Business Email Compromise

September 21, 2018

Business Email Compromise, or BEC, is a highly sophisticated scam targeting businesses that regularly perform wire transfer payments. The fraudsters use various social engineering methods or computer intrusion techniques to gain access to a legitimate business email account, where they pose as a high-ranking official in the organization, such as the CEO or CFO.

These social engineer fraudsters have a playbook. They identify the target by gathering as much information about their potential victim as possible, such as full names and email addresses (usually found on social media). They then develop some type of pretext scenario to trick their victim. From there, they engage with the target to gain their trust, most often through phishing emails, and then steal information or finances from the victim.

It is important to note that not all BEC scams are associated with the transfer of funds. There have been some cases where the fraudster requests personally identifiable information or wage and tax statements for employees. BEC scams have been linked to other forms of fraud such as romance, lottery, employment, and rental scams. According to the FBI, the victims of these scams are usually U.S. based and may be recruited illegally to transfer money on behalf of others. Canandaigua National Corporation would like to draw your attention to some BEC red flags to look out for.

Business Email Compromise - Red Flags 

Here is an example of a BEC attempt that Canandaigua National Bank and Trust (CNB) received:

[Image: BEC scam email, annotated with the numbered red flags below]
  1. In this example, the social engineer tried to disguise themselves as the CEO of CNB. Always validate any type of wire request by speaking to the requestor over the phone. This removes the fraudster's layer of anonymity.
  2. Whenever someone is trying to create a sense of urgency, you should stop, look, and think! Is this really your customer, coworker, or in this case the CEO? These fraudsters create a sense of urgency or an emotional attachment to get you to act quickly instead of thinking it through. Don’t be fooled!
  3. Not shown here, but the social engineer called the person by their formal name. The recipient does not go by their formal name, which was a red flag that tipped them off.
  4. Again, the fraudster is attempting to create a sense of urgency for the recipient. If there truly was a need to complete a wire transfer, there would be more information within this email.

For more security tips, visit our Security Center.