Exploiting trust for financial gain : an overview of business email compromise (BEC) fraud

Purpose: This paper aims to explore current knowledge of business email compromise (BEC) fraud, or approaches that specifically target organisations for financial gain, through the exploitation of trusted relationships. BEC fraud affects organisations globally and is estimated to have netted offenders over US$26bn since 2016. Despite the sheer magnitude of these losses, there is a dearth of academic research seeking to better understand this crime type, and prevent it from occurring. Design/methodology/approach: This review summarises the known literature on BEC fraud. It uses a variety of academic and industry sources to ascertain the current state of knowledge, including how it is perpetrated, its impact (on businesses and individuals), how law enforcement have responded and its prevention. Findings: This review highlights many gaps in knowledge surrounding BEC fraud. There has been a large focus on the technical aspects of BEC fraud, to the detriment of the human elements. Often, BEC fraud is successful through targeted and effective use of social engineering techniques and is able to overcome any technical solutions through the manipulation of personal relationships. Further, while the financial impacts of BEC fraud are obvious, there is no known research which has explored the non-financial harms of BEC fraud (across organisational and individual perspectives). With companies starting to (unsuccessfully) take legal action against those who have responded, there is a clear need to understand how organisations can better respond to incidents when they occur. Finally, there are gaps in knowledge on what is the best combination of both technical and human measures to prevent BEC fraud. Research limitations/implications: This review is based on information presently available, and as indicated, there are significant gaps in what is currently known. Practical implications: This review highlights the need to undertake research into the current gaps, with a view to improving best practice knowledge on prevention and response. Social implications: Currently unknown, BEC fraud is posited to have significant impacts at both personal and collective levels. Increased knowledge of these non-financial impacts will improve how organisations respond to BEC fraud and how employees can be supported before and after an incident occurs. Originality/value: Despite the magnitude of the problem, there is limited academic scholarship on BEC fraud. This literature review offers a summary of current knowledge and advocates a strong research agenda moving forward.