Business Email Compromise, also known as BEC, is a sophisticated scam that targets businesses. It is carried out when a fraudster compromises a legitimate business email account, either through social engineering or, often, by hacking. The fraudster’s ultimate goal is to deceive someone within an organization into transferring funds or providing sensitive data.
An effective Business Email Compromise attempt may involve an infected computer system. Attackers gain access through malware delivered by email to an employee, through the illegal online purchase of compromised user credentials, or through social engineering of an employee. Once the email account is compromised, the scenarios vary. Here are a few of the common ones.
A company’s CEO or controller’s email accounts are hacked or spoofed and fraudulent emails are sent within the company requesting wire payments. The employee assumes the request is legitimate and authorizes a funds transfer.
Vendor email accounts are compromised and payment instructions for legitimate invoices are changed to the fraudster-controlled account. Based on the email from the fraudster, the company pays the legitimate invoice to the fraudster’s account.
Attorney Scam
Scammers pose as lawyers or law firms requesting secret, time-sensitive wires, such as a confidential purchase of a business or other assets. The employee authorizes the funds transfer to the fraudster’s account believing they have performed a legitimate confidential transaction.
Fraudsters pose as a title company or realtor with the intent of misdirecting funds associated with a legitimate real estate closing. The target receives an email with wire instructions for a legitimate real estate transaction. Upon authorization, the wire goes to the fraudster rather than the appropriate account.
While many Business Email Compromise scams focus on transferring funds, some target organizations such as schools, daycares, hospitals and assisted living facilities for the purpose of obtaining Personally Identifiable Information. This includes Social Security numbers, dates of birth, or wage and tax information that can be used in future scams.
How do you respond to a BEC?
To prevent the loss of funds and information, always verify requests through a phone call or a text at a number known to you, not one supplied in the email. According to the FBI, only one-third of Business Email Compromise frauds have some amount of funds returned, leaving over 66% unrecovered. After discovering a fraud, it is important to act quickly to improve the chance of recovery.
Your first step is to immediately contact your bank and request a wire recall.
Second, contact a cybersecurity professional. They should be able to determine the point of compromise, network security status and whether the email was spoofed or hacked.
Third, change your email and online banking passwords from a known safe network.
Next, report the crime to both your local FBI office and to www.ic3.gov.
Prepare to be targeted again. Review internal policies and processes. Work with your bank and cybersecurity professional to mitigate losses if you are targeted again. Fraudsters sometimes think that if it worked once, it will work again.
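The vendor scenario above (payment instructions changed on a legitimate invoice) and the rule to verify requests at a number known to you, not one supplied in the email, both come down to the same control: compare what the email says against what accounts payable already has on file, and call back only the number on file. The following script is an added example, not code from the original article or from ONB; the vendor record, email addresses, account numbers and phone numbers are constructed sample data, and the field names (`VendorRecord`, `PaymentRequest`, `review_request`) are assumptions for illustration.

```python
"""Hold vendor payment requests whose details disagree with the vendor master file.

Added example (not from the original article). All vendor records, e-mail
addresses, account numbers and phone numbers are constructed sample data.
"""
from dataclasses import dataclass
from email.utils import parseaddr
from typing import Dict, List, Optional


@dataclass
class VendorRecord:
    """What accounts payable already has on file, established before any email."""
    name: str
    email_domain: str
    bank_account: str
    phone_on_file: str  # the number to call back; never the one in the message


@dataclass
class PaymentRequest:
    """Fields taken from an incoming invoice or wire-instruction email."""
    vendor_name: str
    from_header: str
    bank_account: str
    callback_phone: Optional[str] = None  # a number the email asks you to call
    urgent: bool = False                  # "secret", "time-sensitive", "confidential"


def review_request(req: PaymentRequest, vendors: Dict[str, VendorRecord]) -> dict:
    """Return whether the request must be held for out-of-band verification.

    'verify_via' is always the phone number on file, so the caller never
    dials a number that the (possibly fraudulent) email supplied.
    """
    reasons: List[str] = []
    record = vendors.get(req.vendor_name)
    if record is None:
        return {"hold": True, "reasons": ["unknown vendor"], "verify_via": None}

    # Sender domain must match the domain on file; a hacked account would
    # pass this check, which is why the bank account check below also exists.
    _, addr = parseaddr(req.from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain != record.email_domain.lower():
        reasons.append(f"sender domain {domain!r} differs from {record.email_domain!r}")

    # Changed payment instructions are the core of the vendor scenario.
    if req.bank_account != record.bank_account:
        reasons.append("bank account differs from account on file")

    # A callback number supplied in the email is never trusted.
    if req.callback_phone and req.callback_phone != record.phone_on_file:
        reasons.append("callback number in email differs from number on file")

    if req.urgent:
        reasons.append("request marked urgent or confidential")

    return {"hold": bool(reasons), "reasons": reasons, "verify_via": record.phone_on_file}


# Constructed sample data.
SAMPLE_VENDORS = {
    "Acme Supplies": VendorRecord(
        name="Acme Supplies",
        email_domain="acme-supplies.example",
        bank_account="111222333",
        phone_on_file="555-0100",
    ),
}

LEGIT_REQUEST = PaymentRequest(
    vendor_name="Acme Supplies",
    from_header="Acme AP <ap@acme-supplies.example>",
    bank_account="111222333",
)

CHANGED_INSTRUCTIONS = PaymentRequest(
    vendor_name="Acme Supplies",
    from_header="Acme AP <ap@acme-supplies.example>",  # genuine but hacked account
    bank_account="999888777",                          # new "updated" account
    callback_phone="555-0199",                         # number supplied in the email
    urgent=True,
)

SPOOFED_SENDER = PaymentRequest(
    vendor_name="Acme Supplies",
    from_header="Acme AP <ap@acme-supp1ies.example>",  # lookalike domain
    bank_account="111222333",
)


if __name__ == "__main__":
    for req in (LEGIT_REQUEST, CHANGED_INSTRUCTIONS, SPOOFED_SENDER):
        result = review_request(req, SAMPLE_VENDORS)
        status = "HOLD" if result["hold"] else "OK"
        print(f"{status:4} {req.vendor_name}: {result['reasons'] or 'matches vendor file'}")
        if result["hold"]:
            print(f"     call the number on file: {result['verify_via']}")
```

The point of the design is that a held request is never cleared by replying to the email or calling the number it contains; the script only ever hands back the phone number that was on file before the message arrived.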
More ways to secure your information
Our online security center provides additional actions individuals and businesses can take to protect against fraud.
Copyright © 2019 ONB