How to detect a business email compromise scam

What is BEC?

BEC is a type of phishing attack in which fraudsters use impersonation in order to gain access to funds. This type of scam is not new but has evolved over time, taking advantage of our increased online presence to conduct business.  

How does it work? 

Fraudsters will impersonate vendors, company colleagues or senior management and try to convince you to send money or confidential information to them. They will try to trick you by using different techniques — such as look-alike email addresses that can be difficult to detect — or sending emails from employee email accounts after gaining access to your information technology platform. Ultimately, fraudsters want you to think that the email you receive came from a reliable and recognizable source.  

Business email compromise can take on many forms. Here are the most popular ones:

• Chief executive officer (CEO) fraud: Fraudsters represent themselves as the CEO of a company in emails sent to employees who are responsible for remitting payments on behalf of the company. These requests are usually marked urgent and confidential.
• Vendor or supplier fraud: The victim receives an email from someone claiming to be an employee of an existing supplier. The supposed employee alleges that the supplier’s banking information has changed and provides an invoice that requires an immediate payment.  
• Employee impersonation: An employee’s email account is infiltrated, and the fraudster impersonates the employee and sends an email to a colleague requesting a payment.

What tactics do the fraudsters use to initiate these BEC payments?

Fraudsters will impersonate company personnel or vendors when sending emails requesting a payment. These emails can seem authentic as the fraudsters have been monitoring email traffic to gain insight into email signatures, addresses and writing formats, along with the details of prior vendor payment requests. 

Fraudsters have been known to send these emails when they have information that indicates management will be away from work; thus, the email recipient will have difficulty validating a payment request. In today’s work-from-home environment, fraudsters can be more successful as validating these requests can be more difficult with a remote workforce.

Common BEC characteristics

• Payment bank information including  bank name, routing number, and account number that differs from prior payment requests.
• The email is marked as rush, urgent or sensitive.
• The fraudster’s email address will closely mirror the email address associated with the individual they are impersonating. For example, the fraudster’s email address contains a lower case “l” where a number “1” is located in the email address of the impersonated party.
• Email narrative contains instructions to call a telephone number that differs from legitimate telephone numbers associated with the impersonated company or individual.

What are some leading practices to limit BEC fraud exposure?

• Follow a process to validate all payment requests, as well as any changes to those requests. This process should include contacting trusted telephone numbers to verify the payment. 
• Ensure email addresses and URLs associated with the request are accurate.
• Be suspicious of any requests demanding urgency.
• Consider how information posted on open internet sources could be leveraged to commit a fraud scheme which can include  vendor or supplier relationships, or management spending time away from the office.
• Conduct fraud and information security awareness training at least annually.
• Ensure information technology malware and virus protections are current.
• Employees should immediately report suspected or confirmed fraud.

What should you do if your organization suspects or confirms BEC fraud?

• Time is of the essence when attempting to recover funds. Immediately contact your financial institution and consider filing a complaint with the Federal Bureau of Investigation (FBI) Internet Crime Complaint Center (IC3). Depending on the circumstances, the FBI can attempt to recover funds after a complaint is filed with IC3.
• Escalate within your organization and contact the party that was impersonated either it was a vendor or colleague.