
How to Spot and Stop Business Email Compromise (BEC) Scams

These smart, simple attacks cost Canadian businesses millions. Learn how to protect your inbox, money, and team with real-world tactics that work.

Not All Cyber Attacks Look Like Hacking

Some cyber attacks don’t need malware—they need you to trust the wrong email.

Business Email Compromise (BEC) is one of the fastest-growing scams targeting Canadian small businesses. It works because it’s smart, simple, and strikes when you're busy.

Scammers impersonate your CEO, CFO, vendors, or a member of the HR team, asking for money transfers, payroll changes, or gift cards—and they often get what they want.

If you’ve ever received a “Can you handle this quickly?” message that felt off, this guide is for you.

1. What Does a BEC Attack Look Like?

Scenario 1:
You get an email from your CEO:
“Can you process a quick transfer today for a vendor? I’m tied up in meetings—don’t call, just get it done.”

It looks legit. You act fast. The money’s gone.

Scenario 2:
A supplier emails you new banking details. You update your records. The next payment disappears.

These scams are simple and devastating.

Common BEC Scams:

  • Fake wire transfer requests from the CEO

  • Vendor “banking update” scams

  • Gift card purchase requests

  • Fake HR emails asking for payroll updates

2. How They Trick You: BEC Tactics

✅ Spoofed or Look-Alike Addresses – A forged From header, or a newly registered domain one character away from the real one (a letter swapped, added, or replaced with a digit) that passes a quick glance

✅ Stolen Inbox Access – They reply from a real account that has already been compromised (yours, a colleague’s, or a vendor’s), so the address checks out and the thread history looks genuine; attackers often add a mailbox rule that hides their replies from the account’s owner

✅ Urgency + Authority – “I need this now” or “Don't tell anyone” creates pressure

✅ Bad Timing – They send messages late Friday or during holidays when you're distracted
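The first three tactics leave traces in the message headers and text that can be checked mechanically. The script below is an added example written for this post, not a tool from the original article: it parses a raw message, flags a sender domain that imitates a trusted vendor (folding classic swaps such as rn→m and 1→l before comparing), a Reply-To that diverts replies elsewhere, and urgency-plus-secrecy wording. The trusted domain list, the phrase list and the sample message are all constructed for the demo.

```python
"""Added example: header-level BEC checks over a constructed raw message.

Flags three of the tactics described above: a look-alike sender domain,
a Reply-To that points somewhere other than the From domain, and
urgency/secrecy language in the subject or body. The trusted domains,
the raw message and the keyword list are constructed for this demo.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed allowlist: domains you actually do business with (hypothetical).
TRUSTED_DOMAINS = {"acme-supplies.ca", "northwind-inc.com"}

# Phrases that pair urgency with a request to bypass the normal checks.
PRESSURE_PHRASES = [
    "don't call", "do not call", "don't tell anyone", "keep this confidential",
    "urgent", "right away", "before end of day", "wire", "gift card",
]

# Digits commonly swapped for letters in look-alike domains, folded back.
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def normalize_domain(domain: str) -> str:
    """Lower-case, fold digit-for-letter swaps and the rn/vv tricks."""
    d = domain.lower().translate(_HOMOGLYPHS)
    return d.replace("rn", "m").replace("vv", "w")

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; short enough to inline rather than import."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain this one imitates, or None.

    An exact match is not a look-alike. Anything within two edits of a
    trusted domain after normalization is treated as an imitation.
    """
    if domain in trusted:
        return None
    nd = normalize_domain(domain)
    for t in trusted:
        nt = normalize_domain(t)
        if nd == nt or edit_distance(nd, nt) <= 2:
            return t
    return None

def domain_of(header_value: str) -> str:
    """Extract the bare domain from a From/Reply-To header value."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def analyze(raw: str) -> list:
    """Run the three header checks and return the list of flags raised."""
    msg = message_from_string(raw)
    flags = []
    from_domain = domain_of(msg.get("From", ""))
    reply_domain = domain_of(msg.get("Reply-To", ""))

    target = lookalike_of(from_domain)
    if target:
        flags.append(f"LOOKALIKE_DOMAIN: {from_domain} resembles {target}")

    if reply_domain and reply_domain != from_domain:
        flags.append(f"REPLY_TO_MISMATCH: replies go to {reply_domain}")

    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    hits = [p for p in PRESSURE_PHRASES if p in text]
    if hits:
        flags.append("PRESSURE_LANGUAGE: " + ", ".join(hits))
    return flags

# Constructed sample: a vendor "banking update" sent from a look-alike domain.
SAMPLE = """\
From: Accounts Payable <ap@acrne-supplies.ca>
Reply-To: ap.acme@mail-relay.example
Subject: URGENT: updated wire instructions
Content-Type: text/plain

Hi, please wire this week's payment to our new account before end of day.
Don't call the office, the phone lines are down.
"""

if __name__ == "__main__":
    for flag in analyze(SAMPLE):
        print(flag)
```

None of these flags proves fraud on its own, and a compromised real account (the second tactic) raises none of them, which is why the out-of-band verification in the next section remains the actual control. The checks are useful as a mail-flow or triage filter that tells you which messages deserve the phone call.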

3. How to Protect Your Business from BEC

1. Always Verify Unusual Requests (Out-of-Band)

  • Don’t trust urgent requests in email or text.

  • Call, text or message using a known contact method—not the one from the suspicious message.

  • Make it a company-wide rule: no financial or sensitive action without a second check.

2. Use a “Safe Word” for High-Risk Requests

  • Set a secret phrase for finance or payroll changes.

  • No safe word = no action.

3. Secure Your Email Domain (SPF, DKIM, DMARC)

  • Use a DNS lookup tool such as MxToolbox to see what your domain currently publishes.

  • SPF: a DNS TXT record listing which servers may send mail for your domain. End it with -all so unlisted senders fail (~all only marks them as suspicious).

  • DKIM: cryptographically signs outgoing mail so receivers can verify it came from your domain and wasn’t altered in transit

  • DMARC: tells receiving servers what to do when a message fails both SPF and DKIM alignment (p=none monitors only, p=quarantine sends it to spam, p=reject blocks it) and where to send reports (rua=) about who is sending as your domain

Bonus: These protections help your real emails avoid spam filters and improve trust with customers. One caveat: they stop others from forging your exact domain, but they do nothing against a look-alike domain or a compromised real account, which is why the verification and approval rules in this section still matter.

4. Require Dual Approval for Financial Changes

  • Two people must approve:

    • Bank account changes

    • Large payments

    • Payroll updates

Note: approval workflows in small-business accounting tools are limited. QuickBooks offers basic approval settings, while Wave requires third-party integrations. If your software can’t enforce dual approval, enforce it as a written procedure and check that it is followed.

5. Train Your Team Regularly

  • Keep it short and simple.

  • Use free tools like Google’s Phishing Quiz.

  • Normalize the habit of slowing down and asking questions.

  • Share details of active scams

6. Lock Down Your Email Accounts

  • Enable Multi-Factor Authentication (MFA)

    • Prefer a hardware key (YubiKey) or a passkey, which can’t be phished for a code; an app like Google Authenticator is the next best option

    • Avoid SMS where possible

  • Use strong, unique passwords stored in a password manager

4. BEC Isn’t Just a “Business” Problem

Freelancers and individuals are also targets:

  • “Hey, can you grab gift cards for a client?” (Not your real boss)

  • “Update your payroll account.” (Not real HR)

  • “We’ve changed our bank info.” (Fake vendor)

Protect yourself:

  • Always double-check payment or account updates with a call or direct message

  • Turn on MFA for personal email and cloud tools

  • Use a password manager to prevent password reuse

5. Improve Your Domain’s Security Reputation

Even if you don’t send mass emails, protecting your domain helps:

  • Prevents spoofing of your domain by scammers

  • Improves email deliverability—so your messages reach customers

Use a DNS lookup tool such as MxToolbox (see section 3) to confirm all three records are published and that your DMARC policy is set to quarantine or reject, not none.
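Knowing the records exist is not the same as knowing they are strong; a published SPF record ending in ~all or a DMARC record with p=none looks “configured” in a lookup tool but still lets spoofed mail through. The script below is an added example written for this post (not code from the original article or from any lookup tool) that grades SPF and DMARC TXT records for the weak settings described in section 3 and here. It serves both passages. The record strings, the domain “yourdomain.example” and the mail-provider include name are constructed placeholders; paste your own records in their place. DKIM is not graded because it is published per selector and is checked by validating a signed message, which needs a real mail sample.

```python
"""Added example: grade SPF and DMARC TXT records for spoofing resistance.

The records below are constructed strings of the kind a DNS lookup tool
such as MxToolbox shows for your domain ("yourdomain.example" is a
placeholder). DKIM is not graded: it is published per selector and
checked by validating a signed message, which needs a real mail sample.
"""
import re

# Mechanisms that cost a DNS query; receivers stop evaluating after ten.
_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def assess_spf(record: str) -> list:
    """Return findings for an SPF record; an empty list means it looks sound."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]

    # The final 'all' mechanism decides the fate of senders not listed.
    terminal = terms[-1].lower()
    if terminal in ("+all", "all"):
        findings.append("SPF: '+all' authorizes every host on the internet; use -all")
    elif terminal == "~all":
        findings.append("SPF: '~all' (softfail) only marks spoofed mail as suspicious; use -all so it fails")
    elif terminal == "?all":
        findings.append("SPF: '?all' (neutral) provides no protection; use -all")
    elif terminal != "-all":
        findings.append("SPF: no terminal 'all' mechanism, so unlisted senders are neutral")

    lookups = 0
    for term in terms[1:]:
        m = re.match(r"^[+\-~?]?([a-z]+)", term.lower())
        if m and m.group(1) in _LOOKUP_MECHANISMS:
            lookups += 1
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS lookups exceed the limit of 10; receivers treat this as a permanent error")
    return findings

def parse_dmarc_tags(record: str) -> dict:
    """Split 'v=DMARC1; p=none; rua=mailto:x' into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record: str) -> list:
    """Return findings for a DMARC record; an empty list means it looks sound."""
    findings = []
    tags = parse_dmarc_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: record does not start with v=DMARC1"]

    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered. Move to quarantine, then reject")
    elif policy == "quarantine":
        findings.append("DMARC: p=quarantine sends spoofed mail to spam; p=reject blocks it outright")
    elif policy != "reject":
        findings.append("DMARC: missing or invalid p= tag; receivers ignore the record")

    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only {pct}% of failing mail")

    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so nobody tells you who is sending as your domain")

    # Subdomains inherit p= unless sp= overrides it; an explicit weaker sp= is a gap.
    subdomain_policy = tags.get("sp", policy).lower()
    if policy == "reject" and subdomain_policy != "reject":
        findings.append(f"DMARC: sp={subdomain_policy} leaves subdomains weaker than the main domain")
    return findings

def assess_domain(spf_record: str, dmarc_record: str) -> list:
    """Combine the two assessments into one list of findings."""
    return assess_spf(spf_record) + assess_dmarc(dmarc_record)

# Constructed records: a typical "set it and forget it" configuration...
WEAK_SPF = "v=spf1 include:_spf.mailprovider.example ip4:192.0.2.10 ~all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
# ...and the hardened equivalent.
STRONG_SPF = "v=spf1 include:_spf.mailprovider.example ip4:192.0.2.10 -all"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@yourdomain.example"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("hardened", STRONG_SPF, STRONG_DMARC)):
        findings = assess_domain(spf, dmarc)
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Move from p=none to p=reject in stages: publish rua= first, read the aggregate reports for a few weeks to find every legitimate sender (payroll, CRM, invoicing tools), add them to SPF or sign them with DKIM, then tighten the policy. Jumping straight to reject with an incomplete SPF record blocks your own mail.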

6. How to Flag Phishing Emails (and Help Protect Others)

Spot a suspicious message? Reporting it helps email providers and your IT team improve defences—plus, it keeps your inbox safer in the future.

Gmail

📌 On Desktop (Web Browser):

  • Open the email

  • Click the three vertical dots next to the "Reply" arrow

  • Select “Report phishing”

📌 On Mobile (App):

  • Open the email

  • Tap the three dots

  • Select “Report spam”

(Note: Gmail mobile doesn’t have a separate phishing report option—spam is the closest equivalent.)

Outlook / Microsoft 365

📌 On Desktop or Web App:

  • Open the email

  • Click the “Report” button

  • Or go to Message > Report Message > Phishing in the ribbon

📌 On Mobile App:

  • Open the email

  • Tap the ellipsis (…) icon

  • Select the reporting option your admin has deployed: Report > Phishing for the Microsoft 365 Report Message add-in, or a third-party button labelled “Phish Alert” if your organization uses one

(Requires your admin to enable the Microsoft 365 Report Message add-in or an equivalent reporting add-in; if no report option appears, forward the message to your IT contact instead.)

7. If You’ve Been Tricked

If you’ve sent money or info to a scammer:

1️⃣ Call your bank immediately – they may be able to freeze or reverse the transaction
2️⃣ Report to the Canadian Anti-Fraud Centre:
antifraudcentre-centreantifraude.ca
3️⃣ Notify your insurer if you have cyber coverage
4️⃣ Document what happened – then update your process to prevent it next time

Final Thought: Trust, But Verify

BEC scams don’t break into your systems—they break into your trust.
All it takes is a well-timed, convincing email to cost you thousands.

But with a few habits and basic protections, your business can be a much harder target.

✅ Always verify
✅ Use MFA
✅ Train your team
✅ Protect your domain

📢 Next Week in The Click Code
We’ll walk you through a real BEC recovery scenario—what went wrong, what helped, and how they bounced back.

Subscribe to stay ahead. Stay secure. Stay smart.