claiming to be from your financial institution or SHAZAM. A trusted financial partner won’t ask for any sensitive information on an outbound contact. When in doubt, cardholders should hang up and call your financial institution or SHAZAM directly.