Business Email Compromise - Protecting Your Account
Business Email Compromise (BEC) scams occur when an attacker hacks into an e-mail account and impersonates the account owner to defraud the company, its customers, partners, and/or employees into sending money to the attacker’s account or providing sensitive information. After the cybercriminal gains access to email accounts, they typically use inbox rules or change the reply-to address so that the account owner will not be alerted when the scam is executed.
BEC scams have resulted in companies losing billions of dollars. But as sophisticated as the fraud is, there is an easy solution to thwart it: face-to-face or verbal communications.
Other Ways to Protect Yourself from BEC – Tips from the FBI
- Be careful with what information you share online or on social media. By openly sharing things like pet names, schools you attended, links to family members, and your birthday, you can give a scammer all the information they need to guess your password or answer your security questions.
- Don’t click on anything in an unsolicited email or text message asking you to update or verify account information. Look up the company’s phone number on your own (don’t use the one a potential scammer is providing), and call the company to ask if the request is legitimate.
- Carefully examine the email address, URL, and spelling used in any correspondence. Scammers use slight differences to trick your eye and gain your trust.
- Be careful what you download. Never open an email attachment from someone you don't know, and be wary of email attachments forwarded to you.
- Set up two-factor (or multi-factor) authentication on any account that allows it, and never disable it.
- Verify payment and purchase requests in person if possible or by calling the person to make sure it is legitimate. You should verify any change in account number or payment procedures with the person making the request.
- Be especially wary if the requestor is pressing you to act quickly.
How Does Email Compromise Happen?
A scammer might do any of the following:
- Spoof an email account or website. Slight variations on legitimate addresses ([email protected] vs. [email protected]) fool victims into thinking fake accounts are authentic.
- Send spearphishing emails. These messages look like they’re from a trusted sender to trick victims into revealing confidential information. That information lets criminals access company accounts, calendars, and data that gives them the details they need to carry out the BEC schemes.
- Use malware. Malicious software can infiltrate company networks and gain access to legitimate email threads about billing and invoices. That information is used to time requests or send messages so accountants or financial officers don’t question payment requests. Malware also lets criminals gain undetected access to a victim’s data, including passwords and financial account information.
If you or your company fall victim to a BEC scam, it's important to act quickly. Contact your bank and local authorities to report the crime.