Phishing Scam: Business Email Compromise (BEC)

The Business Email Compromise (BEC) scam can be one of your business’s most financially damaging frauds. BEC is designed to target an individual or small group instead of a large group. This phishing scam is where the fraudster impersonates or compromises an executive’s or other known individual’s email to manipulate the business target into initiating a wire, ACH, or another type of transfer. Once the fraudster is in, they can create email rules and control previous emails.

The common scenarios of BEC attacks are:

• Foreign Supplier: This is also known as “The Bogus Invoice Scheme.” The fraudster pretends to be a vendor requesting payment for services performed for your company. This type of attack will often appear as one of your vendors. The fraudster will use a realistic template but change the bank account information to an account controlled by the fraudsters.
• CEO Fraud: The fraudster will send an email that appears to be from the CEO and request a wire transfer, or a similar transaction, from the compromised account.
• Account Compromise: Like the CEO Fraud, this is when the business or personal email of an Executive or employee is hacked and used to send invoice payment requests to your business vendors.
• Attorney Impersonation: The fraudster impersonates an attorney via email or a phone call. They typically do this scam at the end of a business day to pressure employees to act quickly.
• Data Theft: This scenario happens when fake requests are sent to departments in charge of sensitive and important information. The fraudster could target Human Resources for personally identifiable information (PII) or the accounting department for W-2s.

Businesses of all sizes can be a target for a scam like this. One of the biggest BEC scams cost Facebook and Google around $121 million over a two-year period. According to the FBI, the tips below can help you protect yourself:

• Be careful with what personal information you share online or on social media. Sharing personal things like pet names, schools, links to family members, and your birthday, scammers can have enough details to answer your security questions or guess your password.
• Be cautious and avoid clicking on unsolicited emails or text messages asking you to verify or update account information. Don’t use the contact information the potential scammer provides. Instead, look up the company’s phone number on your own. Call the company directly to ask if the request is legitimate.
• Carefully review the URL, email address, and spelling used in any communication. Fraudsters use slight and often unnoticeable differences to trick your eye and gain your trust.
• Be careful what you download. Never open an email attachment or click on a link from someone you don’t know. Additionally, be wary of email attachments forwarded to you from people you don’t know.
• Set up two-factor (or multi-factor) authentication on any account that allows it, and never disable it.
• Verify payment and purchase requests in person if possible or by calling the person to make sure it is legitimate. Verify any change in payment procedures or on an account directly with the person making the request.
• Be especially wary if the requestor is pressing you to respond or act quickly.

If you think you’ve been a part of a BEC scam, please call your bank immediately. Then you should follow up with your local FBI field office and file a complaint with the FBI’s Internet Crime Complaint Center (IC3).