What is Business Email Compromise?
Business Email Compromise (BEC) occurs when a fraudster sends an email posing as a trusted party (your boss, a key vendor, etc.) and asks for sensitive information, a payment, or a change to payment instructions. The email may come from a spoofed or look-alike “from” address, or from a legitimate email account that has been compromised.
Fraudsters can also pose as you and similarly try to trick your customers or other employees.
To help protect your organization against fraud losses, always check with the requestor in person or by phone at a known number that the request is legitimate before acting, even if the email appears to be internal.
Also let those you regularly email know never to rely just on an email from you for any banking change, unexpected payment request or sensitive information.
- Inquire with your technology service provider or your internal technology function about the security protocols that are in place to prevent common email schemes.
- Establish a company domain for email instead of using services like Gmail. Businesses using free consumer email services are easy targets, as such accounts offer few organization-wide security settings.
- Limit access to personal email / free email services in your domain.
- Implement centralized email protection systems to screen emails for spoofing and malware.
- Configure your email system to automatically place banners or flags on emails from external domains to heighten receiver awareness of potential red flags.
- Use encryption for emails containing account numbers or other sensitive information.
- Deploy multi-factor authentication on mobile devices receiving / sending email.
- If you don’t need web access to email, configure your mail service settings to disable it outside of your domain, since webmail is another attack point for criminals. If you must provide it, have a professional technology provider deploy it securely.
Email red flags
- Be suspicious of requests for secrecy or urgency.
- Is the request consistent with earlier requests? Does it make sense they would make this request by email?
- Watch for small changes that mimic real email addresses. For example, “@companyname.com” may be changed by replacing the “o” with a numerical value “0”, such as “@c0mpanyname.com”, a close approximation that may escape notice by a receiver.
- Even if you don’t see red flags, always validate requests by phone at a known number or through another separate, non-email channel. In some cases fraudsters have hacked into and are using the other party’s legitimate email address, and these emails can be especially convincing.
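As an added example (not from the original page or the bank's own tooling), a small Python check that applies the red flags above to a From: header: exact trusted domains count as internal, close approximations such as the “0” for “o” swap or a dropped letter are flagged as look-alikes, and a trusted address that appears only in the display name is flagged as spoofed. The trusted domain list and the sample headers are constructed for illustration.

```python
import re
from email.utils import parseaddr

# Constructed list of domains this organization treats as trusted (assumption).
TRUSTED_DOMAINS = {"companyname.com", "keyvendor.com"}

# Character substitutions that make a fake domain look like a real one.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def normalize(domain: str) -> str:
    """Fold common look-alike characters so 'c0mpanyname' reads 'companyname'."""
    folded = domain.lower().strip().translate(CONFUSABLES)
    return folded.replace("rn", "m").replace("vv", "w")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-character drops such as '.co' for '.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS):
    """Return (verdict, matched trusted domain or None) for a From: header value.

    Verdicts: 'internal', 'lookalike', 'spoofed_display', 'external'.
    """
    display, addr = parseaddr(from_header)
    _, sep, domain = addr.rpartition("@")
    if not sep:
        return ("external", None)
    domain = domain.lower()
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return ("internal", t)
    for t in trusted:
        # Same domain after folding confusables, or within one edit of it.
        if normalize(domain) == normalize(t) or edit_distance(domain, t) <= 1:
            return ("lookalike", t)
    # A trusted address shown in the display name, but actually sent from elsewhere.
    for t in trusted:
        if re.search(r"@" + re.escape(t) + r"\b", display.lower()):
            return ("spoofed_display", t)
    return ("external", None)
```

Anything other than "internal" is a cue to verify the request by phone at a known number before acting on it.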
If you're hit by a BEC scam, act quickly
- Gather the details – transaction dates, amounts, and account information, when and how you believe you were defrauded, etc.
- Keep all original documentation such as emails and logs
- Contact Treasury Management Client Services at (616) 494-1455 or firstname.lastname@example.org as soon as you uncover the attack – timing is critical for an attempt to recoup funds
- File a report with the IC3 at www.IC3.gov or contact your local FBI office
- Complete an internal review to determine how the attack occurred and whether changes are needed – increased security on your email system, more employee training, additional internal controls, etc.