Business Email Compromise

Any company, large or small, can be a target. More than 3 in 4 organizations received a suspected BEC email in 2021 and nearly half were targeted more than 10 times, according to a survey by cybersecurity company Proofpoint of working adults in the U.S. and six other countries.

And these schemes don’t just abuse businesses: According to the FBI, many BEC gangs also perpetrate romance and work-at-home scams to recruit unwitting “money mules,” manipulating victims who believe they've found love or a great job opportunity into opening bank accounts to hide or launder fraud proceeds.

Warning Signs

• You receive an email from a higher-up ordering you to quickly process an invoice, change the recipient of a payment or provide sensitive documents.
• The message is brief, urgent and presses you to bypass normal policies and procedures.
• The sender says he or she is traveling, and the signature indicates the email came from a mobile device.
• The email comes from a Gmail, Hotmail or other personal account rather than an organizational account.
• Someone you’ve become close to online asks you to open a bank account for the purpose of receiving or sending them money.

How to protect yourself from this scam

• Do check with an executive by phone or in person to verify a request to send money or provide personnel records.
• Do verbally confirm emailed instructions from a vendor or supplier to change payment methods or bank information. Call them on a known contact number.
  
• Do carefully check the sender’s email address. Scammers may slightly vary a genuine address, adding a letter or changing punctuation, to make it seem legit on first glance.
• Do train staff on the BEC threat and how to spot spoofed and spear-phishing emails.
• Do immediately contact your financial institution if you discover a fraudulent transfer. It may be able to recall the funds.
• Do verify a request from someone involved in a property transaction to change a payment type (for example, from check to wire transfer) or bank data. Do so in person or by phone, not by email.
• Do save all emails and other evidence of a BEC attack to provide to authorities.

• Don’t act on a request to send money or sensitive employee information without confirming that it’s authentic.
  
• Don’t reply to a suspicious email. Speak directly to the person the sender claims to be, or forward it to a known email address for that person.
• Don’t call a phone number listed in the suspicious email. Contact the actual person on a number you know to be legitimate.
• Don’t click on links or open attachments in a suspicious business email. It could unleash malware.
• Don’t open a new bank account at the behest of someone you’ve forged a relationship with online or as part of a supposed work-at-home opportunity.

More Resources

• If you’ve been targeted or victimized by a BEC scam, report it to the FBI’s Internet Crime Complaint Center (IC3).
• Forward W-2 phishing emails to the Internal Revenue Service at phishing@irs.gov. 
• If a BEC attack results in a data loss, follow the IRS’s instructions for reporting the theft and protecting employees. Contact the Federation of Tax Administrators at StateAlert@taxadmin.org for information on reporting the loss to state authorities.
• IC3 recommends office policies and IT strategies to reduce the BEC threat, as does the Financial Services Information and Analysis Center, a finance industry group that monitors cybersecurity and other threats.