Trending scam steals money — by simply asking employees for it

When people think of cybercrime, viruses, ransomware, and stolen passwords are usually top of mind.

Yet today’s hackers are increasingly taking a far less technically sophisticated approach to stealing money from university employees. They simply ask for it.

One such attack that is increasing at an alarming rate is called Business Email Compromise (BEC). Variations on BEC attacks are among the roughly 18 million suspicious emails that WSU cyber security efforts intercept and keep out of university employee inboxes each year. But some still get through.

BEC attackers look up information on the university employee they are targeting to make their requests for money more relevant and realistic to the individual. According to the FBI’s Internet Crime Center, there has been a 65% spike in reported BEC incidents in the United States since 2019, costing billions of dollars in losses. These attacks are stoppable and require a different set of defenses that one might not be familiar with. The attack typically follows a specific pattern:

1. Recon

Attackers will gather public information about an organization and/or individual from websites, social media and other sources.

  • What you should do:
    Be careful about what information you make publicly available. Scammers will “name drop” and use personal information to build leverage.

2. Build trust

The attackers will contact the target and use the gathered information to convince the target of their legitimacy.

  • What you should do:
    Do not click on anything in an unsolicited email or text message. Be wary of anything asking you to update or verify account information. Look up the company’s phone number on your own (don’t use the one a potential scammer is providing) and call the company to verify if a request is legitimate.

3. Set the trap

The attackers ask for account information to be given to them or for payment of goods and services (often with a fake invoice to support their request).

  • What you should do:
    Create a process to inspect invoices, including verifying that goods or services were both ordered and fulfilled before paying.

4. Steal the funds

After successfully rerouting payments to an account they control, the attackers move the money away from the receiving account to prevent reversal of charges or tracking of the funds.

  • What you should do:
    Be highly suspicious if the requestor is emphasizing urgency.

The threats that organizations face continue to evolve. Employees who suspect an email could be a BEC attack should report it immediately to
