Business email compromise (BEC) scams are online payment fraud that targets businesses and can result in significant financial loss. BEC involves gaining unauthorized access to a legitimate email, text message or social media account, or an attempt to spoof or fake a legitimate account.
The purpose is to enable the criminal to send a message from an executive or business leader, vendor or client to convince an employee to transfer funds.
Once these funds are transferred to the criminal actor, it’s difficult, if not impossible, to recover the loss. In 2022, approximately $2.7 billion was lost to BEC fraud‡. It takes only minutes for a financially crippling mistake – and it can happen to anyone. Whether it’s a new hire, a 20-year veteran, payables manager or CEO, the resulting impact is the same.
The good news is there are actions businesses can take to minimize and mitigate their risk.
How to identify BEC red flags and reduce risk
The most important preventative measures against BEC are vigilance and awareness. Below are several BEC red flags to look for when you receive communications regarding funds transfers or transactions.
- Spoofed communications – Thoroughly inspect spelling and domains on payment requests received via email. Carefully check the address of the sender (email, phone number, etc.) to see if letters, numbers or the domain name are incorrect.
- Use of personal accounts – Criminal actors will impersonate company leaders, vendors or clients who are using their personal accounts (email, mobile phone, social media) rather than their standard company accounts.
Focus on timing
- Urgency – Criminal actors using BEC write communications requesting quick action on data changes or funds transfers, or they set accelerated deadlines. The faster timelines can result in missed validation steps or the employee acting outside of protocol.
- Relying on employees’ response to authority – These actors depend on employees being conditioned to quickly comply with requests from executive leadership or important clients and vendors.
- The request comes at a busy time – Many fraudulent requests will come at the end of the workday or workweek, putting pressure on employees to complete the request before the end of business (or end of month/quarter/fiscal year).
Communication and behavior
- Communications from executives – BEC fraudsters will impersonate a real individual, most often a leader or executive at the company a person works for.
- Single form of communication – Many BEC attempts will indicate the sender is in a meeting or traveling and can’t be reached by phone or other means, and demand all communication occurs via a specific communication channel such as email, text or social media.
- Generic terms and odd grammar – Emails with non-personalized greetings such as “Dear” or “Sir” or “Customer” are red flags. Emails with odd grammar, such as “kindly,” missing punctuation or spelling errors, are also red flags.
- Combined with fear and urgency, the prospect of being rewarded may prompt employees to skip typical procedures. These rewards can be tangible or intangible, such as being recognized for solving a problem or completing a highly important task for executive leadership.
How a company is targeted for BEC
Before launching a BEC scam, criminal actors may research the company, employees and senior management to gather as much information as possible to help them craft a convincing request. They may even check travel schedules, read other business emails and review social media profiles.
Criminal actors most often identify themselves as a high-level executive (CFO, CEO, CTO, etc.), lawyer, vendor, customer or other representative. In the communication, they will claim to be handling confidential or time-sensitive matters and request initiation of an urgent wire transfer.
Notably, these urgent requests also include a change to the receiving account or setting up a new account (which ultimately routes to the criminal actor). The employee may believe the request is legitimate and execute the funds transfer.
BEC is a social engineering scam
The tricky part about BEC is it isn’t primarily achieved through malware or hacking – it uses social engineering. These criminal actors create believable scenarios that can trick an employee into transferring funds.
Social engineering uses deception to manipulate individuals into divulging confidential information or taking action to support fraudulent activity.
It is in our nature to trust and want to help. Cybercriminals use psychology and human nature to entice victims to bypass important security controls.
How to help prevent BEC
Thoroughly vet payment change requests.
A request for payment accompanied by a change in receiving account should always be closely examined.
Contact executives, vendors or clients using an alternate communication channel to verify the request and the new account information. Ensure contact is made using a trusted phone number for a known contact at the organization, not the phone number provided in the email, text or social media message, and verify the individual is authorized to make the request.
Pause to verify.
When asked to verify a wire transfer, delay the transaction until additional verifications can be performed, and require dual approval for any wire transfer request that meets certain high-risk criteria.
Keep it simple.
Limit the number of employees authorized to approve and/or conduct wire transfers.
Create an environment of trust.
Many BEC scams are a result of criminal actors posing as senior leaders within organizations. Employees should feel comfortable pausing to validate a senior leader’s funds transfer request via phone or in person without worry.
Employees should be encouraged to resist the inclination to help and temper eagerness to prioritize requests from leadership.
The FBI considers BEC‡ the most financially damaging scams in the U.S. Take action to ensure your company’s leadership and employees understand the threat of this scam, and how to identify BEC red flags and reduce risk.
UMB provides sophisticated products to help protect your accounts from fraudulent activity through transaction review and validation, filtering, blocking, exceptions and approval protocols. For more information on how you can leverage treasury services to reduce fraud, visit our website.
When you click links marked with the “‡” symbol, you will leave UMB’s website and go to websites that are not controlled by or affiliated with UMB. We have provided these links for your convenience. However, we do not endorse or guarantee any products or services you may view on other sites. Other websites may not follow the same privacy policies and security procedures that UMB does, so please review their policies and procedures carefully.