Business Email Compromise (BEC)
A sophisticated scam targeting people and businesses everywhere
What is it?
Business Email Compromise (BEC) is a sophisticated scam using email and/or other electronic communication to impersonate a business executive, employee, or other person with authority to request payments or access to employee payroll and W2 information on behalf of a business.
How does it work?
A BEC scam may begin when a legitimate user downloads malicious software (malware) by clicking on a malicious attachment or link in a spam or phishing email; or acts upon a spoofed email payment request crafted to look like it came from a company executive. An example of such a spoofed email address from ceo@abc_company.com might appear as ceo@abc-company.com. In cases where malware or malicious links are used, the malware can provide criminals with full control of the user’s computer, including access to passwords, documents, and email. Alternatively, criminals can obtain a user’s email login information if it was stolen previously and sold online. In either case, the criminal’s goal is to assume the identity of the legitimate user and request new payments, change the banking information of pending payments, or request copies of employee records for some alleged payroll purpose. Prior to executing the BEC scam, more sophisticated cyber criminals may even monitor business communications for extended periods of time in order to understand operating procedures and the communication style of the individuals they want to impersonate. While email is most common, sophisticated BEC criminals have also used a fax or phone call to confirm or follow up on an email request to send money.
Who is being targeted?
The BEC threat is highly adaptable and constantly evolving, but criminals have been particularly active in targeting companies of all sizes and individuals that may transfer high-dollar funds or sensitive records in the course of business. As such, the following industries are popular with criminals utilizing BEC scams:
- Third Party Payroll
- Real Estate (Buyers, Sellers, REALTORS®, Title Companies)
- Legal Services
- Import/Export
- Education, Government, and Healthcare Sectors
What are the warning signs?
- An email request to change established wire transfer, payment procedures, or bank deposit instructions
- A request that the payment be expedited
- A requestor who indicates he/she will be out of the office and/or will not be readily available for re-contact
- A requestor that is seeking sensitive employee payroll or W2 information by email
What can you do?
- Require a secondary, independent verification of any payment requests or changes to existing beneficiary accounts.
- Use complicated passwords or long phrases for company and personal email accounts, change passwords regularly, and do not use the same password for multiple accounts.
- Avoid doing formal business on free web-based email accounts; establish a company domain name and limit formal communications to company email accounts.
- Additionally, your email software may have a “recent activity” option that allows you to see the most recent locations from which your email account has been accessed. These locations reflect either your physical location or that of your ISP. If you see other locations listed, this may be a red flag that an unauthorized party is accessing your email.
- Have your IT department create intrusion detection system filters that flag emails from domains that are similar to the company's email domain. For example, a detection system for legitimate email from ceo@abc_company.com would flag email from the lookalike address ceo@abc-company.com.
- Educate employees and IT staff on the latest trends by attending training and conferences, and through other online resources. A company which outsources their payroll and IT should ask those providers to outline the steps they take to protect the integrity of company data and networks.
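The following is an added example of the lookalike-domain filter described above; it is not part of the FBI/IC3 flyer. It assumes the company's legitimate domain is abc_company.com (the flyer's own example), that a mail filter hands each inbound message's From: header to classify_sender(), and it uses a constructed executive list and constructed sample headers. Beyond the underscore/hyphen swap in the flyer, it also folds digit-for-letter substitutions and catches an executive's display name on a non-company address.

```python
"""Lookalike-sender and display-name checks for inbound mail (BEC defence).

Added example, not part of the FBI/IC3 flyer. Assumes the company's
legitimate domain is abc_company.com and that a mail filter calls
classify_sender() with each message's From: header. EXECUTIVES and the
sample headers below are constructed for illustration.
"""
from email.utils import parseaddr

COMPANY_DOMAIN = "abc_company.com"          # assumed legitimate domain
EXECUTIVES = {"jane doe", "john smith"}      # assumed names worth protecting

# Substitutions criminals use when building lookalike domains. Folding both
# domains through this table makes "abc-c0mpany.com" compare equal to the
# real one. Multi-character confusables are listed first.
_FOLD = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"),
         ("5", "s"), ("-", ""), ("_", ""), (".", "")]


def fold(label: str) -> str:
    """Canonical form of a domain (or label) for lookalike comparison."""
    s = label.lower()
    for src, dst in _FOLD:
        s = s.replace(src, dst)
    return s


def org_part(domain: str) -> str:
    """Everything before the top-level label: 'abc-company.co' -> 'abc-company'."""
    labels = domain.lower().split(".")
    return ".".join(labels[:-1]) if len(labels) > 1 else labels[0]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(header_from: str) -> str:
    """Classify a From: header value.

    Returns 'legitimate' (exact company domain), 'lookalike' (folds to, or is
    within edit distance 2 of, the company's organisation label),
    'display_name_spoof' (an executive's name on a non-company address),
    'external' (anything else) or 'malformed' (no usable address).
    """
    name, addr = parseaddr(header_from)
    if "@" not in addr:
        return "malformed"
    domain = addr.rsplit("@", 1)[1].lower()
    if domain == COMPANY_DOMAIN:
        return "legitimate"
    ours, theirs = fold(org_part(COMPANY_DOMAIN)), fold(org_part(domain))
    if theirs == ours or edit_distance(theirs, ours) <= 2:
        return "lookalike"
    if any(exec_name in name.lower() for exec_name in EXECUTIVES):
        return "display_name_spoof"
    return "external"


def scan(headers):
    """Run the classifier over a batch of From: headers; returns (header, verdict) pairs."""
    return [(h, classify_sender(h)) for h in headers]


# Constructed sample From: headers for a stand-alone run.
SAMPLE_HEADERS = [
    "ceo@abc_company.com",                          # legitimate
    "ceo@abc-company.com",                          # hyphen for underscore
    "cfo@abc_c0mpany.com",                          # zero for the letter o
    "ceo@abc_company.co",                           # truncated top-level label
    '"Jane Doe" <jane.doe.ceo@freemail.example>',   # executive name, free webmail
    "invoices@supplier-example.com",                # ordinary external sender
]

if __name__ == "__main__":
    for header, verdict in scan(SAMPLE_HEADERS):
        print(f"{verdict:20s} {header}")
```

The edit-distance threshold of 2 on the folded organisation label is a tunable: short company names will need a lower threshold or an explicit allow-list of partner domains to keep false positives down, and a flagged message should be quarantined for review rather than silently dropped, since legitimate partners occasionally have similar names.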
What to do if you are a victim
- Immediately contact your bank and initiate a recall.
- Contact your local FBI office.
- File a detailed complaint at http://www.IC3.gov and review additional resources under the “Press Room” link.
- Change email passwords and check your email account for any changes to your mailbox rules, such as Mail Forward, Delete, CC, or BCC.
- Change all e-banking and/or other pertinent passwords, pins, and security questions and answers.
For more information, please visit: http://www.ic3.gov/media.
Materials Courtesy of the Department of Justice and the Federal Bureau of Investigation