Spot the Fake: BEC Verification Guide
Recognize deepfake and BEC signals, then apply simple verification
Learn to identify business email compromise scams using plain-English red flags, a two-step callback policy, and ready-to-use verification templates for your finance team.
What's Actually Happening: The Scam in Plain Terms
Business email compromise (BEC) is a type of fraud where criminals pretend to be someone you trust—usually an executive, vendor, or business partner—to trick employees into sending money or sharing sensitive information.
Traditional vs. Modern BEC
Traditional BEC relied on fake emails that mimicked a boss's writing style. Modern BEC has evolved significantly. Criminals now use artificial intelligence to clone voices and create realistic video of real people.
Someone could call you sounding exactly like your CEO, or appear on a video conference looking and speaking just like a colleague you've known for years.
How It Typically Works
Research Your Company
Criminals research your company using LinkedIn, your website, and public records
Identify Key Personnel
They identify who handles money and who gives approval
Create Fake Communications
They create fake emails, calls, or video using AI technology
Contact an Employee
They contact an employee with an urgent-sounding request
Request Money or Credentials
The request usually involves sending money or sharing login credentials
The Technology Is More Accessible Than You Think
The technology required for these attacks has become accessible and affordable. Voice cloning can work from just a few minutes of audio—easily gathered from conference presentations, podcasts, or social media videos.
6 Red Flags Anyone Can Spot
You don't need technical expertise to identify most BEC attempts. These warning signs apply whether you're receiving an email, phone call, or video conference:
Unusual Urgency
The request comes with pressure to act immediately. Phrases like "this needs to happen before end of day" or "don't wait for normal approval" should trigger extra scrutiny.
Legitimate urgent requests can wait 15 minutes for verification.
Different Communication Channel
Your CEO normally emails, but suddenly they're on WhatsApp. Or they're calling from an unknown number instead of their usual extension.
Any switch to an unexpected platform—especially for financial requests—warrants verification through established channels.
Request for Secrecy
"Keep this between us" or "don't discuss this with anyone else" are manipulation tactics.
Real business transactions don't require hiding them from your own team.
Changes to Payment Details
A vendor suddenly has new bank account information. Or a familiar contact asks you to send funds to a different account "just this once."
Changes to established payment routing are a primary indicator of fraud.
Something Feels Off
Trust your instincts. If the tone seems different, the request doesn't match normal patterns, or something simply feels wrong—pause and verify.
Your gut feeling often notices inconsistencies before you can consciously identify them.
Resistance to Verification
When you say "let me call you back to confirm," and the person discourages that or tries to keep you on the line—that's a significant red flag.
Legitimate requesters welcome verification.
Remember: When in Doubt, Verify
Any single red flag should prompt verification. Multiple red flags together are strong indicators of an attempted scam. Trust your training and your instincts—taking an extra few minutes to verify is always the right call.
The Two-Step "Call Back" Policy
This simple verification process stops most BEC attacks. Make it standard practice for any request involving money, credential sharing, or changes to vendor information.
Hang Up and Call Back
Break the attacker's control
Don't use contact information provided in the suspicious message. Instead:
Why this works: This breaks the attacker's control over the communication channel. Even sophisticated voice cloning can't intercept a call you initiate to a legitimate number.
Verify Specific Details
Confirm during your callback
During your callback, confirm:
Document the verification: Note who you spoke with, when, and what they confirmed. This creates an audit trail and reinforces good habits.
For High-Value Transactions
Define your own threshold—perhaps anything over $5,000—and apply enhanced verification:
- Require in-person or video confirmation with someone you can visually identify
- Require a second approver for the transaction
Finance Team Checklist
Print this checklist and post it where your finance team processes payments:
Before Processing Any Wire Transfer or Payment Change:
Additional Safeguards
Tip: Print this checklist and laminate it for durability. Post copies near every workstation where payment processing occurs.
Request Verification Template
Use this template when you need to verify a request. Customize it for your organization and save it where your team can access it quickly.
Subject: Verification Needed - [Brief Description of Request] Hi [Name], I received your request regarding [describe the request: wire transfer, payment change, information sharing, etc.]. Following our verification procedure, I'm confirming through this separate channel. Could you please verify: - What you're requesting: [restate the specific action] - Amount (if applicable): [state the amount] - Account/destination details: [state where payment would go] - Timeline: [when this needs to happen] Once I hear back from you through [specify: phone call to your office line, in-person, etc.], I'll proceed with processing. Thanks for understanding—these steps protect both of us. [Your Name] [Your Phone Number]
Key Elements to Include
Feel free to adapt this template. The key elements are:
Save Locally
Store this template in a shared document or email signature for quick access.
Customize Per Team
Adjust the language and fields to match your organization's terminology.
Train Everyone
Make sure all team members know where to find and how to use this template.
Building Good Habits
Technical controls matter, but human judgment is your most effective defense against these scams. A few cultural practices help:
Make verification normal
When verification is standard procedure, nobody feels awkward asking "Can I call you back to confirm?" Executives should actively support this—even when it means their own requests get verified.
Remove time pressure
If your organization's culture makes people feel they can't pause to verify, that creates vulnerability. Leadership should explicitly authorize employees to slow down for verification, even on urgent requests.
Share near-misses
When someone on your team catches an attempted scam, share what happened (without blame). These stories build awareness better than any training module.
The Human Factor Is Your Greatest Asset
Technology helps, but your team's awareness and willingness to pause and verify is what actually stops these attacks. Creating a culture where verification is expected—not questioned—turns every employee into a security checkpoint.
For Leadership
Lead by example. When your own requests get verified, respond positively. Celebrate team members who catch suspicious activity. Make security a shared responsibility, not an obstacle to productivity.
When Something Does Happen
If you suspect you've been targeted—or if a fraudulent payment has been made—act quickly:
Contact your bank immediately
Request they recall the wire transfer. Speed matters here; recovery becomes less likely as time passes.
Report to the FBI's Internet Crime Complaint Center
File a report at ic3.gov—this helps track patterns and sometimes aids recovery.
Visit ic3.govDocument everything
Save emails, note phone numbers, record times and details while fresh.
Notify your team
Others may receive similar requests; alerting them prevents additional losses.
Time Is Critical
Wire transfer recalls have the best chance of success within the first 24-72 hours. After that, recovery becomes significantly more difficult. Don't wait to investigate internally—contact your bank while you gather information.
Keep This Information Handy
Before an incident occurs, document and store in an accessible location:
- Your bank's fraud department phone number
- Key contacts at your financial institutions
- Your cyber insurance provider (if applicable)
- Internal escalation contacts
Summary
Executive impersonation scams have become more convincing with AI-generated voices and video, but the defense remains straightforward: verify requests through known channels before acting. The two-step callback policy, combined with healthy skepticism toward urgent requests, stops the vast majority of these attacks.
The criminals behind these scams rely on urgency, authority, and trust. Your counter-strategy is simple: slow down, verify independently, and follow your procedures regardless of who appears to be asking.
Key Takeaways
Related Resources
Take the Next Step
This guide focuses on practical awareness for non-technical teams. For technical implementation of email security controls, comprehensive risk assessment, and organization-wide security improvements, explore our additional resources.
This guide is designed for educational purposes. For organization-specific security policies and procedures, consult with qualified cybersecurity professionals.