Article by Michelle Johnson
Chief Risk Officer at Byline Bank

The next time a client or vendor emails you to initiate a payment or change payment instructions, slow down. Do you know the request is legitimate? Even if the email seems genuine, you should stop to consider if your client or vendor could have been victimized in a business email compromise (BEC) scheme.

BEC is a type of cybercrime in which fraudsters use email to defraud a business. These types of attacks are costly to businesses and increasing in number. According to an FBI report, there were 241,000 BEC attacks recorded from 2016 to 2021. Those incidents cost victims more than $43 billion.[1] Additionally, global cyberattacks increased 38% in 2022 compared to 2021, according to Check Point Research.[2]

Protecting your business starts with education. In this article, learn what business email compromise is and some steps you can take to help prevent a monetary loss if you, your clients or your vendors are targeted.


Types of business email compromise

In a BEC scam, the fraudster impersonates or hacks the business email address of a trusted source, such as an executive of the company. The fraudster then emails someone within the company to send payment or confidential information. Often the fraudster can deceive the victim into releasing large payments via ACH or wire transfers.

The FBI defines five major types of BEC scams:

  • CEO fraud: Fraudsters position themselves as the CEO or executive of a company. They typically email an individual within the finance department, asking for funds to be transferred to an account controlled by the fraudster.
  • Account compromise: After hacking an employee’s email account, fraudsters use the hacked email account to request payments to vendors. Payments are then sent to fraudulent bank accounts owned by the fraudster.
  • False invoice scheme: Fraudsters act as if they are a supplier to the company and request fund transfers to fraudulent accounts.
  • Attorney impersonation: Fraudsters impersonate a lawyer or legal representative. Lower-level employees are commonly the target of this type of attack because they wouldn’t know to question the validity of the request.
  • Data theft: Fraudsters typically target HR employees to obtain personal information about individuals within the company, such as the CEO or other executives. They can later use the data in future attacks, such as CEO fraud.


What methods do fraudsters use in a BEC scam?

There are a few common ways fraudsters carry out BEC scams: spoofing, spearphishing and malware.

With spoofing, the fraudster uses a fake email account or website address that looks very similar to a legitimate address or URL. Slight differences (e.g., [email protected] versus [email protected]) trick victims into thinking the fake accounts are real.

In spearphishing emails, fraudsters send messages that look like they’re from trusted senders. They email individuals at a business to get them to reveal confidential information. The information shared can provide fraudsters the details they need to carry out a BEC attack, such as company account details, calendars and other data.

Fraudsters use malicious software, known as malware, to gain access to company networks and real email threads that disclose billing and invoice details. With that information, fraudsters can time messages to seem more authentic so that employees don’t question payment requests. Malware can also give fraudsters access to passwords and account information. In sophisticated operations, fraudsters can clone the company’s server and act on its behalf.

What are the warning signs of business email compromise?

Although BEC scams are designed to be tricky to detect, they tend to share common characteristics that you can learn to spot. Urgency, changes from past payments, and errors in the text of the email are common red flags of BEC.

Here are the signs to watch for:

  • Payment information is different from the last payment issued: Often fraudsters intercept an email, edit it to include a change to payment instructions, and then send the revised email to the originally intended recipient. Proceed with caution if you are asked to change the name or address on a payment, the payment type (check versus ACH versus wire), pricing details, or whether to process it as a domestic or international payment.
  • Unusual payment amounts or vendor types: Identify whether payments to a particular vendor have suddenly ballooned compared to past amounts paid to that vendor. Be cautious about payment requests to vendors that don’t seem to fit the parameters of the business.
  • Email verbiage changes, typos and bad grammar: Read through the email chain to identify noticeable changes to the greeting or tone used. Typos, grammatical errors and odd sentence structures are common signs of a scam. Simple cut-and-paste verbiage or spacing gaps could indicate the email has been recycled from another BEC scheme.
  • Quick payment turnaround: If a requestor presses you to act quickly or threatens repercussions if deadlines are not met, that’s a major red flag.
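The red flags in the two sections above (a sender address that only resembles the vendor's real domain, changed bank details or payment type, an amount out of line with past payments, and urgency language) can be turned into a screening step that runs before anyone approves a payment-instruction change. The Python below is an added example written for this article, not code from Byline Bank or any named product. The vendor record, email addresses, account digits and amounts are constructed for illustration, and the thresholds (an edit distance of two or less for a lookalike domain, twice the typical amount) are assumptions a business would tune to its own payment history.

```python
"""Rule-based triage of a vendor payment request against the vendor master
record. All data below is constructed for illustration."""

from dataclasses import dataclass

# Constructed vendor master record: what the business already knows about
# each vendor from prior, verified payments (assumed fields).
VENDOR_MASTER = {
    "Acme Supply": {
        "domain": "acme-supply.example",
        "account_last4": "4421",
        "method": "ach",
        "typical_amount": 12_000.00,
    },
}

# Phrases that press for a quick turnaround; matched case-insensitively.
URGENCY_PHRASES = (
    "urgent", "immediately", "today", "before close of business",
    "penalty", "late fee", "do not delay",
)

LOOKALIKE_MAX_DISTANCE = 2   # assumption: tune to your vendor list
AMOUNT_MULTIPLIER = 2.0      # assumption: flag amounts above 2x typical


@dataclass
class PaymentRequest:
    vendor: str
    sender: str          # From: address as shown in the email
    body: str
    amount: float
    account_last4: str   # last four digits of the account named in the email
    method: str          # "ach", "wire" or "check"


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance. A small distance between two *different*
    domains indicates a lookalike (one letter swapped, dropped or replaced)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def screen_request(req: PaymentRequest) -> list[str]:
    """Return the red flags raised by one request. An empty list means no
    rule fired, not that the request is genuine; the phone call-back to the
    number on file still applies before any instruction change is made."""
    flags = []
    known = VENDOR_MASTER.get(req.vendor)
    if known is None:
        return ["unknown vendor: no master record to compare against"]

    sender_domain = req.sender.rsplit("@", 1)[-1].lower()
    if sender_domain != known["domain"]:
        dist = edit_distance(sender_domain, known["domain"])
        if dist <= LOOKALIKE_MAX_DISTANCE:
            flags.append(f"lookalike sender domain {sender_domain!r} "
                         f"(edit distance {dist} from {known['domain']!r})")
        else:
            flags.append(f"sender domain {sender_domain!r} does not match vendor record")

    if req.account_last4 != known["account_last4"]:
        flags.append("bank account differs from the last verified payment")

    if req.method != known["method"]:
        flags.append(f"payment type changed from {known['method']} to {req.method}")

    if req.amount > AMOUNT_MULTIPLIER * known["typical_amount"]:
        flags.append(f"amount {req.amount:,.2f} exceeds {AMOUNT_MULTIPLIER:g}x "
                     f"the typical {known['typical_amount']:,.2f}")

    lowered = req.body.lower()
    hits = [p for p in URGENCY_PHRASES if p in lowered]
    if hits:
        flags.append("urgency language: " + ", ".join(hits))
    return flags


# Constructed samples: a routine invoice and a request with the classic signs.
LEGITIMATE = PaymentRequest(
    vendor="Acme Supply", sender="billing@acme-supply.example",
    body="Attached is invoice 1142 for March. Thank you.",
    amount=11_800.00, account_last4="4421", method="ach")

SUSPICIOUS = PaymentRequest(
    vendor="Acme Supply", sender="billing@acme-supp1y.example",  # digit 1 for l
    body="Our bank details changed. Please wire the attached invoice today; "
         "a late fee applies otherwise.",
    amount=31_500.00, account_last4="9087", method="wire")

if __name__ == "__main__":
    for req in (LEGITIMATE, SUSPICIOUS):
        print(req.sender, "->", screen_request(req) or ["no rules fired"])
```

A screen like this belongs in the accounts-payable workflow as a hold, not a decision: any flag routes the request to the call-back step described in the next section, and a clean result does not skip it.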

What to do if you suspect business email compromise

A simple phone call can help your business avoid losing money due to BEC. Always verify payment requests, account changes or new payment procedures by calling the person directly at the number listed on the account. You could also look up the company’s phone number on your own, but do not call a phone number from an email request—it could be the fraudster answering the call. Do not accept email requests in lieu of a phone call.


You and your employees should be especially mindful of what you share online, including on social media. Pet names, schools you attended, links to family members or birthdates are commonly used in passwords or as answers to security questions. By openly sharing these details, you could be handing out all the information a fraudster needs to gain access to your computer, device or server.


Don’t click on anything in an unsolicited email or text message that asks you to update or verify account information. Carefully examine the email address, URL and spelling in any correspondence. Fraudsters use slight differences to trick your eye and gain your trust, or count on the fact that you won’t fully validate the message. You should never open an email attachment from someone you don’t know.


Set up two-factor or multifactor authentication on any account that allows it, and never disable this authentication. Do not share the information with anyone who asks for it. If there is an issue with the account, call the company directly for assistance or verification.

The bottom line: If something doesn’t feel right, trust your gut and ask questions. If you realize you have fallen victim to a BEC scam, report the incident immediately to your financial institution and your local FBI field office.