Business email compromise (BEC) is one of the most “financially damaging” online crimes, according to the FBI. With a BEC scam, the criminal sends what looks like a legitimate email asking you to provide sensitive personal information, wire money or buy gift cards.
“The scams are initiated through specifically developed ‘phish kits’ designed to mimic cloud-based email services in order to compromise business email accounts and request or misdirect transfers of funds,” according to the FBI.
Cloud-based email services are hosted subscription services that allow users to conduct business with online file storage, email, shared calendars and instant messaging. BEC scams have been reported in every U.S. state and 177 countries, according to the FBI.
Why is this scam so damaging?
BEC is a sophisticated scam that targets businesses that make electronic payments, including wire or automated clearing house (ACH) transfers. “The scam is frequently carried out when a subject compromises legitimate business email accounts through social engineering or computer intrusion techniques resulting in an unauthorized transfer of funds,” says the FBI.
You might think you’re too savvy to be tricked by a BEC scammer, but you could still end up an unwitting victim if you don’t know the red flags of this common scam.
Types of BEC scams
Criminals target BEC victims in a variety of ways, including through virtual meeting platforms, where audio and video conferences, screen sharing and webinars are used for communication between management and employees.
Examples of ways criminals use virtual meeting platforms to conduct a BEC scam include:
- Compromising a CEO’s, CFO’s or financial director’s email and asking employees to attend a virtual meeting. When you sign on, you see only a still photo of the purported initiator of the meeting. Scammers might even use “deepfake” audio manipulated with artificial intelligence (AI) techniques to impersonate the manager’s voice. The imposter convener then instructs attending employees to transfer funds via the virtual meeting platform or chat, or continues the instructions in a follow-up email.
- Compromising a company’s email by posing as the CEO (or another management figure) and asking employees to transfer money because the CEO is tied up in a meeting and unable to personally transfer funds.
- Compromising employee emails to invade workplace virtual meeting platforms to gain confidential information about the company.
Another common BEC tactic is “phishing” emails designed to steal email passwords and other account credentials. Once criminals compromise the email account, they look for financial transactions and then impersonate vendors or customers and instruct you to redirect future payments to fraudulent bank accounts.
How to protect yourself from BEC scams
To avoid becoming a BEC scammer’s next victim, the FBI recommends businesses and employees take proactive steps, including:
- Enable multi-factor authentication where the user must provide two or more pieces of evidence — PIN or password, company badge, fingerprints or voice recognition, for example — to verify their identity in order to gain access.
- Verify all payments and transactions in person or through a known telephone number.
- Make sure employees know about BEC scams, how to identify phishing emails and what to do if they suspect an email compromise.
- Prohibit automatic email forwarding to external addresses.
- Log and retain changes to mailbox logins and settings for at least 90 days.
- Prohibit “legacy” email protocols such as IMAP, SMTP or POP3, which are easier targets for compromising sign-in attempts, according to Microsoft.
- Prevent spoofing and validate email with Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC).
- Keep an eye out for hyperlinks whose domain name is a misspelling of the real one.
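The last two items above are the ones a mail filter can check automatically, so here is an added Python example (not code from the article or the FBI) that reads the receiving server's Authentication-Results header for the SPF, DKIM and DMARC verdicts and flags sender and link domains that imitate the organisation's own. One caveat it demonstrates: SPF, DKIM and DMARC only prove that a message really came from the domain it names, so a lookalike domain the attacker registered passes all three, which is why the misspelling check is still needed. It assumes the organisation's domain is example.com and that the inbound mail server stamps an Authentication-Results header; the sample message, its headers and the domains in it are all constructed.

```python
import email, re
from email import policy
# Constructed sample (not a real message): our domain is example.com; the mail
# claims to be the CFO, and every check passes for the attacker's lookalike.
SAMPLE = """\
From: "CFO" <cfo@examp1e.com>
To: payroll@example.com
Subject: Urgent wire - in a meeting, cannot take calls
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dkim=pass header.d=examp1e.com; dmarc=none header.from=examp1e.com
Content-Type: text/plain

Send the wire today via https://portal.example-secure.com/pay
and confirm at http://examp1e.com/confirm
"""
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")

def edit_distance(a, b):
    """Plain Levenshtein distance: one substitution turns examp1e into example."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain, trusted):
    """True when `domain` imitates `trusted` without being it or one of its subdomains."""
    domain, trusted = domain.lower(), trusted.lower()
    if domain == trusted or domain.endswith("." + trusted):
        return False
    brand = trusted.split(".")[0]  # "example" embedded in "example-secure.com"
    return edit_distance(domain, trusted) <= 1 or brand in domain

def auth_results(msg):
    """Verdicts the receiving server recorded in Authentication-Results."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", "")))

def bec_findings(raw, trusted):
    """Flag non-passing SPF/DKIM/DMARC verdicts and lookalike sender/link domains."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    sender = msg["From"].addresses[0].domain
    if is_lookalike(sender, trusted):
        findings.append(f"sender domain {sender} imitates {trusted}")
    findings += [f"{m}={v}" for m, v in auth_results(msg).items() if v != "pass"]
    findings += [f"link to lookalike host {h}" for h in URL_RE.findall(msg.get_content())
                 if is_lookalike(h, trusted)]
    return findings

REPORT = bec_findings(SAMPLE, "example.com")  # four findings for the sample above
```

Homoglyph swaps such as "rn" for "m" are more than one edit away and would need a separate substitution table; this block only covers single-character typos and an embedded brand name.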
What to do if you’re a BEC victim
If you’re a victim of BEC fraud, contact the bank involved right away and ask it to recall transferred funds. Then file a complaint with the FBI Internet Crime Complaint Center (IC3) or report the BEC fraud to your local FBI field office.