Business Email Compromise (BEC) scams are known to be some of the most financially damaging cybercrimes out there.
Here’s what to look for and how to protect yourself and your organization:
WHAT IS A BEC?
In a BEC scam, criminals send an email message that appears to come from a known source making a legitimate request, according to the FBI.
Some examples include:
- A vendor your company regularly deals with sends an invoice with an updated mailing address or new bank account information.
- A company CEO asks an assistant to purchase dozens of gift cards to send out as employee rewards and then asks for the serial numbers so they can email them out right away.
- A homebuyer receives a message from a title company with instructions on how to wire their down payment.
HOW CRIMINALS CARRY OUT BEC SCAMS
There are several ways a scammer may go about a BEC.
For example, they may spoof an email account of website. Slight variations on legitimate addresses can fool victims into thinking fake accounts are authentic.
Another method is sending spear phishing emails. These messages look like they’re from a trusted sender to trick victims into revealing confidential information, allowing criminals access into company accounts, calendars, and data.
Malicious software can also be used to infiltrate company networks and gain access to email threads about billing and invoices. Malware also lets criminals gain undetected access to a victim’s data, including passwords and financial account information.
HOW TO PROTECT YOURSELF
Be careful with the type of information you share online or on social media and make sure you use strong privacy settings for all social accounts. Personal details – such as children’s or pets’ names, schools you attended, links to family members, and your birthday – can give a scammer all the information they need to guess your password or answer your security questions.
Other ways to protect yourself include:
- Do not click on anything in an unsolicited email or text message asking you to update or verify account information. Look up the company’s phone number on your own – using either an invoice you have from them or an online search – and call the company directly to verify the request is legitimate.
- Carefully examine the email address, URL, and spelling used in any correspondence. Misspellings or typos are a red flag.
- Be careful what you download. Never open an email attachment from someone you don’t know.
- Set up two-factor (or multi-factor) authentication on any account that allows for it.
- Verify payment and purchase requests in person, if possible. You should authenticate any change in account number or payment procedures directly with the person making the request using a trusted means of contact.