November 18, 2022
Kellie M. Spawton
What is Business Email Compromise (BEC)?
Business Email Compromise exploits the fact that so many of us rely on email to conduct both personal and professional business. In a Business Email Compromise scam, criminals send an email message that appears to come from a known and trusted source, making what appears to be a legitimate request. Here are some examples of BEC:
- A vendor your company regularly deals with sends an invoice with an updated mailing address.
- A company CEO asks her assistant to purchase dozens of gift cards to send out as employee rewards. She asks for the serial numbers so she can email them out right away.
- A homebuyer receives a message from his title company with instructions on how to wire his down payment.
- A title company receives updated wire instructions for a settlement.
Also known as Email Account Compromise (EAC), it is one of the most financially damaging online crimes.
In 2021, the FBI’s Internet Crime Complaint Center reported record losses due to BEC of more than $2.4 billion in nearly 20,000 incidents. And that amount only represents what was reported to the FBI. Business Email Compromise fraud losses accounted for 35% of all reported cybercrime-related financial losses.
How Do The Criminals Do It?
- Man in the Middle: Intercepting legitimate emails, particularly those for invoices or payment, and changing wire instructions.
- Phishing Attacks: Purporting to be a member of the company or a legitimate vendor and requesting wire transfers to be sent; there is usually some sense of urgency about these requests.
- Email Spoofing: By creating an email address that is very similar, scammers can trick victims into thinking fake accounts are authentic.
- Malware: Malicious software can infiltrate company computer networks and gain access to legitimate email threads about billing, invoicing, or settlements.
What Can You Do To Protect Yourself and Your Company from BEC?
- Don’t click on anything in an unsolicited email asking you to update or verify account information. Look up the company’s contact information on your own and find out if the request is legitimate.
- Carefully examine the email address, URL, and signature in any email correspondence, and hover over the “From” address to check whether the “Reply-To” address actually matches it.
- Read the email carefully, looking for spelling, grammar, or syntax errors.
- Never open an attachment or click on a link from someone you don’t know and be wary of any attachments forwarded to you.
- Verify any payment request in person or by calling the requestor at the number you already have on file for them, and confirm every payment instruction before sending funds. Ensure that the intended beneficiary has also verified the payment instructions.
- Be especially wary if the requestor is pressuring you to act quickly or to change your standard procedures for any reason. Additionally, if they tell you they cannot be reached by phone, that is a red flag.
- Set up multi-factor authentication on any account that allows it, and never disable multi-factor authentication.
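The "From" versus "Reply-To" check and the similar-looking-address check above can also be automated at the mail gateway or in a mailbox rule. The script below is an added example, not part of the original article: it parses a raw message, flags a Reply-To domain that differs from the From domain, and flags any domain that is within two character edits of a trusted vendor domain. The trusted-domain list and the sample message are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Domains of vendors and title companies you already do business with (constructed).
TRUSTED_DOMAINS = {"acme-title.com", "northwind-supply.com"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value) -> str:
    """Pull the bare domain out of 'Display Name <user@domain>' (empty if none)."""
    addr = parseaddr(str(header_value))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def check_headers(raw_message: str) -> list:
    """Return (code, detail) findings for the reply-to and lookalike-domain checks."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_dom = domain_of(msg.get("From", ""))
    # With no Reply-To header, replies go back to the From address.
    reply_dom = domain_of(msg.get("Reply-To", "")) or from_dom
    findings = []
    if reply_dom != from_dom:
        findings.append(("reply-to-mismatch", f"From {from_dom} but replies go to {reply_dom}"))
    for dom in {from_dom, reply_dom}:
        if not dom or dom in TRUSTED_DOMAINS:
            continue
        for trusted in TRUSTED_DOMAINS:
            if edit_distance(dom, trusted) <= 2:
                findings.append(("lookalike-domain", f"{dom} is within 2 edits of trusted {trusted}"))
    return findings

# Constructed sample: a "vendor" sends new wire instructions, but replies are routed
# to a lookalike domain (acme-titie.com, with the letter l replaced by i).
SAMPLE = """From: Acme Title Closing <closing@acme-title.com>
Reply-To: closing@acme-titie.com
Subject: Updated wire instructions for your settlement

Please use the attached instructions for today's wire.
"""

if __name__ == "__main__":
    for code, detail in check_headers(SAMPLE):
        print(f"[{code}] {detail}")
```

A hit on either check is a reason to pick up the phone and call the number already on file, not to reply to the message.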