Responding to Business Email Compromise
Previous

Business email compromise is on the rise. Find out how to protect your business.

The reliance on email in the business world today creates a troubling access point for criminals. Say someone in your finance or HR department gets an email from one of the business’ executives asking them to purchase a number of gift cards for employees. The note also asks for the serial numbers so the executive can give them out right away.

Laid bare from the outside, it may seem like an obvious ploy — but in the countless streams of emails bouncing around our inboxes today, it only takes one slip-up for your company to be a victim of an email fraud called business email compromise (BEC).

The BEC Basics

For those targeted, business email compromise can be incredibly damaging. According to the FBI’s Internet Crime Report, the Internet Crime Complaint Center (IC3) received over 23,000 BEC claims in 2019, with losses totaling more than $1.7 billion. Those BEC losses accounted for nearly half of the total fraud losses reported in 2019.

In many cases, the only resources required to perpetrate a BEC scam is information and an email account. In the gift card example, the scammer only needed to know the executive’s name and the email address of an employee with access to business accounts.

Reporting a BEC Scam

If you or your business is a victim of business email compromise or another type of email scam, there are a number of steps you should take. To start, document everything you can related to the fraud — emails, receipts, etc. — and keep it on hand to complete scam reports.

From there, contact your financial institution. If the BEC scam ended with a fraudulent wire transfer, request that your financial institution contact the bank or institution that received the transfer and request a recall or reversal. Then, contact your local police department if you lost money or other possessions from the scam and report the scam to your state’s consumer protection office.

You can also report scams to several federal agencies to help them track patterns in scams. The Federal Trade Commission (FTC) has a complaint assistant that accepts reports on multiple common scams. If you believe the BEC scam came from outside of the U.S., you can report international scams to econsumer.gov.

Further, you can report online scams, including BEC, to the IC3. The IC3 has established the Recovery Asset Team (RAT) to work with law enforcement and financial institutions to help fraud victims potentially recover funds. Even if you report the event promptly, there is no guarantee that the funds are recoverable.

Remember, if sensitive personal information is compromised by BEC fraud, you may want to prepare to report identity theft.

Protecting Your Business From BEC

It doesn’t seem likely that the business world will move away from email communication anytime soon, so it’s important for your team to have strong process and training in place to protect your business from fraud. For instance, place dual controls on financial transfers, and verify all payments or purchases — if not in-person, then at least voice-to-voice over a call.

Advise your team not to click anything in unsolicited emails or texts, particularly if they ask the recipient to follow a link to verify account or order information. Commonly, scammers will try to mimic the email address of a legitimate member of the business or another organization, so carefully examine the address the email is coming from.

If the message is claiming to come from the government or another business, don’t use any contact information from the message, and look up the organization separately. If the sender claims to be from a government agency, you can check the agency against this index of government organizations.

BEC scams are built on information, and information on social media sites like the name of a pet or the schools someone attended may be enough for a scammer to impersonate an individual over email or even breach their security questions or passwords. Ultimately, be careful what information about you, your business, and your employees is available online — and make sure your team is aware of potential red flags.

Find more ways to protect your business against another type of scam, payment fraud by visiting Regions.com/fraudprevention.

Next