Insights

Picture of Tim Hadley

Business Email Compromise, also known as BEC, is a sophisticated scam that targets businesses of all types and sizes. It is carried out when a fraudster compromises a legitimate business email account. This can be done through social engineering or often through computer hacking. Their ultimate goal is to deceive someone within your organization and get them to transfer funds or provide sensitive data.

Business Email Compromise (BEC) attacks cost organizations an estimated $1.77 billion in losses in 2019, reports the FBI, which received a total of 23,775 complaints related to this threat. Only a fraction of those funds were successfully returned. The rest was unrecovered and the businesses took a loss.

What can you do to protect yourself and your company? 

There are cost-effective ways to protect yourself and your company without sacrificing efficiency in operations. The most effective way is to verify funds transfer requests or information sent to you by email. Use an alternate form of communication such as phone or text to contact the requester. It is important to use a known number and not a number provided in the email.

What are some red flags to watch out for?

Look out for any urgent or last minute requests. Fraudsters try to get the target to act before they have time to think.

Phone requests
Some requests may try and have you contact a different phone number than the one you already know. They may also say they are unavailable by phone.

Secret/confidential
An uncharacteristic request for secrecy or confidentiality is a warning sign. The fraudster doesn't want the target to share the request because they might be warned of a scam.

Formal names
Names used are formal, such as Robert, Christopher or James when your contact typically uses Bob, Chris or Jim.

Email address
Email addresses are misspelled. Look for signs of a letter being used for a number or vice-versa, such as an "L" being substituted for a "1" or a zero for the letter O. Look for extra or missing letters within the email address.

Time of day
Was the email sent during odd hours? Sometimes the email time and date stamp from a fraudster can be significantly different than the person believed to be sending the email.

Poor grammar
Pay attention to odd wording, such as the use of “kindly” in place of “please” or an improper use of prepositions.

Does it make sense?
Imagine an email from a long-time Hong Kong-based vendor requesting their payment be directed, not to their normal Hong Kong bank, but instead to a bank located in the UK. Why would a Hong Kong company use a bank in the UK?

Protecting your organization

BEC is a prolific scheme that is ever evolving, so it's important to ensure employees are aware of BEC scams BEFORE they receive a questionable email. Have ongoing training in place and regularly review processes. For example, implement and review policies to require verification of email requests for fund transfers.

Simply being aware of this scam, and verifying requests for fund transfers, will go a long way to protect your organization from loss associated with Business Email Compromise.

I think I’ve been the victim of BEC – what do I do now?

If you suspect your business email has been compromised:

  • Immediately notify your other online banking users and urge them to not transmit any payments that were authorized by an email instruction.
  • Implement dual approvals for ACH and wire transfers in your online banking platform, where available.
  • Contact the financial institution(s) you use to send electronic payments to notify them of the compromise and to review recent payments for legitimacy.

If you find funds have been transferred to a fraudulent account, it is essential to act quickly.

  • Immediately report the fraud to the financial institution(s) from which funds were fraudulently transferred.
  • Request that your financial institution(s) contact the corresponding financial institution where the fraudulent transfer was sent.
  • Contact your local Federal Bureau of Investigation (FBI) office if the wire is recent. The FBI, working with the U.S. Department of Treasury Financial Crimes Enforcement Network, might be able to help return or freeze the funds.
  • File a complaint, regardless of dollar loss, with www.ic3.gov or, for BEC victims, bec.ic3.gov.

Improve your business' security capabilities

Old National Treasury Management can help with our customized suite of online cash management resources called ONPointe.TM


Tim is Product Innovation Director, VP, for Old National Treasury Management. He has a background in sales, product and project management - specializing in treasury management solutions, merchant card processing, corporate cash and retail banking.

This content is not intended to provide legal, tax, accounting, financial or investment advice or indicate the suitability of any product or service for your unique circumstances. You are encouraged to consult with a qualified legal, tax, accounting, financial or investment professional based on your specific circumstances. We do not make any warranties as to accuracy or completeness of this information, do not endorse any third-party companies, products, or services described here, and take no liability for your use of this information.
Back to top