How to Avoid Business Email Compromise (BEC) Scams

Two online scams are targeting both individuals and companies in a crime that’s duping innocent victims out of billions of dollars.

These two internet crimes have become so prevalent that law enforcement agencies have given them a name:

  • Business Email Compromise – BEC
  • Email Account Compromise – EAC

Ultimately, these computer intrusion crimes are designed by scammers to conduct the unauthorized transfers of funds. In the end, these fraudsters dupe unsuspecting victims into wiring money as part of a huge criminal enterprise.

The bottom line is that anyone can be a potential victim of these crimes, which are achieved by compromising legitimate email accounts through spoofed email accounts.

While there has been an increase in the number of computer intrusions linked to these scams, raised awareness has helped potential victims detect the scam before sending money to fraudsters.

This article explores the inner workings of the BEC and EAC scam and ways to avoid becoming a victim.

We’ve compiled expert advice from the FBI, FraudWatch International and law enforcement agencies to arm you with information. We also include steps to take if you believe you’ve become a victim of the BEC or EAC scam.

Let’s begin by exploring the BEC scam and how it targets unsuspecting companies and business owners. Then, we’ll discuss the EAC scam, which is very similar to the BEC scam; the only difference between the two is that the EAC scam targets individuals rather than businesses.

With both scams, it all starts with a simple email.

BEC Scams: What They Cost Victims and Who They Target

Law enforcement agencies are warning the public about a dramatic rise in BEC scams, which have resulted in more than $3.1 billion in actual and attempted losses across the globe in the past few years alone.

With the BEC scam, fraudsters usually target a worker who manages money in the finance department and might even target a company attorney, senior staff member or trusted vendor associated with the business.

Typical recipients of the BEC scam include:

  • Accountants
  • Bookkeepers
  • Controllers
  • Real Estate Agents
  • Title Companies
  • Chief Financial Officers
  • Attorneys in the middle of real estate actions

BEC Scams: How They Work

Victims of the BEC scam are not limited to a specific type of business. In fact, criminals are going after both medium and large corporations, small businesses and even nonprofit organizations.

The BEC scam is carried out by cyber criminals that do their research first to find a victim.

These criminals typically go after one common characteristic: the victim’s business works with foreign suppliers or regularly uses wire transfer payments, according to FraudWatch International.

Once these scammers pick a business they want to rip off, they conduct internet research to find the exact names of the Chief Financial Officer or Chief Executive Officer of the company.

These criminals then send a fraudulent email, intending to impersonate the company’s top leaders and try to trick their victim into initiating wire transfers.

“The criminals will usually pose as someone high up in the company such as the CFO or CEO, and it almost always happens when that person is out of town,” noted Special Agent Mark Roberts, who works on the cyber squad in the Salt Lake City Field Office of the FBI.

These scammers rely on the “fear of the boss” mentality because employees most likely won’t ignore a direct order from the person they think is the most important individual with the company.

“Employees usually feel obligated to comply with anything their CEO requests, and that is what cyber-criminals put their money on,” FraudWatch International warned.

A scammer also depends on a sense of urgency to successfully carry out this crime. In many cases, the email recipient is made to believe the matter is urgent. And if this person can’t reach a boss or supervisor for a second approval, this employee will most likely fall for the BEC scam.

“Victims may be pressured by the fraudster to act quickly or secretly in handling the transfer of funds,” agreed Detective Timothy Lohman, who solves forgery, fraud and financial crimes in Southern California. “This type of BEC scam may occur at the end of the business day or work week, or be timed to coincide with the close of business of international financial institutions.”

How the BEC Scam Spoofs Legitimate Email Addresses

The BEC scam is initially facilitated through a phishing scam. This is an attempt to acquire personal information through electronic means in which a victim receives an email from a seemingly legitimate source.

Cyber criminals will use several simple – yet highly effective – methods to avoid raising suspicion. The tricks scammers use are subtle, and can easily be overlooked if you’re not paying close attention.

For instance, these scammers will spoof accounts with slight variations in domains and make them appear very similar to authentic accounts. These criminals rely on duping the email recipient with subtle errors that could easily go unnoticed.

Here are two examples provided by the FBI:

  • abc@lawfirm.com versus abc@lawflrm.com
  • john.kelly@abccompany.com versus john.kelley@abccompany.com

This kind of spoofing is also known as typosquatting.

FraudWatch International warns that a typosquatter’s URL will typically fall under one of the following categories – all of which are similar to the website address of an unsuspecting victim. In the following scam examples, the legitimate website is “example.com.”

Here’s how scammer can tweak the URL to make it appear legit at first glance:

  • A misspelling of the intended site: “exemple.com”
  • Typographical errors: “examlpe.com”
  • A differently phrased domain name: “examples.com”
  • A misspelled domain: “example.org”

Now that you’re aware of what to look out for, let’s take a look at a Public Service Announcement created in the form of a video and associated transcripts published by the FBI.

