Avoid Falling Victim to Business Email Compromise (BEC)

Business email compromise (BEC) is a sophisticated scam in which fraudsters pose as a trusted source and trick individuals and businesses into sending money or sharing sensitive information. The victim believes they are conducting a legitimate transaction, though in reality it is fraudulent.

Five types of BEC to watch out for:

1. CEO Impersonation: A fraudster impersonates a CEO, CFO, or another executive of a company by creating a fake email address that often looks legitimate or by hacking a real user’s account. Using this email address, they ask an employee to transfer funds to a bank account controlled by the fraudster.
2. Account Compromise: An employee of a company has their email address compromised. The account is then used to request, initiate, or authorize the transfer of funds to a bank account controlled by the fraudster.
3. False Invoice Scheme: A fraudster pretends to be a supplier by compromising the supplier’s email system or sending a spoofed email on behalf of a supplier. They use the account to request fraudulent payments or change payment instructions.
4. Attorney Impersonation: A fraudster claims to be an attorney and issues a fraudulent request warning of the consequences of noncompliance, including the prospect of litigation. Employees at lower levels are commonly targeted with this scheme.
5. W-2 Form and Other Data Theft: A fraudster targets a company’s HR department to obtain an employee’s W-2 tax form or other personally identifiable information, which can then be leveraged in a future attack. Executives are frequently targeted in this type of scheme.

Although these are commonly used schemes, fraudsters use many tactics. This is not an exhaustive list of all BEC scams you might encounter.

How to identify BEC

Spotting BEC scams before losses are incurred can be as simple as knowing what to look for. Malicious emails may often contain strange phrases, syntax, fonts, date formats, misspellings in the domain or name of the purported sender. The FBI outlined a few indicators that should draw suspicion:        

• Unexplained urgency.
• Last-minute changes in payment instructions or recipient account information.
• Last-minute changes in established communication platforms or email account addresses.
• Communication only in email and refusal to communicate via telephone or online voice or video platforms.
• Requests for advance payment of services when not previously required.
• Requests from employees to change direct deposit information.
• Strange requests to do something outside of the approved policy or procedure.

Ways to help guard against BEC

Help combat BEC scams by becoming familiar with the various tactics and taking precautions before and after receiving payment requests.

Before your business receives a payment request:

• Implement a dual approval requirement and limit the number of people who have the authority to send money.
• Establish intrusion detection rules that flag emails from addresses with domain names similar to the company’s domain name and where the reply address is different from the email address shown.
• Utilize callback thresholds for monetary transactions.
• Avoid sharing confidential information before confirming you are communicating with a trusted source.
• Work with vendors on a secure process to receive and verify payment instructions.

After your business receives a payment request:

• Perform a callback to a known client number (not the number in the request).
• Carefully review all email requests, especially if they provide new payment instructions. 
• Avoid replying to suspicious emails.
• Avoid clicking on links or opening attachments if you do not recognize the sender.
• Exercise additional scrutiny and verify changes with a secondary sign-off if changes are made to a payment request.

Your security is our top priority. We will never contact you to ask for your financial or personal information, nor will we ask a third party to log in to your computer. If you receive a message requesting confidential information that claims to be from us, do not click any links and contact us immediately. It is critical to share this information with your team and continue to foster a vigilant workforce with regular training to help safeguard your business.