Chief Risk Officer at Byline Bank
The next time a client or vendor emails you to initiate a payment or change payment instructions, slow down. Do you know the request is legitimate? Even if the email seems genuine, you should stop to consider if your client or vendor could have been victimized in a business email compromise (BEC) scheme.
BEC is a type of cybercrime in which fraudsters use email to defraud a business. These types of attacks are costly to businesses and increasing in number. According to an FBI report, there were 241,000 BEC attacks recorded from 2016 to 2021. Those incidents cost victims more than $43 billion.1 Additionally, global cyberattacks increased 38% in 2022 compared to 2021, according to Check Point Research.2
Protecting your business starts with education. In this article, learn what business email compromise is and some steps you can take to help prevent a monetary loss if you, your clients or your vendors are targeted.
In a BEC scam, the fraudster impersonates or hacks the business email address of a trusted source, such as an executive of the company. The fraudster then emails someone within the company to send payment or confidential information. Often the fraudster can deceive the victim into releasing large payments via ACH or wire transfers.
The FBI defines five major types of BEC scams:
There are a few common ways fraudsters carry out BEC scams: spoofing, spearphishing and malware.
With spoofing, the fraudster uses a fake email account or website address that looks very similar to a legitimate address or URL. Slight differences (e.g., [email protected] versus [email protected]) trick victims into thinking the fake accounts are real.
In spearphishing emails, fraudsters send messages that look like they’re from trusted senders. They email individuals at a business to get them to reveal confidential information. The information shared can provide fraudsters the details they need to carry out a BEC attack, such as company account details, calendars and other data.
Fraudsters use malicious software, known as malware, to gain access to company networks and real email threads that disclose billing and invoice details. With that information, fraudsters can time messages to seem more authentic so that employees don’t question payment requests. Malware can also give fraudsters access to passwords and account information. In sophisticated operations, fraudsters can clone the company’s server and act on its behalf.
Although BEC scams are designed to be tricky to detect, they tend to share common characteristics that you can learn to spot. Urgency, changes from past payments, and errors in the text of the email are common red flags of BEC.
Here are the signs to watch for:
A simple phone call can help your business avoid losing money due to BEC. Always verify payment requests, account changes or new payment procedures by calling the person directly at the number listed on the account. You could also look up the company’s phone number on your own, but do not call a phone number from an email request—it could be the fraudster answering the call. Do not accept email requests in lieu of a phone call.
You and your employees should be especially mindful of what you share online, including on social media. Pet names, schools you attended, links to family members or birthdates are commonly used in passwords or as answers to security questions. By openly sharing these details, you could be handing out all the information a fraudster needs to gain access to your computer, device or server.
Don’t click on anything in an unsolicited email or text message that asks you to update or verify account information. Carefully examine the email address, URL and spelling in any correspondence. Fraudsters use slight differences to trick your eye and gain your trust or hedge on the fact that you won’t fully validate. You should never open an email attachment from someone you don’t know.
Set up two-factor or multifactor authentication on any account that allows it, and never disable this authentication. Do not share the information with anyone who asks for it. If there is an issue with the account, call the company directly for assistance or verification.
The bottom line: If something doesn’t feel right, trust your gut and ask questions. If you realize you have fallen victim to a BEC scam, report the incident immediately to your financial institution and your local FBI field office.