FBI’s Public Service Announcement on Business Email Compromise

The FBI is working diligently to diminish the prevalence of the BEC scam. The following video transcript is based on a hypothetical situation in which an employee receives a spoofed email from a supposed client asking for an urgent money transfer.

This hypothetical scam situation could have easily been avoided with simple verification from the boss. The FBI warns that we must all develop the habit of verifying the authenticity of emailed requests to send money.

Now, let’s discuss eight ways to avoid being a victim of the BEC scam.

How to Avoid Business Email Compromise Scam: 8 Protection Tips  

In a press release published a few months ago by the FBI Boston Division about the dramatic rise in BEC scams, businesses reported using the following eight measures for added protection to avoid becoming a victim:

  1. Create intrusion detection system rules that flag emails with extensions that are similar to the company’s email. For example, the legitimate email of “abc_company.com” would flag the fraudulent e-mail of “abc-company.com”

  2. Create an email rule to flag email communications in which the reply to the email is different than the “from” email address shown.

  3. Color code emails so emails from employees or internal accounts are one color, and emails from non-employees or external accounts are another color.

  4. Verify changes in the vendor payment location by adding two-factor authentication, such as having secondary sign-off by company personnel.

  5. Confirm requests for transfers of funds.

  6. Add new vendors and changing vendor payment information by using phone verification as part of the two-factor authentication. When doing this, use previously known phone numbers, not the numbers provided in the email request.

  7. Forward emails using existing contacts in your address book rather than replying to emails.

  8. Scrutinize all email requests for transfer of funds to determine if the requests are out of the ordinary.

If You’re a Victim of the BEC Scam: 5 Steps to Take

If you’ve become the victim of the BEC scam – especially if funds are already transferred to a fraudulent account – it is important to act quickly, according to Detective Lohman. He advises taking the following five steps:

  1. Contact your financial institution immediately upon discovering the fraudulent transfer.
  2. Request that your financial institution contact the corresponding financial institution where the fraudulent transfer was sent.
  3. If the wire is recent, contact your local FBI office. The FBI, in conjunction with the United States Department of Treasury Financial Crimes Enforcement Network, might be able to help return or freeze the funds.
  4. Notify your local law enforcement agency.
  5. File a complaint, regardless of dollar loss, with the FBI’s Internet Crime Complaint Center at www.IC3.gov.

Filing a complaint to the IC3 involves several important factors. Below are the specifics of what you should include in your complaint.

How to File a Business Email Compromise Complaint

According to the FBI, funds only remain in the initial beneficiary account for a few days before these funds are withdrawn or transferred to another account. While this is not always the case, the FBI might be able to pursue a criminal prosecution.

Here’s what you should include while filing a complaint with the FBI’s Internet Crime Complaint Center at www.IC3.gov:

  • IP address and email address of fraudulent email
  • Summary of the incident (including date/time)
  • Victim name
  • Victim location (city, state)
  • Victim bank name
  • Victim account number
  • Beneficiary name
  • Beneficiary account number
  • Beneficiary bank location
  • Beneficiary bank name
  • SWIFT/IBAN number
  • Date of transaction
  • Amount of transaction

The FBI also suggests including as many details as possible when filing a complaint. Such details include copies of full email headers from the scammer, as well as copies of the criminal’s request for immediate action or even secrecy. Also, if you’ve received phone calls from the scammer and have records of that caller’s number, include those phone numbers in the complaint.

Now that we’ve looked at the inner workings of the BEC scam, let’s take a look at the EAC scam, which is very similar in its methods. Again, the only difference between the BEC and the EAC is that the latter targets individuals rather than businesses. 

Email Account Compromise Scams: What They Cost Victims and Who They Target

According to a Public Service Announcement published by the FBI, 21 complaints related to the EAC scam were filed with the Internet Crime Complaint Center, with reported losses of almost $700,000. These huge losses were reported within a short amount of time: from April 1 of 2015 through June 30 of 2015.

Overall, the FBI has identified an approximate $14 million in attempted losses that are associated with open EAC investigations.

The EAC scam is very sophisticated and typically targets the general public. In some cases, EAC criminals have targeted individuals through:

  • Employment scams
  • Romance scams
  • Personal loan scams
  • The EAC scam can also target individual professionals associated with:
  • Financial institutions
  • Real estate companies
  • Law firms
  • Lending institutions

According to the FBI, is not yet known why a specific victim is identified as a target. Nevertheless, it’s important to understand how the EAC scam works to avoid becoming a victim, which we cover in the next section.

