How to Recognize Business Email Compromise Scams (BEC)
When the FBI released its 2018 Internet Crime Report, the first "hot topic" mentioned in the report was Business Email Compromise (BEC).[1]
BEC is a growing problem specifically aimed at businesses and their employees. Just how big a problem? According to the Financial Crimes Enforcement Network, BEC scams generated more than $300 million per month for criminals in 2018.[2]
What is Business Email Compromise?
In a BEC scam, a fraudster sends an email — from an address that appears to be real — to someone in the target organization. In the email, the scammer directs the recipient to send a large payment, usually via wire transfer, to an account the fraudster owns.
You may think BEC scams would be easy to detect. After all, most organizations have a system of checks and balances to help prevent unauthorized transactions. But like most scams, there's a lot more to it.
BEC is effective because it's usually part of a long-term plan. Unlike other email scams that target a large number of potential victims hoping a few will click on an infected link or enter sensitive information, BEC scammers take their time. Once they've identified a target organization, they may penetrate the company email system,[3] study the operations and company hierarchy,[4] learn about company procedures, and even familiarize themselves with travel plans of company executives.
Eventually, someone in the company's financial department will receive a very legitimate-looking email that appears to come from the company's CFO, CEO, or another executive, asking for an immediate transfer of funds. The email may contain some valid information and even resemble language commonly used by the company to make it appear legitimate. And because the alleged sender of the email is on a plane or otherwise unavailable to confirm the wire transfer verbally, the money is gone before anyone in the organization realizes it was a scam.
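The message described above carries several signals a mail gateway or SOC can check for before a human ever reads it: an executive's display name paired with an address that is not theirs, a sender domain one character off the company's own, a Reply-To pointing elsewhere, and urgency or secrecy wording. The following Python is an added example (not code from the original article) that scores one inbound message against those four indicators. The company domain, the executive roster, the keyword list and both sample messages are constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed values for the example: the organization's mail domain and the
# executives whose names a BEC message would typically borrow.
COMPANY_DOMAIN = "example-corp.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example-corp.com",    # CEO
    "raj patel": "raj.patel@example-corp.com",  # CFO
}

# Pressure and secrecy phrases of the kind the article describes; a real
# deployment would tune this list to its own false-positive rate.
URGENCY_TERMS = ("immediately", "urgent", "wire", "confidential", "keep this between")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch domains a character or two off ours."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike_domain(domain: str, company_domain: str = COMPANY_DOMAIN,
                        max_distance: int = 2) -> bool:
    """True for a domain that is close to, but not equal to, the company's own."""
    domain = domain.lower()
    return domain != company_domain and edit_distance(domain, company_domain) <= max_distance


def assess_message(raw: str) -> list[str]:
    """Return the list of BEC indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings: list[str] = []

    display, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""

    # 1. An executive's display name paired with an address that is not theirs.
    real_addr = EXECUTIVES.get(display.strip().lower())
    if real_addr is not None and addr != real_addr:
        findings.append("display-name-impersonation")

    # 2. Sender domain is a near-miss of the company domain (e.g. a digit for a letter).
    if domain and is_lookalike_domain(domain):
        findings.append("lookalike-domain")

    # 3. Replies would go somewhere other than the apparent sender.
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1].lower()
    if reply_to and reply_to != addr:
        findings.append("reply-to-mismatch")

    # 4. Urgency or secrecy language in the subject or plain-text body.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    if any(term in text for term in URGENCY_TERMS):
        findings.append("urgency-language")

    return findings


# Constructed sample: the kind of message the article describes.
SUSPICIOUS_SAMPLE = """\
From: Jane Doe <jane.doe@examp1e-corp.com>
Reply-To: jane.doe.ceo@webmail-example.invalid
To: accounts.payable@example-corp.com
Subject: Urgent wire

I'm boarding a flight and can't talk. Please wire $48,000 to the vendor
account in the attached instructions immediately and keep this confidential.
"""

# Constructed sample: an ordinary internal request that should not be flagged.
BENIGN_SAMPLE = """\
From: Jane Doe <jane.doe@example-corp.com>
To: accounts.payable@example-corp.com
Subject: Q3 budget review

Please send me the Q3 vendor spend summary when you get a chance.
"""

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, assess_message(sample))
```

Each indicator is weak on its own (plenty of legitimate mail has a Reply-To, and executives do send urgent notes), so a gateway rule would typically quarantine or tag only when two or more fire, and the tag is what triggers the out-of-band phone confirmation the article recommends.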
Did you know? Regular security awareness training for employees is the best defense against Business Email Compromise.
How to recognize and avoid Business Email Compromise
How can you stop BEC before it affects your organization?
- Educate your staff. Educate all employees with any financial authority about scams like BEC. Fraud techniques are continually evolving, so security awareness training is not a one-time event. It needs to be ongoing to keep up with emerging issues.
- Review existing procedures. Consider new policies for approving unexpected payments or wire transfers, such as requiring confirmation for the transaction through some means other than email. For example, you might require the employee to call the executive on their cell phone – to a known number, not one provided in the email asking for the transfer – before initiating the payment. Ensure company executives are on board with these policies and agree not to punish employees who refuse to make exceptions.
- Use a code word. Establish a code word or security question that must be answered before any transfer can take place. This prevents the scammer from calling in with a spoofed number and posing as the executive. And never use the code word in an email, only over the phone.
- Be skeptical. Train employees to be suspicious of any unplanned transfers of money, wire transfers that must happen immediately, or transactions that must be kept a secret from other executives in the organization. Legitimate business transactions can always wait for appropriate verification.
If you do get caught up in a BEC scam, immediately contact your financial institution. You can also file a report with the FBI's Internet Crime Complaint Center (IC3).[5] Your bank and the FBI may be able to recover the stolen funds if you notify them immediately.
BEC is a significant threat to businesses of all sizes. Familiarize yourself and your team with the risks of business email scams and make a concerted effort to protect your organization. Then everyone will be better prepared to make good decisions to protect the company.
Important Disclosure Information
This content is general in nature and does not constitute legal, tax, accounting, financial or investment advice. You are encouraged to consult with competent legal, tax, accounting, financial or investment professionals based on your specific circumstances. We do not make any warranties as to accuracy or completeness of this information, do not endorse any third-party companies, products, or services described here, and take no liability for your use of this information.
- [1] Federal Bureau of Investigation, "2018 Internet Crime Report." Accessed July 31, 2019.
- [2] Financial Crimes Enforcement Network, "FinCEN Exchange Forum Counters Business Email Compromise Scams," published July 16, 2019. Accessed July 31, 2019.
- [3] InfoSec, "BEC Attacks: How Email Account Compromise Works," published May 10, 2018. Accessed August 1, 2019.
- [4] Federal Bureau of Investigation, "Business E-Mail Compromise," published February 27, 2017. Accessed August 1, 2019.
- [5] Federal Bureau of Investigation Internet Crime Complaint Center, "Filing a Complaint with the IC3." Accessed August 1, 2019.