Skip to main content

Business Email Compromise (BEC) scams have cost businesses worldwide more than $5 billion dollars. A highly targeted type of fraud, a BEC play is aimed at senior executives and employees who handle money and sensitive information.

It’s no real surprise that senior executives are often targets of business fraud given their authority within the companies that they work. Among small and medium-sized businesses, two of the most common types of scams are business email compromise and spear phishing. In these attacks, criminals impersonate an executive in the hopes of tricking employees into transferring money or data to a fraudulent account.

Scammers can craft convincing, credible-looking emails that don’t raise red flags for the recipient by using information openly available online such as a person’s position, their team members and even their hobbies. So when an employee receives an email asking for money be transferred to a new account, for a large payment be made to a new vendor or for access codes to be changed, the employee has little reason to question the request.

Protecting your business from these types of attacks requires education and cooperation across all levels in your organization, particularly with those who have access to money and data. In the second episode of our podcast series: Real-Life Cyber Crime Stories, RBC Director of Awareness and Education Denise Pratt sits down with Detective Alpha Chan from the Toronto Police Services Cyber Crime Unit.

Listen to the podcast for Detective Chan’s stories, warnings and prevention tactics that can help protect your business from these sneaky scams.


Detective Chan explains that scammers have become savvy and creative in their tactics to dupe employees and impersonate senior executives. But with the right preparation, information and a healthy dose of suspicion they can be stopped.

Here are four ways you and your employees can protect your business from Business Email Compromise and Spear Phishing scams.

1. Understand and/or Limit Your Online Exposure

Cyber criminals can gather robust background information on individuals using details that are publicly available online through social networks like LinkedIn and Facebook. This helps them become convincing impersonators. As Detective Chan explains, “if you’re known as a controller or a treasurer… you have to understand the exposure that you have and [recognize that] you’re a high value target to scammers.”

Understanding that many individuals likely won’t stop posting profiles and updates on social platforms anytime soon, Detective Chan simply asks for awareness. “Be aware of your exposure and take certain precautions when dealing with emails,” he advises.

2. Pay attention to details

One of the main ways fraudsters impersonate executives is by spoofing their email addresses. Unfortunately, criminals can easily create email addresses that appear to be very similar to the email of the person they are trying to impersonate. Consider an email coming from someone at – but instead of an “o” they use the symbol “0.” Paying close attention to details can end up saving your company from significant losses.

3. Don’t rush

Many fraudsters succeed at scamming an individual because they don’t give them time to think. They often send an email requesting an ‘urgent’ transfer of funds, with serious consequences should the employee not act immediately. But as Detective Chan explains, “there is really no rush. You can take a pause. If something doesn’t seem right, just take a moment and look at what you’re doing before pressing send.”

He further encourages employees to trust their instincts. If something doesn’t look right, it probably isn’t.

4. Have processes in place

Finally, the best way to guard against these types of scams is to have standardized processes in place – where even if an employee gets tricked, the business won’t suffer a loss.

This is particularly vital for busy teams and companies. “If you are fortunate to have a very busy and fruitful business, you’re going to have a lot of emails transferring money out… So all it takes is just one slip to lose money,” says Detective Chan.

Proven processes include:

  • Dual controls for payments. This process ensures that at least two people must approve a transaction before it goes through. Having two sets of eyes on a transaction increases the chances that something suspicious will be caught.
  • Face-to-face verification. In some cases, especially if your office is small, implementing a step where all fund transfers must be verified face-to-face can avoid falling victim to a scam.
  • Non-email validation. If a request for funds is made via email, validating the request by a phone call can also stop the scam from being successful.
Download our Little Book of Big Scams to learn more about the common scams that are affecting Canadian businesses – and how you can protect your customers, your employees, and the future of your company.

April 7, 2020


Twitter LinkedIn Email