BEC scam: A daylight robbery can start with an “official” email
Article by Sandra Horma, Head of the Fraud Prevention Committee of the Estonian Banking Association
The disappearance of nearly €700,000 from the accounts of the Estonian Artists’ Association came as a shock to the public. Not only because of the amount involved, but also because of how human the entire scheme was from the very beginning. The criminals did not force their way into a safe or breach the bank’s security systems. They made a phone call, spoke convincing Estonian, first posing as representatives of a trusted public institution and later as bank employees. They persuaded the organisation’s chief accountant that by acting quickly, she was helping to prevent an even greater loss. In the process, she lost not only the organisation’s funds but also her own personal savings.
While the details of this case are extraordinary, the underlying logic is not. We are no longer dealing primarily with fraudsters who are highly skilled hackers, but with criminals who are expert manipulators. They exploit urgency, trust, goodwill, and the fear of making a mistake. The same pattern repeats itself every day among both individuals and organisations. The police receive 50–60 reports daily of attempts by scammers to manipulate people into falling victim to fraud. On average, around ten individuals or businesses lose money every day. In the first four months of this year alone, 1,100 cases of organised fraud have been registered in Estonia, causing total losses of approximately €8 million.
One of the most common fraud schemes targeting businesses is Business Email Compromise (BEC). Simply put, this occurs when fraudsters create seemingly professional email correspondence, manipulating the recipient while impersonating a company executive, employee, or business partner. Their goal is to persuade someone to transfer money to a fraudulent bank account.
Recently, an Estonian company lost nearly €1.6 million as a result of a BEC scheme. The company received what appeared to be an email from one of its business partners, requesting that future invoices be paid to a new bank account. The message looked as though it had been sent by legitimate representatives of the partner organisation, but in reality it originated from a fraudulent account. Although the company had implemented the four-eyes principle, this was not enough to prevent the fraud.
Court practice shows that responsibility in such situations does not necessarily rest solely with the person who executed the transfer. In one recent case, a non-profit organisation filed a claim against one of its employees. The organisation’s accountant had made three transfers based on fraudulent emails, resulting in losses amounting to tens of thousands of euros. Although part of the funds was later recovered, the organisation brought legal action against the accountant. The court found that the accountant had indeed breached her duties, but ultimately divided liability equally between the accountant and the organisation. In reducing the compensation amount, the court took into account, among other factors, that the organisation had failed to implement appropriate IT security measures, had not provided cybersecurity training, and had not sufficiently warned the employee about the risks of phishing emails. This serves as an important lesson for every organisation: if employees are expected to recognise fraud attempts, they must also be provided with the tools, training, and clear procedures necessary to act appropriately in critical situations.
Fraud that does not look like fraud
The danger of business email compromise lies in its remarkable authenticity. The email does not promise lottery winnings, ask for passwords in broken language, or necessarily contain suspicious links. On the contrary, it can be virtually indistinguishable from the routine communications that employees receive and trust every day.
“Please use our new bank account for future payments.”
“This invoice must be paid today.”
“A board decision requires an urgent transfer.”
These are the kinds of messages that form part of the daily workflow in many organisations, and that is precisely what makes the scheme so dangerous. In such situations, it is difficult to attribute the problem simply to negligence. More often, people are acting in a very human way, relying on routine and established habits.
Although the Artists’ Association case followed a somewhat different pattern, the lesson remains the same. The scheme was not centred around a single fraudulent invoice, but rather a multi-stage process of psychological manipulation. The fraudsters began with a phone call allegedly from Omniva, Estonia’s postal service, followed by calls from individuals claiming to represent the “Bank of Estonia” and the police. The accountant was convinced that she was participating in a confidential operation to protect the organisation’s funds. As a result, she installed remote-access software on her computer and authorised transactions using her PIN codes. Ultimately, the organisation’s money was transferred to foreign bank accounts.
Criminals have become so professional that they can persuade even highly experienced individuals to act in ways that, in hindsight, seem illogical. They know how to choose the right moment and the right target, and they know exactly which psychological triggers to use. For some people, fear is the strongest motivator; for others, it is a sense of duty, a desire not to disappoint a superior or business partner, or the belief that they are doing something necessary and responsible.
Cyber risk ≠ IT department
For businesses and organisations, this means that cybersecurity cannot be viewed solely as the responsibility of the IT department. Business email compromise does not care whether an organisation has a firewall, antivirus software, or a sophisticated password policy. Once an invoice reaches a person who has the authority to move money, the most important factors become the organisation’s internal controls and decision-making processes.
Can a large payment be made by a single individual? Is any change to a bank account always verified through a separate communication channel? Does an employee feel empowered to say, “I need to verify this first,” even if the request appears urgent and seems to come from a manager or an important business partner? Is everyone in the organisation aware that the police, banks, and public authorities will never ask for PIN codes, bank cards, remote access to a computer, or request that someone keep information hidden from their employer?
Statistics and real-world experience show that these questions should not be taken for granted. Instead, every organisation and company should actively discuss and prepare for such scenarios.
How to protect yourself
Poorly written language or a suspicious email address are no longer the primary warning signs. These are typically characteristics of low-quality scams, whereas modern fraud schemes are far more convincing. Any email or phone call should raise suspicion if it requests a change of bank account details, asks for an unusually large payment, instructs someone to keep a transaction confidential, or creates pressure to act immediately to avoid negative consequences.
Similarly, alarm bells should ring if someone claiming to represent a bank, the police, or a business partner asks for PIN codes, bank card information, or requests that remote-access software be installed on a computer.
The simplest form of protection is verification. Never respond directly to the same email. Instead, call the business partner or manager using a previously known phone number. Another option is to verify the request using the organisation’s official contact information published on its website. If a business partner provides new bank account details, these must always be confirmed through a separate communication channel rather than by replying to the same email. If a manager requests an urgent payment, verify the request directly with the manager. If someone claims to represent a bank or the police, end the call and contact the institution through its official phone number to verify whether the previous call was genuine.
Six simple rules
1. Always verify changes to bank account details
If someone sends an email informing you of a new bank account number, do not automatically start using it. Verify the change by calling a previously known phone number or through another communication channel that has been agreed upon in advance. Do not use a new phone number provided in the email, click any links contained in the message, or reply directly to that email.
2. Enable multi-factor authentication
Although it may seem like an inconvenient extra step, multi-factor authentication can prevent significant damage. If an email account is protected only by a password, the risk is substantially higher. This is particularly important for employees who handle invoices, payments, or contracts.
3. Large payments should never be approved by one person alone
The so-called four-eyes principle should not mean that one person simply observes passively. Both parties must genuinely understand who the payment is being made to, what it is for, and whether the account details match previously verified information.
4. Slow down urgent payment requests
Fraudsters frequently rely on pressure tactics. An invoice is allegedly about to become overdue, a manager is “in a meeting” and asks for immediate action, or a business partner claims that work will be delayed unless payment is made right away. Whenever a request seems unusually urgent, take extra care to verify that the situation is legitimate.
5. Not everyone needs access to everything
Access to bank accounts and sensitive documents should be limited to those who genuinely require it. Organisations should periodically review user access rights, particularly when employees change roles or leave the organisation.
6. Act immediately if something goes wrong
If there is any suspicion that money has been transferred to the wrong account or that fraud may have occurred, do not wait and hope for the best. The first call should be made to the bank using its official phone number, followed by a report to the police. Legitimate institutions always understand and encourage people to verify requests through independent sources. Prompt reporting through official channels may help reduce the damage.
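Rules 1, 3 and 4 can be encoded as a payment-release check in a finance system: a beneficiary account must match the vendor master or carry an out-of-band verification record, large amounts need two distinct approvers, and pressure or secrecy wording puts the payment on hold. The code below is an added illustration, not from the Banking Association or any bank; the vendor master entries, the IBAN strings, the approval threshold and the phrase list are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Constructed vendor master file: beneficiary accounts that were confirmed
# by calling the partner on a previously known number (rule 1). Sample values only.
VERIFIED_ACCOUNTS = {
    "Partner OÜ": {"EE-SAMPLE-0001"},
}
DUAL_APPROVAL_THRESHOLD = 10_000  # assumed policy value in euros (rule 3)

# Wording that BEC messages lean on (rule 4); assumed list, extend per organisation.
PRESSURE_PHRASES = ("today", "urgent", "immediately", "confidential", "do not tell")


@dataclass
class PaymentRequest:
    vendor: str
    iban: str
    amount: float
    message: str                      # text of the email or invoice note
    approvers: list[str] = field(default_factory=list)
    callback_verified_by: str | None = None  # who confirmed a new IBAN by phone


def release_checks(req: PaymentRequest) -> list[str]:
    """Return the reasons the payment must be held; an empty list means release."""
    holds = []
    known = VERIFIED_ACCOUNTS.get(req.vendor, set())

    # Rule 1: a beneficiary account not in the vendor master is used only after
    # an independent callback, never because the email says so.
    if req.iban not in known and req.callback_verified_by is None:
        holds.append("beneficiary account not in vendor master and not verified out-of-band")

    # Rule 3: four eyes means two different people, not one person twice.
    if req.amount >= DUAL_APPROVAL_THRESHOLD and len(set(req.approvers)) < 2:
        holds.append("amount requires two distinct approvers")

    # Rule 4: urgency or secrecy language is a reason to slow down, not speed up.
    text = req.message.lower()
    if any(phrase in text for phrase in PRESSURE_PHRASES):
        holds.append("request uses pressure or secrecy wording; confirm by phone first")

    return holds
```

The hold reasons are meant to be shown to the approver and logged, so the decision to override is explicit and attributable rather than a silent click.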
The Artists’ Association case is a painful reminder of how quickly losses can occur and how difficult, or even impossible, it can be to recover the money afterwards. It serves as a warning to everyone who has access to company funds, invoices, and payment approvals. Every organisation should ask itself one critical question: do we have a system that can withstand the pressure if a key decision-maker becomes the target of manipulation?
Sandra Horma
Estonian Banking Association
Maakri 30, 10145 Tallinn