Defend Yourself Against Wire Fraud and CEO Email Scams

Business email compromise scams (BECs) typically combine spear phishing, email spoofing, social engineering, and occasionally malware, and have steadily grown into a prolific problem for businesses of all sizes, resulting in massive losses to the tune of several billion dollars.

Here's a breakdown of what each does:

  • Malware: Used to infiltrate company networks and gain access to legitimate email threads about billing and invoices. That information is used to minimize suspicions of an accountant or financial officer when a request for a fraudulent wire transfer is made. Malware also allows criminals undetected access to a victim’s data, including passwords and financial account information.
  • Spear-phishing: Bogus emails believed to be from a trusted sender prompt victims to reveal confidential information to the perpetrators.
  • Spoofing e-mail accounts and websites: Slight variations on legitimate addresses fool victims into thinking fake accounts are authentic. The criminals then direct email responses to a different account they control.

Increasingly, BECs take the form of CEO-spoofing emails aimed at wire fraud. CEO email fraud is a scam in which a series of bogus emails, purportedly from a company’s CEO, CFO or other senior executive, is sent to persuade the targeted employee to quickly transfer funds into fraudulent accounts in a manner that bypasses the usual safeguards.

Here are a few ways you can safeguard your business:

  • Regularly update malware protection on any device used for online banking and perform scans on a periodic basis.
  • Require a second form of verification for any change in a vendor's payment location, such as a secondary sign-off by company personnel or a phone call to confirm requests for transfers of funds (use previously known numbers, not the numbers provided in the email request).
  • Create intrusion detection system rules that flag emails sent from domains that closely resemble the company's own domain, so that a message from a look-alike address is caught before it reaches the recipient. Also, flag emails where the "Reply-To" address is different from the "From" address.
  • Color code virtual correspondence, so emails from employee/internal accounts are one color and e-mails from non-employee/external accounts are another.
  • Exercise restraint when publishing information about employee activities online (ex. company websites or social media accounts) which can provide valuable information for attackers who perpetrate these types of schemes.
  • Carefully scrutinize all email requests for transfer of funds to determine if the requests are out of the ordinary. If it doesn’t seem right, it might not be right — so double-check.
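The two mail-filtering rules above (look-alike sender domains and a "Reply-To" that differs from "From") can be prototyped in a few dozen lines. The following is an added example written for this page, not code from the original article; it assumes a company domain of example.com and a short list of executive names, both of which are constructed placeholders, and the sample messages are constructed as well. It also adds a third check the page's CEO-fraud discussion implies: an executive's display name paired with an external sending domain.

```python
"""Flag look-alike sender domains, Reply-To mismatches and executive-name
impersonation in inbound mail (added example; assumed company values below)."""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"          # assumption: the organisation's real domain
EXECUTIVES = {"jane doe", "john roe"}   # assumption: names an attacker would impersonate

# Character substitutions commonly used to build look-alike domains.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def normalize(domain: str) -> str:
    """Fold confusable characters so 'examp1e.com' and 'exarnple.com' compare equal to 'example.com'."""
    d = domain.lower()
    for bad, good in CONFUSABLES.items():
        d = d.replace(bad, good)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(domain: str) -> bool:
    """True for a domain that is not ours but is easily mistaken for it."""
    if domain == COMPANY_DOMAIN:
        return False
    if normalize(domain) == COMPANY_DOMAIN:
        return True
    return edit_distance(domain, COMPANY_DOMAIN) <= 2


def analyze(raw_message: str) -> list:
    """Return the reasons a message should be flagged; an empty list means no finding."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = domain_of(from_addr)
    findings = []

    if is_lookalike(from_domain):
        findings.append(f"sender domain {from_domain!r} resembles {COMPANY_DOMAIN!r}")
    if reply_addr and reply_addr.lower() != from_addr.lower():
        findings.append(f"Reply-To {reply_addr!r} differs from From {from_addr!r}")
    if from_name.strip().lower() in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        findings.append(f"executive name {from_name!r} used with external domain {from_domain!r}")
    return findings


# Constructed sample messages, one per rule plus a benign vendor message.
SAMPLE_MESSAGES = {
    "lookalike": (
        "From: Jane Doe <jane.doe@examp1e.com>\n"
        "To: accounts@example.com\n"
        "Subject: Urgent wire\n\nPlease process today.\n"
    ),
    "reply_to_mismatch": (
        "From: Jane Doe <jane.doe@example.com>\n"
        "Reply-To: jane.ceo@mail-example.net\n"
        "To: accounts@example.com\n"
        "Subject: Urgent wire\n\nPlease process today.\n"
    ),
    "clean": (
        "From: Pat Vendor <pat@vendor-corp.test>\n"
        "To: accounts@example.com\n"
        "Subject: Invoice 42\n\nAttached.\n"
    ),
}

if __name__ == "__main__":
    for label, raw in SAMPLE_MESSAGES.items():
        print(label, "->", analyze(raw) or "no findings")
```

The edit-distance threshold is a heuristic: a distance of two will also match some unrelated short domains, so in practice the output should feed a quarantine or warning banner rather than an automatic block, and legitimate subdomains of the company domain should be whitelisted before the rule is applied.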

If you or your company fall victim to a BEC scam, it's important to act quickly. Contact your bank immediately and request that they contact the financial institution receiving the fraudulent transfer. Next, call the FBI, and also file a complaint—regardless of dollar loss—with the FBI's Internet Crime Complaint Center (IC3). To learn more about this and other cyber scams, visit our Fraud Center.