
Business Email Compromise & Wire Fraud – A $43B Scam

Business email compromise (BEC) is one of the most financially devastating online schemes, and it has exploded in frequency over the past decade. BEC exploits the simple fact that so many of us use email daily.

BEC schemes begin when cybercriminals gain access to an employee’s legitimate business email account through social engineering or computer intrusion. Alternatively, the fraudster may imitate a legitimate email account with an unrelated account created specifically for nefarious purposes. The bad actor then sends an email, which appears to come from a legitimate source, to a specific target (typically a high-ranking employee who frequently receives payment requests). Some examples include:

  • A supplier your company regularly works with provides invoices with updated wiring instructions.
  • A CEO asks her assistant to purchase a large sum of gift cards to provide to employees as rewards. She requests the serial numbers be provided immediately.
  • A prospective homebuyer receives a message from his mortgage company with instructions on where to wire down payment funds.

According to the FBI, between June 2016 and December 2021, this scheme was replicated over 240,000 times for a total exposure amount of $43B. Sadly, in many cases once the scheme is discovered days or weeks later, the chances of recovery may be slim to none.

The following tips can help businesses and employees avoid business email compromise schemes:

  • Educate your employees. A strong security program paired with employee education about the warning signs, safe practices, and responses to a suspected takeover is essential to protecting your company and customers.
  • Do not trust emails with payment instructions. Verify payment and purchase requests in person if possible, or by calling the sender at a known legitimate phone number, to ensure the request is valid. Verify any change in account number or payment procedures directly with the person making the request.
  • Set up multi-factor authentication on any account that allows it, and never disable this feature.
  • Protect your online environment. It is important to protect your cyber environment just as you would your cash, sensitive documents, and physical location. Do not use unprotected internet connections. Encrypt sensitive data and keep updated virus protections on your computer. Use complex passwords and change them regularly.
  • Be wary of sudden changes in business practices or contacts. If an employee, customer or vendor suddenly asks to be contacted via their personal e-mail address, verify the request through known, official and previously used correspondence as the request could be fraudulent.
  • Be wary of requests marked “urgent” or “confidential.” Fraudsters will often instill a sense of urgency, fear, or secrecy to compel the employee to facilitate the request without consulting others.
  • Implement robust internal approval procedures for vetting account change requests to prevent potential financial losses.
  • Partner with your bank to prevent unauthorized transactions. Talk to your banker about programs that mitigate fraud such as call-backs, device authentication, and multi-person approval processes.
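
The warning signs in the tips above can also be checked automatically when mail is triaged. The following is an added example, not CNB's own tooling; the trusted-domain list, keyword patterns, similarity threshold and sample message are constructed assumptions.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Assumed, illustrative list: domains your organisation already does business with.
TRUSTED_DOMAINS = {"example-supplier.com", "example-corp.com"}
PRESSURE = re.compile(r"\b(urgent|confidential|immediately)\b", re.I)
PAYMENT = re.compile(r"\b(wir(e|ing) instructions|account number|gift cards?)\b", re.I)

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()

def lookalike_of(domain, trusted=TRUSTED_DOMAINS, threshold=0.85):
    """Return the trusted domain that `domain` closely imitates, if any."""
    for good in trusted:
        if domain != good and SequenceMatcher(None, domain, good).ratio() >= threshold:
            return good
    return None

def bec_warning_signs(raw_message):
    """List the warning signs from the tips above that one message shows."""
    msg = message_from_string(raw_message)
    sender, reply_to = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    body = "" if msg.is_multipart() else msg.get_payload()
    text = f"{msg['Subject'] or ''}\n{body}"
    signs = []
    if sender not in TRUSTED_DOMAINS:
        imitated = lookalike_of(sender)
        signs.append(f"lookalike of {imitated}" if imitated else "unknown sender domain")
    if reply_to and reply_to != sender:
        signs.append("reply-to differs from sender")
    if PRESSURE.search(text):
        signs.append("urgency or secrecy language")
    if PAYMENT.search(text):
        signs.append("payment or account change request")
    return signs

# Constructed sample: the sender domain uses the digit '1' in place of 'l'.
SAMPLE = """\
From: Accounts <billing@examp1e-supplier.com>
Reply-To: accounts.payable@freemail.example
Subject: URGENT: updated wiring instructions

Please use the new account number on the attached invoice today.
"""

if __name__ == "__main__":
    for sign in bec_warning_signs(SAMPLE):
        print("WARNING:", sign)
```

A flagged message is a prompt to verify the request by phone at a known number, as the tips describe. A clean result does not prove a message is genuine, because mail sent from a compromised legitimate account passes the domain checks.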

CNB offers a variety of banking solutions to help mitigate fraud threats and greatly reduce your chances of becoming the latest victim in an already challenging world. Be sure to follow us on social media to stay up to date on emerging trends and threats.

Visit CNBank.com/Security for current fraud articles and resources.