What To Know About Business Email Compromise


As you can imagine, businesses that prioritize ongoing employee education about Business Email Compromise (BEC) are more likely to recognize a BEC scam in progress and halt it before losing money or inappropriately distributing employee or customer personal information (PI). That’s why it’s important to emphasize best practices and implement ongoing training. Protecting your business is a moving target – as new fraud schemes arise, you will need to adjust and add to your protections.

12 Tips To Protect Your Business Email

  • Avoiding free, web-based email accounts such as yahoo.com or gmail.com. Purchase a company domain URL and use it to establish company email accounts.
  • Monitoring content on corporate social media accounts, particularly job duties/descriptions, hierarchal information and out-of-office details.
  • Raising suspicions about requests for secrecy or pressure to take action quickly.
  • Flagging any requests from vendors, payroll processors, suppliers, or customers involving payments that suddenly change instructions, such as asking to route email through a personal email address or payments to a different bank account. Always verify changes outside of the email channel to make sure you are still communicating with your legitimate business partner.
  • Considering additional IT and financial security procedures, including two-step verification. For example:
    • Out-of-band communication: Establish other communication channels, such as telephone calls, to verify significant transactions. Arrange this authentication early outside the email environment to avoid interception by a hacker.
    • Encryption: Entities on both sides of a transaction should utilize encryption which provides a layer of validation and security to messages sent through otherwise non-secure channels such as email systems.
    • Delete spam: Immediately delete unsolicited email. Do not open it, click on it, click on links, or open attachments. These often contain malware that can do harm to your computer system or steal information.
    • Forward vs. reply: Do not use the “Reply” option to respond to business emails. Use the “Forward” option and type in the email address or select it from the email address book to remove the risk of replying to a look-alike email address.
    • Consider implementing two-factor authentication for corporate email accounts, which requires two pieces of information to log in, such as a password and a dynamic PIN or code.
  • Enacting rules that flag emails with extensions similar to company email. For example, legitimate email of xyz_company.com would flag fraudulent email of xyz-company.com.
  • Registering all company domains that are slight variations on your actual company domain so criminals can’t purchase them to commit fraud.
  • Verifying changes in vendor payment by adding two-factor authentication, such as a secondary sign-off outside email from specially designated personnel.
  • Confirming requests for fund transfers. When using phone verification as part of the two-factor authentication, use previously known numbers, not numbers written in a potentially fraudulent email.
  • Paying attention to your customers’ routines, including the details and amount of payments.
  • Scrutinizing all emailed fund transfers to determine if they’re at all out of the ordinary.
  • First Business Bank will never initiate a request for personal information from you (i.e. social security number, personal login ID, password, PIN, or account number) through an unsolicited email message or phone call. Learn more about how we protect your information in our Security Center.

What To Do If You Are A Victim

If you determine your business is the latest victim of a BEC scam, act quickly.

  • Contact your financial institution immediately. As a First Business client, please contact your account representative.
  • Contact your local FBI office if the wire is recent. The FBI, working with the United States Department of Treasury Financial Crimes Enforcement Network, might be able to help return or freeze the funds.
  • File a complaint, regardless of monetary loss, at IC3.gov. Be prepared to offer the following information:
  • IP and/or email address of fraudulent email
  • Date and time of incidents
  • Incorrectly formatted invoices or letterheads
  • Requests for secrecy or immediate action
  • Unusual timing, requests, or wording of the fraudulent phone calls or emails
  • Phone numbers of the fraudulent phone calls
  • Description of any phone contact to include frequency and timing of calls
  • Foreign accents of the callers
  • Poorly worded or grammatically incorrect emails
  • Reports of any previous email phishing activity

When you contact law enforcement or file a complaint, label your incident as “BEC,” provide a brief description, and consider providing the following financial information:

  • Originating Name
  • Originating Location
  • Originating Bank Name
  • Originating Bank Account Number
  • Recipient Name
  • Recipient Bank Name
  • Recipient Bank Account Number
  • Recipient Bank Location (if available)
  • Intermediary Bank Name (if available)
  • SWIFT Number
  • Date
  • Amount of Transaction