Business Email Compromise (BEC)
What is Business Email Compromise?
At its core, BEC relies on the oldest trick used by con-artists: deception. However, the level of sophistication used in this global form of fraud is unprecedented and continues to trick professional business people every day. BEC can take several different forms. In many cases, the scammers target employees with access to company finances and trick them into paying invoices or making payments to accounts they believe belong to trusted partners. In this case, the money then ends up in an account controlled by the criminals.
- Spoofing email accounts and websites: These scams use slight, almost undetectable, variations on legitimate email or web addresses (email@example.com vs firstname.lastname@example.org)
- Spear-phishing: emails that are believed to be from trusted senders in an attempt to access confidential information
- Malware: Used to gain access to company networks and reach into legitimate email threads about billing, invoices, or other finances. Malware can also be used to access a victim's data, including passwords and financial account information
- Social media information: Fraudsters can gain information about employee job roles and duties via social media. When an employee posts on social media that they will be out of the office, this can give criminals the information they need to spoof that employees accounts. These schemes usually consist of an email sent by the compromised employee, from a different email, claiming they cannot access their work email from their current location.
Oftentimes, these fraudulent requests are made with increased urgency. If you feel you are being rushed into making a transfer, completing a wire, or providing other forms of payment, take extra caution. When in doubt call the person making the request, and make sure it is legitimate.
How COVID-19 Has Impacted BEC
The FBI has been tracking Business Email Compromise since 2013, but the uncertainty brought about by COVID-19 has increased its threat. The criminal organizations that commit BEC are continually changing their techniques to exploit unsuspecting victims, and COVID-19 has left many vulnerable. As more and more Americans are working from home, criminals are able to take advantage of the decentralized workplace. Be extremely aware of emails coming from outside of your company domain and do not click on any suspicious links. Confirm any out-of-the-ordinary emails or requests via phone call to your co-workers when working from separate locations.
Cybercriminals are exploiting public fear of COVID-19 by sending emails claiming to be legitimate organizations with information about the coronavirus. Fraudsters are targeting employee email accounts and claiming to have updated workplace policy announcements. Other examples include "CDC Alerts" or emails that falsely claim to have updated virus statistics but really have malicious intentions to access personal and workplace information.
How Can You Prevent BEC?
- Avoid free web-based email accounts. Establish a company domain name and use it to establish company email accounts
- Be careful with what is posted to social media; especially details about job duties, hierarchical information, or out of office notifications
- Look out for common red-flags:
- Unexplained urgency
- Last-minute changes in established communication platforms or email account addresses
- Any communications solely through email with a refusal to speak via telephone or video platforms
- Requests for advance payments when never previously requested
- Requests from employees to change direct deposit information
- Last minute changes in wiring instructions or account information
- Verify changes and information via the contact on file-- not the phone number provided in the email
- Ensure the URL is associated with the company it claims to be from
- Be alert to hyperlinks that contain misspellings
- Consider using the forward option rather than reply. When answering an email, "forward" the email and type in the correct email address to make sure the intended recipient is correct
Information for this article provided by First Financial Bank, cyber experts from Inspired eLEarning, and the FBI.