Mitigate the risks of business email compromise

Risk management

BEC scams are on the rise—here’s how to protect your business.

In an ever-evolving landscape, financial institutions must constantly work to improve their protection against fraudulent activity. In fact, losses related to email account compromise (EAC) or business email compromise (BEC) from 2016 to 2019 have totaled $26 billion.Disclosure 1 EAC and BEC schemes occur when a fraudster gains access to a company account in an attempt to defraud a company or employee. And BEC remains on the rise: the average wire attempt netted more than $80,000 during the second quarter of 2020, up from $54,000 in the first quarter.Disclosure 2

However, the power to prevent most of the attacks is already at your fingertips. That’s why it’s important to know the dangers of today’s fraudulent activity as well as preventative measures you can take to make sure these attempts are stopped at the door. Consider these best practices to help protect your business from fraud.

Fraud prevention starts with the employee.

Business leaders can’t wait for fraud to happen—they need to be proactive. Implementing steps like raising your security profile and educating employees on fraud awareness can make it easier to safeguard your business.

One popular method of attempting fraud is spoofing, which occurs when an imposter hides the origin of a fraudulent email by mimicking a sender’s email address. For instance:

  1. Company ABC pays vendor XYZ $1,000 a month.
  2. These funds are typically deposited into account #123.
  3. A fraudster impersonates vendor XYZ and spoofs an email to accounts payable at ABC, asking to redirect payments from account #123 to #678 (the imposter’s account).

Tip: This fraudulent email might appear as XXYZ or ZYX, a slight variation of the legitimate email address. If the recipient is not looking closely enough, this could slip through the cracks unnoticed.

Spoofing fraudsters may also use times of crisis as an opportunity to target victims and steal personal information. Without proper tools and training, many employees believe a fake email is legitimate and may be inclined to comply with a vendor’s request. Instead, the employee should be encouraged to take the extra step to validate any unusual requests.

80% of financial leaders believe that educating employees on the threat of BEC is an important effort to fight against this type of fraud.Disclosure 3

Although it can be difficult to spot spoofing, many instances can be avoided if individuals are paying close attention. For example, higher-risk events—like changing the account number of a payee—may need an additional step to make sure the request is legitimate. Before redirecting the payment or replying, forward that email first to your vendor’s contact or pick up the phone and verify the information.

Tip: If you discover you’ve made a fraudulent payment, contact your bank immediately—the bank will issue a recall attempt for the payment. Time is of the essence.

Threat actors use many ways besides spoofing to reach an employee. While fraudsters try all kinds of things, some methods are more popular than others. One common sign of a scam is the use of salutations (such as “Hello dear”) that wouldn’t be found in a legitimate business email.Disclosure 4

Good email hygiene goes a long way.

Most importantly, trust your judgment. If you receive something that seems off, consider contacting the person making the request to confirm. By taking this action, you can help protect your business from fraud.

Dual control—that is, requiring a second administrator to review and approve requests or payments before action can be taken—is also an effective anti-fraud measure to have in place.

Other best practices for security include:

  • Setting up spam filters
  • Protecting passwords
  • Not sharing sensitive information
  • Limiting information shared on social media or a company website about employees and their roles

Fraudsters are looking for all of the information they can find, so remember to put safeguards in place. That way, it may be harder for cyberattackers to successfully steal important information.

49% of employees reuse the same password with only minor changes when updating their company password.Disclosure 5

While IT departments may lead the charge in implementing company-wide security protocols, much more can be done at every level. Establishing security practices will help your company keep its financial, personal, and business information safe.

Strengthen your defenses against fraud

Learn more about how you can be better prepared to keep attacks from hitting your business.

