Business Email Compromise is a sophisticated scam targeting businesses and organizations utilizing wire transfer payments as a core function. These scams are often executed by bad actors, foreign and domestic, who monitor email accounts of business executives or employees to imitate their activities. The bad actors then impersonate those email accounts by initiating fraudulent emails that appear to be from those executives and employees, requesting wire transfers in an attempt to steal money.
The fraudulent wire transfer payments are sent to foreign and domestic banks and may then be transferred several times so that the monies are quickly dispersed and the bad actors avoid getting caught.
The change of a single character or number in any of the key elements of an email, such as logos, domain addresses, phone numbers, and names, to name a few, could potentially be missed at a glance. For this reason, staying vigilant is particularly important when opening and responding to emails.
These nine tips can help protect you and your business from becoming victims:
- Establish a company website domain and use it to establish company email accounts in lieu of free, web-based accounts.
- Be careful what you and your employees post to social media and company websites, especially job duties/descriptions, personally identifiable information (e.g., email address, phone number), and hierarchical information.
- Be suspicious of requests for secrecy or pressure to act quickly.
- Implement two-factor authentication for your email servers, as well as remote access devices.
- Establish other communication channels, such as telephone calls, to verify significant transactions. You may consider having additional protocols in place for the larger transactions to ensure only authorized personnel can commit to the disbursement of funds.
- The entities on both sides of the transaction should use digital signatures whenever possible. If you have any suspicions before signing, call the company directly from the established phone numbers on file.
- Immediately delete unsolicited email (spam) from unknown parties. Do NOT open spam email or click on links in the email. If your company has established IT/Cybersecurity reporting options, use them to report suspicious email.
- Avoid responding to a bad actor via email: ask employees to create a new email and type in the name and address on file instead of using the “reply” option.
- Beware of sudden changes in business practices. For example, if a current business contact suddenly asks to be contacted via a personal email address when previous official correspondence has been on a company email, the request could be fraudulent. Follow your procedures and call the company directly from the established phone numbers on file. Always verify via other channels that you are still communicating with your legitimate business partner.
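The single-character domain change and the "reply" risk described above can both be checked from a message's headers. The following is an added example, not part of the original advisory; the domains on file, the sample messages, and the two-edit threshold are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains of business partners already on file (constructed values).
KNOWN_DOMAINS = {"supplier.example", "bank.example"}

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    """Lower-cased domain of an address header, or '' if the header is absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def review_headers(raw_message, known=KNOWN_DOMAINS):
    """Return reasons to verify the sender through another channel."""
    msg = message_from_string(raw_message)
    sender, reply_to = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    findings = []
    if sender not in known:
        # A domain within two edits of one on file is easy to miss at a glance.
        near = sorted(d for d in known if edit_distance(sender, d) <= 2)
        if near:
            findings.append(f"lookalike sender domain: {sender} vs {near[0]}")
        else:
            findings.append(f"sender domain not on file: {sender}")
    if reply_to and reply_to != sender:
        findings.append(f"replies go to a different domain: {reply_to}")
    return findings

# Constructed sample messages: a genuine partner, a lookalike, a personal account.
GENUINE = "From: Pat Lee <pat.lee@supplier.example>\nSubject: Invoice\n\nAttached.\n"
LOOKALIKE = ("From: Pat Lee <pat.lee@supp1ier.example>\n"
             "Reply-To: pat.lee@webmail.test\n"
             "Subject: Updated wire instructions\n\nPlease process today.\n")
PERSONAL = "From: Pat Lee <pat.lee@freemail.test>\nSubject: New contact\n\nUse this.\n"

if __name__ == "__main__":
    for name, raw in [("genuine", GENUINE), ("lookalike", LOOKALIKE), ("personal", PERSONAL)]:
        print(name, review_headers(raw))
```

A finding is a prompt to call the contact on the phone number on file, not proof of fraud.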
For more information about protecting your organization against cybersecurity threats, contact your relationship manager.