EAC Scams: How They Work

Criminals involved with the Email Account Compromise scam use what is called “social engineering” or “computer intrusion techniques” in an effort to compromise the email accounts of victims.

First, the scammer gains access to a legitimate email address – but this is only for reconnaissance purposes.

Then, the scammer creates a spoofed email account that appears very similar to the legit account. The spoofed email is altered in subtle ways, typically by adding, deleting or changing only one character.

The goal of the scammer is to mimic the legitimate email in a way that is not readily apparent to the targeted victim. The criminal then uses the email address to initiate money wire transfers.

Funds from these transfers are typically directed to what is called a money mule, which is an individual used to transfer and launder stolen money. In many cases, these money mules receive a portion of the funds transferred as their payment.

But sometimes, these money mules are victims themselves. Such individuals may have fallen for this crime through employment scams, romance scams or personal loan scams.

With victims of the romance scam, for instance, an individual may “fall in love” with someone they meet online. The next thing they know, this person is asking them to wire money, with the promise to pay it back. But once the victim wires the money, they will never hear from the person they met online again.

In order to help diminish the EAC crime, the FBI published a Public Service Announcement with several example scenarios of this scam so the public knows what to look out for.

These scenarios provided by the FBI are listed in the next section, and broken up into three categories that target individual employees associated with financial/brokerage services, real estate companies and legal businesses.

Three Example Scenarios of the EAC Scam: How It Can Affect Individual Employees

1. Financial/Brokerage Services

  • An individual’s email is compromised by a scammer. This criminal, who is posing as the victim, sends an email to the victim’s financial institution or brokerage firm requesting a wire transfer to a person or account.
  • An accounting firm’s email is compromised and used to request a wire transfer from a client’s bank, supposedly on behalf of the client.

2. Real Estate

  • A seller’s or buyer’s email is compromised. The criminal intercepts transactions between the two parties and alters the instructions for the wire transfer of money.
  • A realtor’s email is used to contact an escrow company to redirect commission proceeds to a bank account.
  • A realtor receives a link within an email from an unknown person who is requesting information related to property. When the realtor clicks on the link, the criminal can access the realtor’s email. The intrusion exposes client information, which the scammer then uses to email the clients and attempt to change wire instructions for loan processing proceeds.

3. Legal

  • A criminal compromises an attorney’s email. This intrusion results in exposing client bank account numbers, email addresses, signatures and other confidential information related to pending legal transactions.
  • The attorney’s compromised email account is used to send overlaid wire instructions to a client.
  • A criminal compromises a client’s email, and uses it to request wire transfers from trust fund and escrow accounts managed by the firm.

While these scenarios are scary, there are ways to avoid becoming a victim. The following are six protection tips provided by the FBI that can help you avoid the EAC scam.

How to Avoid Email Account Compromise Scam: 6 Protection Tips

  1. Do not open emails or attachments from somebody you don’t know.
  2. Be cautious of clicking links within emails from people you don’t know.
  3. Be aware of small changes in email addresses that mimic legitimate email addresses.
  4. Question any changes to wire transfer instructions by contacting the involved parties directly through a known avenue.
  5. Have a dual step process in place for wire transfers. This can include verbal communication using a telephone number that is known by both parties.
  6. Be aware of your client’s typical wire transfer activity and question any variations.

If you happen to still fall victim to the EAC scam, the following four tips are recommended by the FBI.

Victims of the EAC Scam: 4 Steps to Follow

  1. Once you’ve discovered a fraudulent money transfer, immediately contact your financial institution.
  2. Contact your local law enforcement agency.
  3. Talk to your banker. Request the bank to connect with the financial institution where the fraudulent money transfer was sent.
  4. File a complaint with the FBI’s Internet Crime Complaint Center at www.IC3.gov. Be sure to provide all relevant information, and identify that your complaint is related to the EAC scam.

The Bottom Line on Email Compromise Scams

There are ways for businesses and individuals to avoid becoming a victim. These prevention tips include being aware of small changes in email addresses that mimic legitimate email addresses and scrutinizing email requests for transferring money.

Victims of these scams are encouraged to file a complaint with the FBI’s Internet Crime Complaint Center at www.IC3.gov.

Above all, it’s important to educate yourself about the BEC scam and EAC scam to avoid becoming a victim.

Was this article helpful? Read more stories we’ve written on the subject of scams:


Alicia Doyle

An award-winning journalist, Alicia Doyle has covered a range of topics, from crime to sports to special education. With an affinity for human interest stories, she has written thousands of articles about inspirational people, events and organizations that have a positive impact on the community and world at large.


Comments

comments powered by Disqus

Want to Learn Expert Tips for Online Safety?

Join over 3 million HighYa readers who receive weekly how-to guides, tips & reviews and get a FREE COPY of our Complete Online Safety e-book. Enter your email below to get started!