Protecting against business email compromise

To help reduce the risk of business email compromise attacks, consider these tips on identifying and avoiding common email scams targeting businesses today.

Business email compromise is a sophisticated scam targeting businesses and organizations that use wire transfer payments as a core function. These scams are often executed by bad actors, foreign and domestic, who monitor the email accounts of business executives or employees in order to imitate their activities. The bad actors then impersonate those accounts by sending fraudulent emails that appear to come from those executives and employees and that request wire transfers, in an attempt to steal money.

The fraudulent wire transfer payments are sent to foreign and domestic banks, and the funds may be transferred several times so that the monies are quickly dispersed and the bad actors avoid getting caught.

A change of a single character or number in any key element of an email, such as a logo, domain address, phone number, or name, to name a few, could potentially be missed at a glance. For this reason, staying vigilant is particularly important when opening and responding to emails.

These nine tips can help protect you and your business from becoming victims:

  1. Establish a company website domain and use it to establish company email accounts in lieu of free, web-based accounts.
  2. Be careful what you and your employees post to social media and company websites, especially job duties/descriptions, personally identifiable information (e.g., email address, phone number, etc.), and hierarchical information.
  3. Be suspicious of requests for secrecy or pressure to act quickly.
  4. Implement two-factor authentication for your email servers, as well as remote access devices.
  5. Establish other communication channels, such as telephone calls, to verify significant transactions. You may consider having additional protocols in place for the larger transactions to ensure only authorized personnel can commit to the disbursement of funds.
  6. The entities on both sides of the transaction should use digital signatures whenever possible. If you have any suspicions before signing, call the company directly from the established phone numbers on file.
  7. Immediately delete unsolicited email (spam) from unknown parties. Do NOT open spam email or click on links in the email. Use your company’s established IT/Cybersecurity reporting options, if available, to report suspicious email.
  8. Avoid replying directly to a bad actor: ask employees to create a new email and type in the name and address on file instead of using the “reply” option.
  9. Beware of sudden changes in business practices. For example, if a current business contact suddenly asks to be contacted via a personal email address when previous official correspondence has been on a company email, the request could be fraudulent. Follow your procedures and call the company directly from the established phone numbers on file. Always verify via other channels that you are still communicating with your legitimate business partner.
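
As an added illustration (not part of the original article), the one-character domain change described above and the warnings in tips 8 and 9 can be checked automatically on incoming mail. The partner domains, the free-mail list and the sample message are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed allow-list: domains of partners already on file (assumption).
KNOWN_DOMAINS = {"acme-supplies.example", "northwind.example"}
# Small illustrative set of free web-based mail providers (assumption).
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com"}

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()

def bec_flags(raw_message):
    """Return a list of reasons to verify this message by phone first."""
    msg = message_from_string(raw_message)
    sender = domain_of(msg["From"])
    reply = domain_of(msg["Reply-To"])
    flags = []
    if sender not in KNOWN_DOMAINS:
        # A near-match to a domain on file is the "changed character" case.
        for known in sorted(KNOWN_DOMAINS):
            if 0 < edit_distance(sender, known) <= 2:
                flags.append(f"lookalike-domain:{sender}~{known}")
    if sender in FREE_MAIL:
        flags.append(f"free-webmail-sender:{sender}")
    # Using "reply" would send the answer here instead of to the address on file.
    if reply and reply != sender:
        flags.append(f"reply-to-differs:{reply}")
    return flags

# Constructed sample: one swapped character in the domain, replies diverted.
SAMPLE = (
    "From: Pat Lee <pat.lee@acme-supp1ies.example>\n"
    "Reply-To: pat.lee.office@gmail.com\n"
    "Subject: Urgent wire today, keep confidential\n"
    "\n"
    "Please send the payment to the new account.\n"
)
```

Any flag returned is a prompt to call the contact on the phone number on file before acting, not proof of fraud on its own.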

For more information about protecting your organization against cybersecurity threats, contact your relationship manager.

The information provided in this document is intended solely for general informational purposes and is provided with the understanding that neither Huntington, its affiliates nor any other party is engaging in rendering tax, financial, legal, technical or other professional advice or services or endorsing any third-party product or service. Any use of this information should be done only in consultation with a qualified and licensed professional who can take into account all relevant factors and desired outcomes in the context of the facts surrounding your particular circumstances. The information in this document was developed with reasonable care and attention. However, it is possible that some of the information is incomplete, incorrect, or inapplicable to particular circumstances or conditions. NEITHER HUNTINGTON NOR ITS AFFILIATES SHALL BE LIABLE FOR ANY DAMAGES, LOSSES, COSTS OR EXPENSES (DIRECT, CONSEQUENTIAL, SPECIAL, INDIRECT OR OTHERWISE) RESULTING FROM USING, RELYING ON OR ACTING UPON INFORMATION IN THIS DOCUMENT OR THIRD-PARTY RESOURCES IDENTIFIED IN THIS DOCUMENT EVEN IF HUNTINGTON AND/OR ITS AFFILIATES HAVE BEEN ADVISED OF OR FORESEEN THE POSSIBILITY OF SUCH DAMAGES, LOSSES, COSTS OR EXPENSES.

Third-party product, service and business names are trademarks/service marks of their respective owners.