Business Email Compromise
Business email compromise (BEC) is among the most financially damaging cyber scams. The scenarios vary, but a typical one looks like this: as a business owner, you receive an email that appears to come from a known vendor or valued client and seems to make a legitimate request. The cybercriminal poses as a trusted figure and then asks for a fraudulent bill to be paid or requests sensitive data they can use in another scam.
Some examples of this are:
• A vendor your company regularly deals with sends an email, or “phish,” requesting that you update ACH information.
• The CEO of your company sends an email requesting that you purchase gift cards to send out as employee rewards or client gifts, specifically asking for the serial numbers so they can be emailed out right away.
• A homebuyer receives an email or phone message from his mortgage company to wire his down payment.
• An employee receives a phone call from what appears to be an office number, and it’s their manager asking them to make a last-minute wire. Artificial intelligence is making these phone scams more common, as criminals use the technology to clone voices.
Different versions of these scenarios have happened to real people over the last several months, all of them fraudulent requests. In each case, hundreds and sometimes thousands of dollars were sent to criminals and could not be traced or recouped.
There are several ways cybercriminals carry out these scams:
• Spoofing an email account or website. They make slight variations on legitimate addresses. For example, email@example.com vs. firstname.lastname@example.org can fool victims into thinking fake accounts are authentic.
• Sending emails that look like they are from a trusted sender to trick the receiver into revealing confidential information.
• Using malicious software, known as malware, to infiltrate company networks and gain access to legitimate email threads about billing and invoices. The malware allows criminals to gain undetected access to a victim’s data, including passwords and financial account information.
• Vishing or phone scams use computer-generated voices created with the help of artificial intelligence. Numbers can also be masked to appear to be coming from a legitimate source.
Steps to take to protect yourself and your business:
• If you receive an unexpected phone call or email requesting any kind of financial transaction or update to usual transaction procedures, always call the contact or vendor directly to verify the authenticity of the request.
• Create a culture of cybersecurity and fraud awareness for your employees by offering ongoing training and education.
• Consult with a Cybersecurity Insurance Specialist to learn about available options to protect your business should an act of fraud occur.
• If the requestor is pressing you to act quickly, it is likely a scam. Contact the actual company to confirm any requests and make them aware of the incident.
• Carefully look at the email address, URL, and check for any spelling errors throughout the message. Scammers tend to use slight differences to trick your eye.
• Never open a link or attachment in an email or text from someone you don’t know, and be careful of any attachments forwarded to you.
• Before you click on anything to verify or update account information, call the company directly to ask if the request is legitimate. Don’t use the phone number provided in the email or text; look up the company’s phone number on your own to verify.
• Set up two-factor authentication on all accounts that allow it, and make sure to use strong passwords with at least 15 characters, including numbers and symbols. Update them regularly, and do not reuse passwords across your business and professional accounts.
• Be cautious of the information you share online or through social media. Simple things like sharing your pet’s name, past schools, family members, or your birthday can give a scammer all the information they need to guess your password or answer security questions.
How to Report these Scams:
If you or your company think you’ve been a victim of any business email scam, it’s essential to act quickly. Contact your financial institution and request they contact the institution where the transfer was sent.
You can file a formal complaint or report a scam or consumer issue directly with the Federal Trade Commission (FTC) here: https://reportfraud.ftc.gov/#/
You can also report stolen identities and finances to the FBI’s Internet Crime Complaint Center here: https://complaint.ic3.gov/default?
For additional information on some of the trending fraud cases, visit our Fraud Awareness section.