“It Looked Official” (That’s the Scam)

Last updated: May 25, 2026

Business Email Compromise (BEC) is one of the most damaging online crimes—not because of complex technology, but because it relies on people. These scams are built on social engineering: the careful manipulation of trust, routine, and urgency to get someone to reveal information or make a mistake.

For faculty and staff at a large university, BEC attacks are especially dangerous because they are designed to blend seamlessly into normal, everyday communication. Messages often look like they come from someone you know. They sound routine. They ask for quick help. And that’s exactly what attackers count on: our instinct to trust and respond.

Understanding how these scams work is one of the most effective ways to protect yourself and help safeguard the UBC community.

How Attackers Make Messages Look “Official”

Cybercriminals attempting BEC scams focus on impersonating trusted people and systems so they can steal money or gain access to confidential information. They rely on familiarity, plausible details, and urgency to bypass your usual caution. Here are the most common tactics.

The Executive Emergency

A common BEC tactic involves pretending to be an executive—your boss, a department head, or the president of the university. Sometimes referred to as CEO fraud, these emails use urgent language to pressure you into acting quickly. They might ask you to buy gift cards, share sensitive information, or send a wire transfer to an unfamiliar account.

These messages often feel legitimate because attackers do their homework. They may use public details about UBC roles or previous communications to make the request seem real and time-sensitive. The urgency is intentional: when a message feels critical, you’re less likely to pause, ask questions, or follow established processes.

Deceptive Details and Spoofing

Appearances matter in a BEC scam. Attackers often mimic legitimate UBC or vendor email addresses with slight variations—known as spoofing—designed to fool the eye. They may register typo-squatted domains that differ from the real address by just a single character.
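The single-character lookalike described above can be checked mechanically. The following is an added example, not part of the original article: it flags a sender whose domain is exactly one edit away from a trusted domain. The allow-list, the vendor domain and the sample headers are assumptions constructed for illustration.

```python
from email.utils import parseaddr

# "ubc.ca" comes from the article; the vendor domain is a constructed
# placeholder. The allow-list itself is an assumption of this example.
TRUSTED_DOMAINS = ["ubc.ca", "vendor-payments.example"]


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or
    swap two adjacent characters, each costing 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        cur = [i] + [0] * len(b)
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # adjacent swap
        prev2, prev = prev, cur
    return prev[len(b)]


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike:<real domain>' or 'unknown'."""
    _, address = parseaddr(from_header)
    _, at, domain = address.rpartition("@")
    domain = domain.lower().rstrip(".")
    if not at or not domain:
        return "unknown"
    if any(domain == t or domain.endswith("." + t) for t in trusted):
        return "trusted"
    labels = domain.split(".")
    for t in trusted:
        # Compare only as many rightmost labels as the trusted domain has,
        # so a lookalike used with a subdomain is still caught.
        tail = ".".join(labels[-(t.count(".") + 1):])
        if edit_distance(tail, t) == 1:
            return "lookalike:" + t
    return "unknown"


if __name__ == "__main__":
    # Constructed From headers for demonstration.
    for header in ["Payroll <payroll@ubc.ca>", "President <president@ubcc.ca>",
                   "ap@ucb.ca", "news@example.org"]:
        print(f"{header:35} {classify_sender(header)}")
```

An "unknown" result only means the domain is not on the allow-list; it is not a statement that the sender is safe.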

If an attacker gains access to an actual account, they may go a step further by adding hidden forwarding rules. These rules automatically send certain emails—especially those related to invoices or payments—to an external address. To remain undetected, attackers sometimes configure the mailbox to delete these forwarded messages, preventing the victim from noticing the unusual activity.
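A mailbox-rule review for the pattern just described (external forward, invoice or payment filter, delete after forwarding) can be expressed as a small audit. This is an added example, not part of the original article: the rule record fields, the keyword list beyond "invoice" and "payment", and the sample rules are hypothetical and constructed for illustration.

```python
# Terms beyond "invoice" and "payment" are an assumption of this example.
FINANCE_TERMS = ("invoice", "payment", "wire", "remittance", "payroll")


def is_external(address: str, internal_domains) -> bool:
    """True when the address is outside every internal domain."""
    domain = address.rpartition("@")[2].lower()
    return not any(domain == d or domain.endswith("." + d)
                   for d in internal_domains)


def audit_rule(rule: dict, internal_domains=("ubc.ca",)) -> list:
    """Return the reasons a rule matches the hidden-forwarding pattern."""
    reasons = []
    targets = rule.get("forward_to", [])
    if not any(is_external(a, internal_domains) for a in targets):
        return reasons  # internal or no forwarding: outside this pattern
    reasons.append("forwards to an external address")
    keywords = [k.lower() for k in rule.get("subject_keywords", [])]
    if any(term in k for k in keywords for term in FINANCE_TERMS):
        reasons.append("selects invoice or payment mail")
    if rule.get("delete_message"):
        reasons.append("deletes the message after forwarding")
    return reasons


def audit_mailbox(rules: list, internal_domains=("ubc.ca",)) -> dict:
    """Map rule name -> reasons, for rules with at least one reason."""
    findings = {}
    for rule in rules:
        reasons = audit_rule(rule, internal_domains)
        if reasons:
            findings[rule["name"]] = reasons
    return findings


# Constructed rule export; the schema is hypothetical.
SAMPLE_RULES = [
    {"name": "Newsletters", "forward_to": [], "subject_keywords": ["digest"]},
    {"name": "Copy to assistant", "forward_to": ["assistant@ubc.ca"],
     "subject_keywords": ["invoice"]},
    {"name": "Personal copy", "forward_to": ["me@home.example"]},
    {"name": ".", "forward_to": ["archive@mailbox.example"],
     "subject_keywords": ["Invoice", "Payment due"], "delete_message": True},
]

if __name__ == "__main__":
    for name, reasons in audit_mailbox(SAMPLE_RULES).items():
        print(f"{name!r}: {'; '.join(reasons)}")
```

A rule that collects all three reasons matches the behaviour described above in full; a single external forward may be legitimate and is worth confirming with the mailbox owner.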

Why University Faculty and Staff Are Targeted

Higher education is a prime target for BEC attacks, and university employees face unique risks. One example is the “payroll pirate” scam, where attackers compromise an employee’s account to access HR systems and change direct deposit information. Future paycheques are routed to an account controlled by the attacker, leaving the victim unaware until payment day.

Phishing emails aimed at university communities often impersonate leaders or HR departments, using subject lines tied to compensation, compliance, or even campus health alerts. These messages look familiar and timely, making it easier for attackers to trick a recipient into clicking a link and providing credentials.

Practical Steps to Protect the UBC Community

Staying safe doesn’t require technical expertise—just awareness and a few reliable habits. Each of the following practices helps protect both you and the broader UBC community.

 

Actionable Takeaways | Why This Works
Enable Multi-Factor Authentication (MFA) | MFA prevents attackers from accessing your mailbox even if they steal your password.
Verify Every Urgent Request | Urgency is a key red flag. Always confirm unexpected financial or sensitive requests through a trusted channel—such as a known phone number—not the contact information in the suspicious email.
Scrutinize the Sender | Small differences in spelling or unusual domains can signal spoofing. Taking a moment to check helps you catch subtle red flags.
Use Dual Approval for Finances | Requiring a second person to approve wire transfers or new banking details stops attackers who rely on one hurried response.
Know What Not to Click | Links in unsolicited or unexpected messages are a common entry point. Avoid clicking and instead navigate to the site through a bookmark or by typing the address yourself.
Act Quickly if Something Feels Wrong | Resetting your password and reviewing your email rules can limit damage if an attacker gains access. Suspicious forwarding rules are a common indicator of compromise.

Protection Starts with Awareness

BEC attacks work because they target people, not systems. Your attention, skepticism, and willingness to verify unexpected requests are powerful defenses. If an email feels urgent, unusual, or simply “off,” trust that instinct—reach out to a colleague, check with your supervisor, or contact your support team before taking action.

By staying aware and adopting these habits, every faculty and staff member contributes to a safer digital environment. Together, we help protect personal information, safeguard university resources, and strengthen the resilience of the UBC community.

If something doesn’t look quite right, pause—and double-check. That quick moment of verification is often all it takes to stop a scam in its tracks.

