Business email compromise

Avoid being on the receiving end of a BEC attack

Business email compromise (BEC) attacks are on the rise, and they are costing businesses billions. Cybercriminals have become so good at them that experts estimate BEC attacks increased 65% between 2019 and 2021, costing businesses more than $43 billion. 

 

What exactly is a BEC attack?

 

A BEC attack is a highly sophisticated form of phishing in which scammers send fake but legitimate-looking emails to trick an employee into complying with an “official” request for money or sensitive information. In practice, the email looks authentic: it appears to come from a company official or vendor and makes an apparently legitimate request for money to be wired or deposited into a checking account controlled by the scammer. 

 

Scams include: 

  • False invoices appearing to come from a vendor requesting payment, 
  • Money requests from an authority figure within the company, 
  • Information requests from a legal representative, or 
  • Inquiries about employees through human resources. 

 

Scammers target lower-level employees who are more likely to comply with requests from authority figures.

 

How to prevent BEC attacks

 

The best defense against BEC attacks is awareness and training. Employees should be well-educated on protocols for verifying email requests for money or information and how to spot fake emails. Here are several additional steps a business can take to prevent BEC attacks:

 

  • Verify the sender’s email. Look for slight variations in an email address from a legitimate sender, such as changing the company address from [email protected] to [email protected] xyz_company. 

 

  • Don’t hit “reply”. Establish a protocol of using “forward” instead of “reply” to respond to emails. Forwarding requires employees to manually type in the intended email address. 

 

  • Verify requests. Another standard protocol should be to confirm face-to-face, or by phone, any email requests for wire transfer or confidential information. Never use the phone number in an email to confirm. Instead, look up the number from the business that the email purportedly came from.
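The sender check and the "don't hit reply" rule above can also be applied automatically to incoming mail. The following is an added example, not part of the original article: it flags a From domain that is a near miss of a known partner domain, and a Reply-To domain that differs from the From domain (a reply goes to whatever address the message headers supply). The trusted-domain list, the `.example` domains and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains the business really deals with (constructed values).
TRUSTED_DOMAINS = {"acme-supplies.example", "ourcompany.example"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value) -> str:
    """Lower-cased domain of an address header, or '' if missing/unparsable."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def check_message(raw: str) -> list[str]:
    """Return warnings for one raw message (headers plus body)."""
    msg = message_from_string(raw)
    warnings = []
    sender = domain_of(msg.get("From"))
    reply_to = domain_of(msg.get("Reply-To"))
    if not sender:
        warnings.append("no parsable From address")
    elif sender not in TRUSTED_DOMAINS:
        # One or two changed characters suggests an imitation of a real partner.
        near = [d for d in sorted(TRUSTED_DOMAINS) if edit_distance(sender, d) <= 2]
        if near:
            warnings.append(f"lookalike domain: {sender} resembles {near[0]}")
        else:
            warnings.append(f"unknown sender domain: {sender}")
    if reply_to and reply_to != sender:
        warnings.append(f"Reply-To domain {reply_to} differs from From domain {sender}")
    return warnings

# Constructed sample messages.
SPOOFED = ("From: Accounts <billing@acme_supplies.example>\n"
           "Reply-To: billing@acme-billing.example\n"
           "Subject: Updated wire instructions\n\nPlease pay today.\n")
GENUINE = "From: Accounts <billing@acme-supplies.example>\nSubject: Invoice\n\nAttached.\n"

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(name, check_message(raw))
```

A warning from a check like this is a prompt to confirm the request by phone or in person, not a replacement for that step.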

 

If your business has been targeted with a BEC attack, contact your financial institution and information technology staff. File a complaint at www.IC3.gov.
