Cyber financial fraud is rising, costing companies billions annually. Business email compromise (BEC) scams are cybercrimes committed via hacked or fraudulent email accounts. Fraudsters target companies or individuals to steal money or critical information via ACH or wire transfer. Common BEC schemes include the following.
- Change in instructions: Fraudsters pose as legitimate payees and request payment be sent to a new bank account.
- Employee payroll: Fraudsters pose as existing employees and send “updated” payroll instructions.
- CEO/executive: Fraudsters pose as the CEO or executive, then email employees to make a purchase or send money via wire transfer. They often ask employees to purchase gift cards and provide the card numbers.
- New customer/client: Fraudsters pose as new customers, then pay the business using a fraudulent check or stolen funds. Once the business receives payment, the fraudster requests the business forward funds to another payee or return the funds due to a payment issue.
BEC is an intimidating challenge for business owners. Fortunately, there are some red flags you can spot to detect attempted BEC – and best practices you can use to prevent it. If you spot these red flags, contact the requestor via phone to verbally verify.
- Sense of urgency: The email pressures you to act quickly without thinking it through. You might receive multiple emails in a short amount of time.
- Email changes: The sender's email address is slightly different from the legitimate address.
- Unable to reach: The requestor is in meetings, traveling, or otherwise unavailable except via email.
- Changes in habits: The requestor's wording or grammar differs from how the sender typically writes.
- Secrecy: The requestor insists that the matter remain private or that standard processing procedures are avoided.
- Out of pattern: The emails request information or payments differently from the “norm.”
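The following Python is an added example, not part of the original article or any Horizon tooling: it checks one raw email for three of the red flags above (email changes, sense of urgency, secrecy). The contact list, phrase lists, sample message and the edit-distance threshold of 2 are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed list of addresses the business has already verified by phone.
KNOWN_CONTACTS = {"ap@northwind-supply.example", "ceo@ourcompany.example"}

# Constructed phrase lists for the urgency and secrecy red flags.
URGENCY = re.compile(r"\b(urgent|immediately|right away|asap|today)\b", re.I)
SECRECY = re.compile(
    r"\b(confidential|keep this (private|between us)|do not (tell|discuss))\b", re.I)

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(sender, known=KNOWN_CONTACTS, max_dist=2):
    """Return the known address that `sender` nearly matches, or None."""
    sender = sender.lower()
    if sender in known:
        return None  # exact match with a verified contact is not a lookalike
    for addr in sorted(known):
        if edit_distance(sender, addr) <= max_dist:
            return addr
    return None

def red_flags(raw_message):
    """Return the red-flag labels found in one raw email."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1]
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    flags = []
    imitated = lookalike_of(sender)
    if imitated:
        flags.append(f"email change: {sender} resembles {imitated}")
    if URGENCY.search(text):
        flags.append("sense of urgency")
    if SECRECY.search(text):
        flags.append("secrecy")
    return flags

# Constructed sample: the sender's domain drops one "p" from the vendor's.
SAMPLE = ("From: Accounts Payable <ap@northwind-suply.example>\n"
          "Subject: Updated bank details - urgent\n\n"
          "Please send today's payment to our new account and keep this between us.\n")
```

A non-empty result is a prompt to verify the request by phone at a known number, not proof of fraud.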
Prevent Business Email Compromise with These Best Practices
- Use a known contact: Always verify instructions at a known phone number with a known contact. Use a documented process to verbally verify any new or changed instructions. Never rely on contact details provided within an email.
- Implement multi-factor authentication (MFA): Use it wherever it is available.
- Set up dual control: Establish a process for one person to enter instructions and another to verify payments before processing.
- Educate the team: Teach employees, vendors, and customers about BEC's risks and red flags.
- Use dynamic, varying credentials: Change login information often.
- Stop, think, and slow down: Fraudsters rely on a sense of urgency and pressure associated with processing financial transactions. Slow down and be sure of what’s being submitted.
- Enroll in fraud protection: Take advantage of fraud protection programs through Horizon.
What to Do if You Experience Business Email Compromise
If you suspect or experience BEC, follow these steps:
- Contact the bank to initiate the reversal and/or recovery process or report attempted BEC. Note: Neither reversal nor recovery is guaranteed.
- Change online account login credentials.
- Contact a trusted IT company to scan systems and computers for malware and to clean all network devices.
- Contact law enforcement and/or your insurance company to report the potential loss.
- File a complaint with the Internet Crime Complaint Center.
- Work with Horizon to determine any other potential BEC incidents and safeguard accordingly.
You and your team can detect and prevent BEC with these tips. Contact your local branch with any questions or concerns, or call us at 888-873-2640.