Think Twice Before You Pay: Spear Phishing a Growing Threat to Businesses

By: Karen N. Shapiro

Related Attorney(s): Millard S. BennettDonald N. SperlingDavid S. De JongAndrew L. SchwartzMark W. SchweighoferDarla J. McClureBeth McIntosh Irving

Media Type: Alert

Every time you thwart one prince with a large inheritance awaiting your claim, there is another one just around the corner. A new email phishing scam has emerged, and it is a lot harder to spot than the usual tricks to which we’ve become accustomed. “Business Email Compromise” (BEC) is a targeted attack on a business with the goal of initiating an unauthorized wire transfer. “Spear Phishing” is the name given to these types of attacks because of their targeted nature. A recent incident was brought to the attention of Stein Sperling’s business law department. We wanted to make sure our clients are aware of the risks and know how to protect themselves.

In a BEC scam, the perpetrators compromise a legitimate email account or create a spoofed email account that closely resembles the actual email address belonging to a business’s CEO or CFO. From that account, they are able to send messages, which look like they are from the CEO or CFO, to an employee with the ability to conduct a wire transfer. In some cases, scammers have even monitored emails from the CEO or CFO ahead of time to get a sense of their writing style and how wire transfers are typically initiated. Occasionally, they will monitor the email account, or the individual’s social media accounts, to find a time when the CEO or CFO will be out of the office, creating difficulty in verifying a request. They then request a wire transfer be sent to a foreign bank account, usually with urgency.

The FBI estimates that, in the United States alone, over 7,000 people have fallen victim to spear phishing schemes, for a total loss of over $700 million. BEC scams continue to grow and evolve, with a 270% increase in identified victims since January 2015. Victims range from small to large businesses in a variety of industries. 

What steps can you take to safeguard your business from these types of attacks? 

  • Use a reputable spam filtering service that provides real-time definitions of ongoing spam campaigns and quarantines emails that match spam campaign definitions or contain links to websites that are known to be harmful.
  • Avoid using a free web-based email for your company. Instead, establish a company website domain and use it to set up company email accounts.
  • Educate employees on spotting and deleting spam emails to prevent “malware” (computer contaminants).
  • Consider establishing an organizational best practice of forwarding emails and selecting recipients from one’s own address book rather than simply replying to emails.
  • Establish other communication channels, such as telephone calls, to verify significant transactions that meet specific characteristics you determine. For example: 
    • Transfers over a specific dollar threshold;
    • A new wire payment recipient;
    • Wire transfers to countries outside of the usual business network; or
    • A new account number for an existing account
  • Limit the number of employees who have the authority to approve and/or conduct wire transfers.
  • Beware of changes in business practices (e.g., if a current business contact asks you to use their personal email address). Always verify via other channels that you are still communicating with your legitimate business contact.
  • Be suspicious of any request for secrecy or any unusual sense of urgency in a transfer request.
  • Be cautious about information posted on personal social media accounts and company websites including job duties, hierarchical information and out-of-office details.

If you are a victim of a BEC attack, act quickly:

  • Contact your financial institution immediately upon discovering the fraudulent transfer;
  • Request that your financial institution contact the corresponding financial institution where the transfer was sent; and
  • Contact your local FBI office. For the Washington, D.C., area, including Northern Virginia and Maryland, visit or call 202-278-2000.

Should you have any questions about BEC scams, please contact a member of our business law department at 301-340-2020.

See All Media

Resource Center

Sperm Donor Agreements: Why You Need One Even When Using…

The purpose of a donor agreement is to clearly establish that donor is not the child's legal parent.

Read more - Sperm Donor Agreements: Why You Need One Even When Using…
Estate Planning FAQs: Maryland Probate

Letters of Administration? "Interested Persons"? Accounts? Learn about the Maryland Probate Process.

Read more - Estate Planning FAQs: Maryland Probate
Wage Laws in Maryland, D.C. and Virginia: Common Issues

Missteps, such as misclassification of employees and paying workers "salary," can lead to claims.

Read more - Wage Laws in Maryland, D.C. and Virginia: Common Issues
FAQs about Wage Laws in Maryland, D.C. and Virginia

The laws are complex and provide for significant penalties for any violations.

Read more - FAQs about Wage Laws in Maryland, D.C. and Virginia