How to Avoid Business Email Compromise Scams

Business email compromise (BEC), also known as email account compromise, is one of the most financially damaging online crimes, exploiting people’s reliance on email to conduct business.

In a BEC scam, criminals send an email message that appears to come from a known source making a legitimate request:

  • A vendor your company regularly deals with sends an invoice with an updated mailing address.
  • A company CEO asks her assistant to purchase dozens of gift cards to send out as employee rewards. She asks for the serial numbers so she can email them right away.


How Criminals Conduct BEC Scams

A scammer might try one of the following:

  • Spoof an email account or website. Slight variations on legitimate addresses (john.kelly@examplecompany.com vs. john.kelley@examplecompany.com) fool victims into thinking fake accounts are authentic.
  • Send spear-phishing emails. These messages look like they’re from a trusted sender to trick victims into revealing confidential information. That information lets criminals access company accounts, calendars and data that give them the details they need to carry out the BEC schemes.
  • Use malware. Malicious software can infiltrate company networks and gain access to legitimate email threads about billing and invoices. That information is used to time requests or send messages so accountants or financial officers don’t question payment requests. Malware also lets criminals gain undetected access to a victim’s data, including passwords and financial account information.

How to Report

If you or your company fall victim to a BEC scam, it’s important to act quickly:

  • Contact your financial institution immediately and request that it contact the financial institution where the transfer was sent.
  • Next, contact your local FBI field office to report the crime.
  • Also file a complaint with the FBI’s Internet Crime Complaint Center (IC3).

How to Protect Yourself

  • Don’t click on anything in an unsolicited email or text message asking you to update or verify account information. Look up the company’s phone number on your own (don’t use the one a potential scammer is providing) and call the company to ask if the request is legitimate.
  • Carefully examine the email address, URL and spelling used in any correspondence. Scammers hope that people won’t notice the slight differences.
  • Be careful what you download. Never open an email attachment from someone you don’t know and be wary of email attachments forwarded to you.
  • Set up two-factor (or multifactor) authentication on any account that allows it and never disable it.
  • Verify payment and purchase requests in person if possible or by calling the person to make sure they’re legitimate. You should verify any change in account number or payment procedures with the person making the request.
  • Be especially wary if the requestor is pressing you to act quickly.

Source: FBI. For more help, visit the FBI’s web page on business email compromise.

