Business Email Compromise (BEC) is one of the most financially damaging online crimes. In a BEC attack, an attacker targets a business using email to defraud the company.
Cybercriminals send emails that look like they're coming from a member of your trusted network – someone in a leadership position such as a manager or CEO, a business partner, a vendor, or someone else you trust. These phishing emails are an attempt to gain access to critical business information or extract money through email-based fraud, and they can result in significant financial loss to a company.
Many businesses rely on email to conduct their day-to-day activities, and as more and more business activity goes online, there's an increased opportunity for cybercriminals to target people in BEC attacks and other cybercrimes. How can you protect your business? We’re breaking down common BEC scams, steps you can take to spot and prevent a scam, and how to report it if it does happen.
Why is this such an area of concern?
The FBI has seen an increase in the frequency, the complexity and the amount of loss associated with this crime over the last several years. In 2019, the FBI’s cybercrime report indicated that Business Email Compromise attacks resulted in approximately $1.7 billion in losses, accounting for almost half of all losses due to cybercrime at the time. In 2021, the FBI reported that 68% of businesses were targeted by BEC scams, and it received complaints totaling more than $2.4 billion in actual losses.
As people become aware of existing schemes, those schemes are no longer as effective, so the tactics and techniques used by cybercriminals evolve. You’re dealing with an adversary that is constantly looking for new ways to victimize people. We’ve moved past the days when phishing attacks were largely bulk delivered in an indiscriminate way. These actors are engaged in significant research and reconnaissance. They often specifically target corporate officers and other executives in ways that illustrate a level of sophistication and diligence that’s well beyond what was initially seen in early schemes.
Protecting Your Business
- Be mindful of what information you share online. By openly sharing things like pet names, schools you attended, links to family members, and your birthday, you can give a scammer all the information they need to guess your password or answer your security questions.
- Don’t click on or download anything in an unsolicited email or text message asking you to update or verify account information. Look up the company’s phone number on your own (don’t use the one a potential scammer is providing) and call the company to ask if the request is legitimate. It’s always dangerous to seek confirmation by email, because you may be inadvertently communicating directly with the criminal.
- Be sure to carefully examine the email address, URL, and spelling used in a suspicious email. Scammers use slight differences to trick your eye and gain your trust. Also look at the urgency of the request. Very frequently, phishing campaigns will have urgency to the ask and promise dire consequences if you don’t act promptly – something along the lines of “confirm your credentials or your account will be turned off.” Any of these out-of-the-ordinary requests should be a red flag for the recipient.
- Set up two-factor (or multi-factor) authentication on any account that allows it, and never disable it.
- Verify payment and purchase requests in person if possible or by calling the person to make sure it is legitimate. You should verify any change in account number or payment procedures with the person making the request.
What can you do if you think you have been compromised?
If you or your company fall victim to a BEC scam, it’s important to act quickly:
- Contact your financial institution immediately and request that they contact the financial institution where the transfer was sent.
- Next, contact your local FBI field office to report the crime.
- Also, file a complaint with the FBI’s Internet Crime Complaint Center (IC3).
For more information, browse our business security resources.