Related resources

    {0}

    {0}

    {2}
    {6}
    {7}
    {8}
    {9}
    {12}
    {10}
    {11}

    {3}

    {1}
    {2}
    {6}
    {8}
    {9}
    {10}
    {11}
    {14}
    {12}
    {13}
    {1}
    {2}
    {7}
    {8}
    {9}
    {10}
    {11}
    {14}
    {12}
    {13}
    Component ID : "accordionGridLayout-1624256768"
    Model : "disclaimer"
    Position : "left"

    Disclosure “Business Email Compromise The $26 Billion Scam,” Sep. 10, 2019, Federal Bureau of Investigation

    Disclosure 2“Phishing Activity Trends Report: 2nd Quarter 2020,” Aug. 27, 2020, Anti-Phishing Working Group

    Disclosure 3“2020 AFP® Payments Fraud and Control Survey Report,” 2020, Association for Financial Professionals

    Disclosure 4“Phishing email examples to help you identify phishing scams,” Jan. 10, 2020, NortonLifeLock

    Disclosure 5“Password Usage Study: A Conversation with Yan Grinshtein,” Dec. 10, 2019, HYPR

    Disclosures

    Truist Bank, Member FDIC. © 2024 Truist Financial Corporation. Truist, the Truist logo and Truist Purple are service marks of Truist Financial Corporation.

    Equal Housing Lender

    Investment and Insurance Products:

    • Are Not FDIC or any other Government Agency Insured
    • Are Not Bank Guaranteed
    • May Lose Value

    Services provided by the following affiliates of Truist Financial Corporation (Truist): Banking products and services, including loans and deposit accounts, are provided by Truist Bank, Member FDIC. Trust and investment management services are provided by Truist Bank, and Truist Delaware Trust Company. Securities, brokerage accounts and /or insurance (including annuities) are offered by Truist Investment Services, Inc., which is a SEC registered broker-dealer, member FINRA, SIPC, and a licensed insurance agency. Investment advisory services are offered by Truist Advisory Services, Inc., GFO Advisory Services, LLC, and Sterling Capital Management, LLC, each SEC registered investment advisers. Sterling Capital Funds are advised by Sterling Capital Management, LLC.

    Mortgage products and services are offered through Truist Bank. All Truist mortgage professionals are registered on the Nationwide Mortgage Licensing System & Registry (NMLS), which promotes uniformity and transparency throughout the residential real estate industry. Search the NMLS Registry.

    Comments regarding tax implications are informational only. Truist and its representatives do not provide tax or legal advice. You should consult your individual tax or legal professional before taking any action that may have tax or legal consequences.

    "Truist Advisors" may be officers and/or associated persons of the following affiliates of Truist, Truist Investment Services, Inc., and/or Truist Advisory Services, Inc. Truist Wealth, International Wealth, Center for Family Legacy, Business Owner Specialty Group, Sports and Entertainment Group, and Legal and Medical Specialty Groups are trade names used by Truist Bank, Truist Investment Services, Inc., and Truist Advisory Services, Inc.

    Truist Securities is a trademark of Truist Financial Corporation. Truist Securities is a trade name for the corporate and investment banking services of Truist Financial Corporation and its subsidiaries. All rights reserved. Securities and strategic advisory services are provided by Truist Securities, Inc., member FINRA and SIPC. Lending, financial risk management, and treasury management and payment services are offered by Truist Bank. Deposit products are offered by Truist Bank.

    Applications, agreements, disclosures, and other servicing communications provided by Truist Bank and its subsidiary businesses will be provided in English. As a result, it will be necessary for customers to speak, read and understand English or to have an appropriate translator assisting them. Truist offers the following resources for consumers that have Limited English Proficiency:

    • Multilingual teammates available at our Multicultural Banking Centers
    • Materials for some products and services are available in Spanish, Korean, Vietnamese, Mandarin, and other languages spoken in the communities we serve.
    • Phone assistance in Spanish at 844-4TRUIST (844-487-8478), option 9. For assistance in other languages please speak to a representative directly.

    New York City residents:

    Translation or other language access services may be available. When calling our office regarding collection activity, if you speak a language other than English and need verbal translation services, be sure to inform the representative. A description and translation of commonly-used debt collection terms is available in multiple languages at http://www.nyc.gov/dca.

    • Limited English Proficiency Support
    • New York City residents

    Borrowers with Limited English Proficiency (LEP) needing information can use the following resources:

    Site footer

    Footer Navigation

    Banking products
    About Truist
    Resources
    Support

    © 2024, Truist. All Rights Reserved.