By Luke Vander Linden, VP of Membership & Marketing, Retail & Hospitality ISAC
Every day, retailers may receive hundreds, if not thousands, of emails, invoices and payment requests. While these communications may seem standard, they present enticing opportunities for cybercriminals to impersonate trusted contacts, exploit relationships and redirect money or sensitive information.
Here’s a look at common “business email compromise” scams that show up in retailers’ inboxes, how they work and how to recognize and avoid them.
Types of BEC Scams
Attackers can execute BEC scams in different forms, but the goal is consistent: to manipulate employees into sending money or revealing sensitive data.
Understanding the main types of BEC scams can help teams better recognize the red flags.
Domain Spoofing
In domain spoofing attacks, bad actors create email addresses that look like those of legitimate suppliers, partners or colleagues. For example, these lookalike domains may have added, removed or substituted just a single letter. Their emails often also copy brand elements like logos, font, color and email signatures to appear more authentic.
Some hackers may even go as far as creating live websites that mimic real supplier or partner sites, adding another layer of legitimacy to fool cautious employees who are trying their best to verify a suspicious email.
Social Engineering
Another common tactic is manipulation, where hackers pose as a store manager or supplier executive requesting urgent payment.
Often, these attacks lean into personal authority, using urgent or even angry language to pressure employees into acting quickly. In some cases, serious hackers spend weeks building up rapport through emails to gain an employee’s confidence before making a fraudulent payment request.
Unfortunately, these attacks are becoming more common, with a recent report showing that BEC scams made up 58% of phishing attacks in Q3 2024, of which nearly 9 in 10 involved impersonation of authority figures, like CEOs and IT staff.
Compromised Accounts
BEC scams can extend beyond impersonation. Some attackers succeed in gaining direct access to a supplier’s actual email system, often through another phishing attack or by taking advantage of cybersecurity hygiene mistakes like password reuse.
From there, the hacker can monitor real-time communications with employees and then capitalize on a ripe opportunity to send a fraudulent invoice or alter payment details on a legitimate order.
These scams are particularly dangerous because the emails come from authentic domains, which means even the most security-aware staff can still be tricked.
Common BEC Scams Hardware Stores Should Know
BEC scams are designed to look run-of-the-mill and ordinary, so it helps to know the warning signs. These are three common scenarios hardware store owners should be prepared to spot.
Fake Supplier Invoice
An attacker spoofs a trusted vendor’s email and sends what looks like a routine invoice. The formatting, logo and tone match previous communications, but crucially, the bank account details have been changed.
To reduce suspicion, the invoice may include a note that the supplier has “updated” their payment process. If the payment goes through, it’s the hacker who makes off with the funds.
Red flag to watch for: Be wary of sudden bank changes. Always verify requests using a trusted contact method like a phone call outside of email.
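The two checks below are an added example, not code from this article or from RH-ISAC. They turn the lookalike-domain behaviour described under Domain Spoofing (a single letter added, removed or substituted) and the changed-bank-details pattern of the fake supplier invoice into a small accounts-payable triage routine. The supplier domains, account identifiers and addresses are constructed sample data, and the "one edit away" rule is an assumption chosen to match the article's single-letter description.

```python
# Added example (not from the RH-ISAC article): triage an incoming supplier
# invoice for two red flags the article describes:
#   1. the sender domain is a one-letter lookalike of a trusted supplier domain
#      (letter added, removed or substituted), and
#   2. the bank account on the invoice differs from the account on file.
# All domains, supplier records and account values below are constructed.

TRUSTED_SUPPLIERS = {
    # supplier domain -> bank account on file (constructed values)
    "acme-supply.com": "NL00-BANK-1111",
    "fastener-depot.example": "NL00-BANK-2222",
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: fewest single-character insertions, deletions
    or substitutions needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute ca -> cb
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Lower-cased domain part of an address; accepts 'Name <user@domain>' too."""
    addr = address.strip()
    if addr.endswith(">") and "<" in addr:
        addr = addr[addr.rindex("<") + 1:-1]
    return addr.rsplit("@", 1)[-1].lower()


def classify_domain(domain: str, trusted=TRUSTED_SUPPLIERS):
    """('trusted', d) on an exact match, ('lookalike', d) when within one edit
    of a trusted domain d, otherwise ('unknown', None)."""
    if domain in trusted:
        return "trusted", domain
    for t in trusted:
        if edit_distance(domain, t) <= 1:
            return "lookalike", t
    return "unknown", None


def triage_invoice(sender: str, invoice_account: str, trusted=TRUSTED_SUPPLIERS):
    """Return the list of red flags raised by the two checks (empty = none)."""
    flags = []
    domain = sender_domain(sender)
    verdict, match = classify_domain(domain, trusted)
    if verdict == "lookalike":
        flags.append(f"sender domain {domain!r} is one letter away from trusted {match!r}")
    elif verdict == "unknown":
        flags.append(f"sender domain {domain!r} is not a known supplier")
    # Compare the invoice's bank details with the record held for the matched supplier.
    if match is not None and trusted[match] != invoice_account:
        flags.append(f"bank account {invoice_account!r} differs from {trusted[match]!r} "
                     f"on file for {match!r}; verify by phone before paying")
    return flags


if __name__ == "__main__":
    # Constructed sample invoices: one genuine, one from a lookalike domain with new bank details.
    for sender, account in [("ap@acme-supply.com", "NL00-BANK-1111"),
                            ("Acme AP <ap@acme-suply.com>", "NL00-BANK-9999")]:
        print(sender, "->", triage_invoice(sender, account) or "no flags")
```

A flagged invoice should be held until the supplier confirms the details through a contact method the store already has on record, as the article advises; the script only decides what to hold, not what to pay. The one-edit rule matches the single-letter substitutions described above; swaps that use two characters (for example "rn" in place of "m") are two edits away and would need a wider threshold or a confusable-character map.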
Executive Impersonation
An attacker poses as the store owner or manager and emails or calls an employee with an urgent payment request. These messages often arrive outside regular hours and lean into a sense of authority to create stress and pressure employees into processing payments fast without following typical approval protocols.
Red flag to watch for: Unusual timing and urgency from leadership should be concerning. Train employees to reject requests to bypass normal approval procedures, even when they appear to come from executives.
Customer Order Scam
An attacker pretends to be a customer placing a special order, and they even make a payment with a real credit card. But soon after, they request a refund—with the funds directed to a different account. What the employee doesn’t know is that the attacker has already “reported fraud” to their credit card company, who reverses the original charge, leaving the store covering the refund 100% out of pocket.
Red flag to watch for: Never send refunds to accounts that differ from the original payment method.
BEC scams succeed because they blend into the everyday flow of business. They look like regular emails, use trusted names and rely on urgency to override caution. For hardware stores managing frequent vendor, partner and customer interactions, the risk is significant—but defense starts simply with awareness and preparation.
Often, the most effective defense is resource- and community-building. By partnering with industry consortia, like RH-ISAC, hardware retailers can exchange threat intelligence, share best practices and access tools to support staff training.
With clear protocols and a community of shared knowledge, hardware store employees can move from being easy targets to a strong first line of cybersecurity defense.
