Business email compromise (BEC) scams have resulted in $26 billion+ in losses (6/16-7/19). If that sounds scary, it should, especially when you consider:
- In 2018, 80% of businesses received at least one of these emails. (Chances are, your business has received one of the fraud requests.)
- In the first three months of 2019, reports of BEC scams jumped 50% compared to 2018.
How BEC Scams Work
BEC scams typically target employees with access to company finances, sensitive data, or both. Using a spoofed or hacked email account, the scammer poses as a reliable source or authority figure (such as a CEO or CFO) and asks the employee to wire money or send sensitive information, often for a plausible reason. If money or information is sent, it goes into an account controlled by the fraudster.
Your “Secret Weapon”
The number one (and easiest) weapon you can use to avoid falling victim to a BEC scam? Confirm requests by phone or face-to-face before acting. Most BEC fraud could probably be stopped if employees who were directed to send money simply called or spoke face-to-face with the person supposedly making the request and asked them to confirm it. In this age of electronic communications, many people may be reluctant to do so, but with so much on the line, it pays to confirm.
In addition to confirming by phone or face-to-face, employees should also be told to:
- Ensure the URL in emails is associated with the business it claims to be from.
- Be alert to hyperlinks that may contain misspellings of the actual domain name.
- Refrain from supplying login credentials or PINs in response to any emails.
- Monitor personal financial accounts on a regular basis for irregularities, such as missing deposits.
- Keep all software patched and all systems updated.
- Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender's email address appears to match who it is coming from.
- Ensure the settings on their computer are enabled to allow full email extensions to be viewed.
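Mail administrators can automate part of the checklist above (sender address, misspelled domains, link targets). The following Python sketch is an added example, not part of the original article; the trusted domain `example-corp.com`, the edit-distance threshold of 2, and the sample message are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED = {"example-corp.com"}  # assumption: domains the business really uses

def edit_distance(a, b):  # Levenshtein distance, row by row
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def base_domain(host):
    # Simplification: last two labels; production code should use the Public Suffix List.
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def lookalike_of(host):  # trusted domain that host imitates, or None
    base = base_domain(host)
    if base in TRUSTED:
        return None
    return next((g for g in TRUSTED if edit_distance(base, g) <= 2), None)

def addr_domain(header):
    return parseaddr(header or "")[1].rpartition("@")[2].lower()

def review(raw):
    msg = message_from_string(raw)
    sender, reply = addr_domain(msg["From"]), addr_domain(msg["Reply-To"])
    findings = []
    if sender and base_domain(sender) not in TRUSTED:
        good = lookalike_of(sender)
        findings.append(f"sender domain {sender} " + (f"resembles {good}" if good else "is not trusted"))
    if reply and reply != sender:
        findings.append(f"Reply-To domain {reply} differs from sender domain {sender}")
    for host in sorted(set(re.findall(r"https?://([^/\s:]+)", msg.get_payload()))):
        if good := lookalike_of(host):
            findings.append(f"link host {host} resembles {good}")
    return findings

# Constructed sample message (not a real email).
SAMPLE = """\
From: "Pat Lee, CFO" <pat.lee@examp1e-corp.com>
Reply-To: pat.lee@mailbox.example
Subject: Urgent wire today

Pay the invoice at https://exarnple-corp.com/invoice (portal: https://www.example-corp.com/pay)
"""
```

Calling `review(SAMPLE)` returns three findings: the misspelled sender domain, the mismatched Reply-To, and the misspelled link host. A flagged message still needs the phone or face-to-face confirmation described above.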
What to Do If You Have Been Scammed
If you find your company has been a victim of a BEC fraud, immediately call your bank to stop the payment and report it to the FBI.
- As soon as possible, file a complaint, regardless of the amount, with the FBI's Internet Crime Complaint Center (IC3) or, for BEC/EAC victims, at BEC.IC3.gov. IC3 also asks people to report unsuccessful BEC attempts. Information from attempts may help establish patterns or identify mule bank accounts.
- Report fraud to the Better Business Bureau Scam Tracker at bbb.org/scamtracker/us.