The ins and outs of Business Email Compromise

    One of the most common scams aimed at businesses and organizations is Business Email Compromise (BEC), a targeted form of phishing. In a BEC scam, a fraudster poses as someone inside your organization, or as a trusted individual outside it such as a vendor or supplier, in order to obtain money or sensitive information.


    What is a business email compromise?

    Business email compromises most often target companies that transact with foreign vendors and suppliers, but companies that don't are also hit. Another common tactic is an email posing as a leader or "big boss" within the company. The fraudster asks the employee to wire funds or make a payment, and gives the request a sense of urgency. Because the instruction appears to come from an executive or upper management, the employee may act quickly without questioning its legitimacy. By the time the manager is back in the office and the request is discussed in person, it is too late to cancel or stop the funds from reaching the impostor's account.

    Here’s what happens in most instances of a business email compromise:

    1. A fraudster targets a company that often transacts with vendors abroad or outside of the organization.
    2. The fraudster uses malware, or information gathered from public sources such as the company website and social media, to identify the employees who handle transactions or have access to finances (e.g., executive assistants, accountants, accounts payable staff).
    3. The fraudster uses the information collected to send a targeted email posing as the CEO or another executive, requesting that the recipient make a wire transfer or send a payment immediately. The email often makes the process seem too easy to be true, supplying exact payment details so that no questions need to be asked.
    4. The recipient unsuspectingly sends the funds to the fraudster's account.
    5. The fraudster receives the funds and launders the stolen money through accounts that are difficult to trace. By the time the fraud is discovered, it is nearly impossible to locate and recover the funds.

    Often, by the time your organization realizes that a business email compromise has occurred, it is nearly impossible to trace the funds.

    What are warning signs of business email compromise?

    It's easy to assume that your employees are too observant to fall for this scam; however, fraudsters are skilled and use proven tactics to exploit their victims. Be on alert for the following:

    • Spoofed email posing as a legitimate sender. Fraudsters pose as individuals within your organization by creating email accounts on domains that resemble yours. The sender address may be only one or two letters off from the real one, or use a different top-level domain, and is designed to pass through inboxes without a second thought. For example, a fraudster impersonating Jane Smith, CEO of XYZ Investment, might send from janesmith@ceo.com or janesmith@xyz.com instead of her actual address, janesmith@xyzinvestment.com. Consider registering website domains that are similar to your own. Even though you won't actively use them, registering them prevents a fraudster from registering them later.
    • Messages to send funds with immediacy. A request for funds that carries a sense of urgency, or that contains unusual grammar or phrasing, is a sign of a fraudulent email. Instead of reacting immediately, train employees to verify any payment request through a channel they already trust, such as a phone call to a number on file, before acting on it.
    • The use of malware. Fraudsters use malware to get into your network and scrape it for personal and financial information. Make sure your employees know not to download and install software on their work computers. If possible, implement controls so that only designated people, such as the IT department, can approve software installations.
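    The three warning signs above (a lookalike or external sender, a display name that matches an employee but an address that doesn't, and urgent payment language) can be checked mechanically before a message ever reaches the person who can send a wire. The following Python script is an added example written for this article, not code from the original page or from any product; the company domain, the staff directory and the urgency phrases are assumptions chosen to match the article's XYZ Investment example, and the "registrable domain" helper is a simplification that ignores multi-part suffixes such as .co.uk.

```python
"""Triage an inbound message for the BEC warning signs described in the article:
lookalike domains, external senders using a known employee's name, and urgency."""
from dataclasses import dataclass, field
from email.utils import parseaddr

COMPANY_DOMAIN = "xyzinvestment.com"                        # assumption: the article's example firm
KNOWN_STAFF = {"jane smith": "janesmith@xyzinvestment.com"}  # assumption: a directory lookup
MAX_EDITS = 2                                               # "one or two letters off"
URGENCY_PHRASES = ("immediately", "urgent", "asap", "right away", "today",
                   "wire", "transfer", "payment", "confidential")   # assumption

# Character swaps fraudsters use to build look-alike labels; folded before comparing.
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (row-by-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold(label: str) -> str:
    """Normalise a domain label so homoglyph swaps (rn->m, vv->w, 0->o ...) compare equal."""
    return label.lower().translate(_CONFUSABLES).replace("rn", "m").replace("vv", "w")


def registrable(domain: str) -> str:
    """Last two labels: 'mail.xyzinvestment.com' -> 'xyzinvestment.com' (simplified)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


@dataclass
class Verdict:
    external: bool = False
    lookalike: bool = False
    name_impersonation: bool = False
    urgent: bool = False
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # Internal urgent mail is normal; external urgent mail, lookalikes and
        # borrowed employee names are what the article warns about.
        return self.lookalike or self.name_impersonation or (self.external and self.urgent)


def triage(from_header: str, subject: str, body: str) -> Verdict:
    """Classify one message from its From header, subject and body text."""
    v = Verdict()
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        v.external = True
        v.reasons.append("unparseable sender address")
        return v
    domain = registrable(addr.rsplit("@", 1)[1])
    v.external = domain != COMPANY_DOMAIN
    if v.external:
        v.reasons.append(f"external sender domain {domain}")
        ours, theirs = COMPANY_DOMAIN.split(".")[0], domain.split(".")[0]
        if edit_distance(fold(theirs), fold(ours)) <= MAX_EDITS:
            v.lookalike = True
            v.reasons.append(f"{domain} is within {MAX_EDITS} edits of {COMPANY_DOMAIN}")
        elif len(theirs) >= 3 and (ours.startswith(theirs) or theirs.startswith(ours)):
            # Brand abbreviation or extension, e.g. xyz.com or xyzinvestment-payments.com
            v.lookalike = True
            v.reasons.append(f"{domain} reuses the company name")
    key = " ".join(display.lower().split())
    if key in KNOWN_STAFF and KNOWN_STAFF[key].lower() != addr.lower():
        v.name_impersonation = True
        v.reasons.append(f"display name '{display}' belongs to {KNOWN_STAFF[key]}, not {addr}")
    text = f"{subject} {body}".lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if len(hits) >= 2:
        v.urgent = True
        v.reasons.append("urgent payment language: " + ", ".join(hits))
    return v


if __name__ == "__main__":
    # Constructed sample message modelled on the article's example.
    print(triage("Jane Smith <janesmith@xyz.com>", "Wire needed today",
                 "Please send the payment immediately, I am in meetings."))
```

    A mail gateway would use the `external` flag to prepend the "[EXTERNAL]" banner and route anything with `suspicious` set to a quarantine or a second reviewer. The heuristics err on the side of flagging: a legitimate short domain that happens to be a prefix of yours will be caught too, which is the right trade-off for a mailbox that can move money.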
    What steps can I take to spread awareness and protect my organization?
    1. Educate your employees. If your employees know what to look for and are routinely reminded of the warning signs of a business email compromise, they will be more likely to recognize illegitimate emails.
    2. Set up controls for installing new software. As mentioned above, put security controls on employee computers so that malware cannot be installed on networked machines without approval.
    3. Keep inboxes secure. Avoid free, consumer web-based email platforms for company mail; they offer fewer administrative controls and are harder to secure consistently. In addition, create flags for sender addresses that resemble your company's address. This calls out addresses created to slip through the cracks with the look and feel of an employee or upper management.
    4. Flag external emails. Ensure that emails arriving from outside the company are visibly marked as external. This adds an extra layer of protection with an indicator employees can see at a glance.
    5. Implement a two-step process for payments. Require at least two people, neither of whom is the requester, to approve every wire transfer and payment, and verify any new or changed beneficiary details by calling a number you already have on file rather than one supplied in the email. An approval process protects you from both external and internal fraud attempts.

    As fraudsters refine their tactics, it's important to educate your employees and take the preventative measures necessary to keep your company's funds safe; your security measures must keep pace in order to recognize and block fraud attempts. If you suspect your business is the victim of a BEC scam, contact your bank immediately to request a recall of the transfer, then report the incident to law enforcement and to the FBI's Internet Crime Complaint Center (IC3). The sooner the bank is notified, the better the chance of stopping the funds.

    For more tips and tactics on how to protect your business from Fraud, visit our Security Center!



  • The information provided in these articles is intended for informational purposes only. It is not to be construed as the opinion of Central Bancompany, Inc., and/or its affiliates and does not imply endorsement or support of any of the mentioned information, products, services, or providers. All information presented is without any representation, guaranty, or warranty regarding the accuracy, relevance, or completeness of the information.