Business Email Compromise (BEC) Has Evolved to Cryptocurrency Payments: How to Stay Safe

July 29, 2025


As cybercrime evolves, so do the tactics of fraudsters. Business Email Compromise (BEC) attacks, once focused on traditional payment methods, now increasingly exploit cryptocurrency for illicit transfers. This shift introduces new challenges for businesses that want to take advantage of the benefits of cryptocurrency payments. Understanding, at a high level, how cryptocurrency payments can be used in fraud and how to combat it is a starting point for avoiding fraud when using this payment method to pay vendors or accept payments from customers.

What are Cryptocurrency Payments?

Cryptocurrency is a form of digital payment. Digital payments are various electronic methods for transferring money or value, which offer a convenient and faster alternative to cash or check payments when making payments to vendors or receiving payments from customers. Other digital payment options include ACH or wire payments, credit card payments, and real-time payments such as Zelle or PayPal. These other types of digital payments involve financial intermediaries and, compared with payments made by cryptocurrency, often have increased transaction fees and slower settlement times depending on the type of payment, the payment currency and the countries involved.

Payments by cryptocurrency are decentralized and distributed, eliminating the need for financial intermediaries to validate and facilitate transactions. Cryptographic techniques and protocols are used to verify fund transfers and control the creation of monetary units on the blockchain network. Cryptocurrencies have no physical form and exist only on the network. Digital currencies include Bitcoin, Ethereum and stablecoins and are increasingly used as a form of payment, particularly for online transactions; funds can be transferred to bank accounts once converted to the preferred currency.

Cryptocurrency is stored in wallets: software that holds cryptocurrency and serves as the digital interface to the blockchain network, acting as a digital form of exchange. A wallet can be integrated into an accounting system, allowing Accounts Payable (AP) to make payments if connected to the blockchain.

Here is a typical payment using cryptocurrency wallets for the sender and the recipient:

| Action | Requirements | Description |
| --- | --- | --- |
| Initiate Payment | Cryptocurrency Address; Private Key; Recipient's Cryptocurrency Address | Wallet uses private key to sign transactions and transmit funds from a specific cryptocurrency address |
| Receive Funds | Cryptocurrency Address | Recipient provides their cryptocurrency address to sender, which serves as the destination for digital funds |

Pros and Cons of Cryptocurrency Payments 

  • Facilitates Online Transactions: Cryptocurrencies can be used for online payments.
  • Enables Faster Cross-Border Payments: Cryptocurrency transactions are "nearly instantaneous" enabling rapid cross-border transfers. This offers immediate visibility into the settlement of a transaction for both the payer and the vendor.
  • Payments Can Be Made in Foreign Currency:  Payments can be received in the preferred currency of the vendor. This also brings the volatility of conversion rates.
  • Transactions are Immutable Records:   Transactions cannot be tampered with, and this shared record reduces disputes and compliance issues.
  • Payments are Irrevocable:  Once funds are sent, they cannot be reversed.
  • Decentralized Nature: Cryptocurrency operates without central financial intermediaries, which criminals exploit to facilitate illicit activities like theft, fraud, and money laundering.
  •  Challenges Recovering Funds: Although cryptocurrency transactions are permanently recorded on public blockchains, making them traceable, significant challenges arise for law enforcement when funds enter jurisdictions with lax anti-money laundering laws or regulations.

Business Email Compromise (BEC) in Cryptocurrency Payments

The use of cryptocurrency by criminal actors is growing significantly.  In 2023, the FBI's Internet Crime Complaint Center (IC3) received over 69,000 complaints related to financial fraud involving cryptocurrency, with estimated losses exceeding $5.6 billion. By 2024, cryptocurrency-related complaints totaled 149,686, with losses of $9.3 billion, a 66% increase from the previous year.

Business Email Compromise (BEC) is a scam in which fraudsters target businesses or individuals by compromising email accounts and other forms of communication, through social engineering or computer intrusion techniques, to conduct unauthorized transfers of funds. It has also increased. Fraudsters have expanded BEC scams to cryptocurrency payments, with losses increasing from $4.8 million in 2023 to $63 million in 2024.

Image Credit:  FBI 2024 Internet Crime Report, Page 35

2025 Examples of BEC Fraud With Cryptocurrency Payments

While bank account details are not needed for cryptocurrency payments, there is still a threat of fraud. That is because the cryptocurrency address is equivalent to the bank account details when making payments to vendors or receiving payments from customers. In the same way that fraudsters provide bank account information to divert payments, they want payments diverted to their cryptocurrency address. Another scenario involves gaining access to a wallet's private key; if fraudsters obtain it, they have access to that wallet's cryptocurrency funds and can steal them.

Here are three recent examples of cryptocurrency fraud using BEC tactics.

  1. Phishing Email Resulted in $100,000 Loss – The fraudster inserted fake transactions into the payer's wallet. When the payer copied and pasted the seemingly legitimate wallet address from those fake transactions, the funds were sent to the fraudster's wallet.
  2. Fake Support Emails – Fraudsters used a company's contact form to send fake emails that appeared to be legitimate emails from customer support. Social engineering was used to request that the victims share their wallet backup. The wallet backup included their private key, which gave the fraudsters access to their cryptocurrency wallet.
  3. Impersonation Led to $250,00 Loss – A fraudster posed as part of the US President's 2025 inaugural committee and sent an email from a spoofed email address requesting that the victim send cryptocurrency funds. Once the funds were paid, they were soon distributed across multiple cryptocurrency addresses.

Tips to Avoid Cryptocurrency Fraud

  1. Treat Cryptocurrency Addresses as Sensitive Data – Collect this information securely, and limit who has access to see it in your accounting system.
  2. Never Reveal the Private Key – Giving out the private key gives access to the cryptocurrency wallet, allowing whoever holds it to drain the wallet without notification or permission.
  3. Require Dual Authentication – Require at least two team members to move funds and limit access to the wallet.
  4. Add Payment Confirmation – Verify that the funds were received as soon as possible after the transaction is completed.
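
The first and third tips, and the copy-and-paste failure in the $100,000 example, can be enforced in software before a wallet signs anything. The Python below is an added example, not code from the original article: the vendor ID, addresses and approver names are constructed, addresses are assumed to be Ethereum-style hex strings compared case-insensitively, and the look-alike rule (matching leading and trailing characters) is an assumed heuristic for an address that passes a visual check.

```python
from dataclasses import dataclass

# Vendor master file: addresses confirmed out-of-band (constructed sample values).
VERIFIED = {"vendor-001": "0x1111aaaa2222bbbb3333cccc4444dddd5555eeee"}

@dataclass(frozen=True)
class PaymentRequest:
    vendor_id: str
    destination: str   # address entered or pasted by the payer
    approvers: tuple   # user IDs that approved this payment

def looks_alike(candidate: str, trusted: str, edge: int = 4) -> bool:
    """Different addresses whose first and last `edge` hex characters match,
    i.e. what survives in a truncated wallet display (assumed heuristic)."""
    a, b = candidate.lower(), trusted.lower()
    return a != b and a[:2 + edge] == b[:2 + edge] and a[-edge:] == b[-edge:]

def review(req: PaymentRequest):
    """Return ("release" | "hold", reasons) for a single outgoing payment."""
    reasons = []
    trusted = VERIFIED.get(req.vendor_id)
    dest = req.destination.strip()
    if trusted is None:
        reasons.append("no verified address on file for vendor")
    elif dest.lower() != trusted.lower():
        if looks_alike(dest, trusted):
            reasons.append("destination resembles the verified address but differs")
        else:
            reasons.append("destination does not match the verified address")
    # Dual authorization: two different people, not one person twice.
    if len(set(req.approvers)) < 2:
        reasons.append("fewer than two distinct approvers")
    return ("release" if not reasons else "hold", reasons)

if __name__ == "__main__":
    poisoned = "0x1111ffff0000ffff0000ffff0000ffff0000eeee"  # constructed look-alike
    for req in (
        PaymentRequest("vendor-001", VERIFIED["vendor-001"], ("ap.clerk", "controller")),
        PaymentRequest("vendor-001", poisoned, ("ap.clerk", "controller")),
        PaymentRequest("vendor-001", VERIFIED["vendor-001"], ("ap.clerk", "ap.clerk")),
    ):
        print(req.vendor_id, req.destination[:10] + "...", *review(req))
```

A held payment should go back to the vendor through a contact channel already on file, not through the message that supplied the new address.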

Conclusion

As with any payment method, vigilance and robust security protocols remain essential for cryptocurrency payments to avoid growing fraud. Cryptocurrency payments have benefits as a digital payment option. However, as fraudsters continually evolve their tactics, your process to protect remittance information will continue to be critical.
