Business email compromise resurgence

The US Secret Services warns commercial businesses about a resurgence of business email compromise (BEC) exploits. In a BEC scam, criminals send an email message that appears to come from a known source making a legitimate request.

Examples of BEC scams include:

  • A vendor your company regularly deals with sends an invoice with an updated mailing address.
  • A company CEO asks their assistant to purchase dozens of gift cards to send out as employee rewards. The CEO then asks for the serial numbers so he/she may email them out right away.
  • A homebuyer receives a message from their title company with instructions on how to wire a down payment.

In a BEC scam, a scammer might impersonate an email account or website; send spearphishing emails or use malware. It’s important to be careful with what information you share online or on social media. By openly sharing items like pet names, schools you attended, links to family members and your birthday, you can give a scammer all the information they may need to guess your password or to answer your security questions.

When protecting yourself, business and clientele, it’s important to remember the following:

  • Don’t click on anything in an unsolicited email or text message that asks you to update or verify account information. Instead, look up the company’s phone number on your own (don’t use the one a potential scammer is providing), and call the company to ask if the request is legitimate.
  • Carefully examine the email address, URL and spelling used in any correspondence. Scammers use slight differences to trick your eye and gain your trust.
  • Be careful of what you download. Never open an email attachment from someone you do not know, and be wary of email attachments forwarded to you.
  • Set up two-factor or multi-factor authentication on any account that allows it and never disable it.
  • Verify payment and purchase requests in person if possible or by calling the peron to ensure that it’s legitimate. You should verify any change in an account number or payment procedure with the person making the request.
  • Always be wary if the requestor is pressing you to act quickly.

By following these tips and tricks, you should be able to negate scammers and continue to provide protection for yourself, customers and institutions.