Mitigate the risks of business email compromise

Risk management

BEC scams are on the rise—here’s how to protect your business.

In an ever-evolving landscape, financial institutions must constantly work to improve their protection against fraudulent activity. In fact, losses related to email account compromise (EAC) or business email compromise (BEC) from 2016 to 2019 have totaled $26 billion (Disclosure 1). EAC and BEC schemes occur when a fraudster gains access to a company account in an attempt to defraud a company or employee. And BEC remains on the rise: the average wire attempt netted more than $80,000 during the second quarter of 2020, up from $54,000 in the first quarter (Disclosure 2).

However, the power to prevent most of the attacks is already at your fingertips. That’s why it’s important to know the dangers of today’s fraudulent activity as well as preventative measures you can take to make sure these attempts are stopped at the door. Consider these best practices to help protect your business from fraud.

Fraud prevention starts with the employee.

Business leaders can’t wait for fraud to happen—they need to be proactive. Implementing steps like raising your security profile and educating employees on fraud awareness can make it easier to safeguard your business.

One popular method of attempting fraud is spoofing, which occurs when an imposter hides the origin of a fraudulent email by mimicking a sender’s email address. For instance:

  1. Company ABC pays vendor XYZ $1,000 a month.
  2. These funds are typically deposited into account #123.
  3. A fraudster impersonates vendor XYZ and spoofs an email to accounts payable at ABC, asking to redirect payments from account #123 to #678 (the imposter’s account).

Tip: This fraudulent email might appear as XXYZ or ZYX, a slight variation of the legitimate email address. If the recipient is not looking closely enough, this could slip through the cracks unnoticed.

Spoofing fraudsters may also use times of crisis as an opportunity to target victims and steal personal information. Without proper tools and training, many employees believe a fake email is legitimate and may be inclined to comply with a vendor’s request. Instead, the employee should be encouraged to take the extra step to validate any unusual requests.

80% of financial leaders believe that educating employees on the threat of BEC is an important effort to fight against this type of fraud (Disclosure 3).

Although it can be difficult to spot spoofing, many instances can be avoided if individuals are paying close attention. For example, higher-risk events—like changing the account number of a payee—may need an additional step to make sure the request is legitimate. Before redirecting the payment or replying, forward that email first to your vendor’s contact or pick up the phone and verify the information.

Tip: If you discover you’ve made a fraudulent payment, contact your bank immediately—the bank will issue a recall attempt for the payment. Time is of the essence.

Threat actors use many ways besides spoofing to reach an employee. While fraudsters try all kinds of things, some methods are more popular than others. One common sign of a scam is the use of salutations (such as “Hello dear”) that wouldn’t be found in a legitimate business email (Disclosure 4).

Good email hygiene goes a long way.

Most importantly, trust your judgment. If you receive something that seems off, consider contacting the person making the request to confirm. By taking this action, you can help protect your business from fraud.

Dual control—that is, requiring a second administrator to review and approve requests or payments before action can be taken—is also an effective anti-fraud measure to have in place.

Other best practices for security include:

  • Setting up spam filters
  • Protecting passwords
  • Not sharing sensitive information
  • Limiting information shared on social media or a company website about employees and their roles

Fraudsters are looking for all of the information they can find, so remember to put safeguards in place. That way, it may be harder for cyberattackers to successfully steal important information.

49% of employees reuse the same password with only minor changes when updating their company password (Disclosure 5).

While IT departments may lead the charge in implementing company-wide security protocols, much more can be done at every level. Establishing security practices will help your company keep its financial, personal, and business information safe.