Business Email Compromise

Business Email Compromise (BEC), also known as Email Account Compromise (EAC), is one of the most financially damaging online crimes. It exploits the fact that many rely on email to conduct personal and professional business. The end goal of this compromise is to redirect legitimate funds such as payroll deposits, invoice payments, wire transfers, and other payment methods to thieves.

How Criminals Carry Out BEC Scams

• Spoof an email account or website. Slight variations on legitimate
  addresses (john.kelly@company.com vs. john.kelley@company.com) fool
  victims into thinking fake accounts are authentic.
• Send spear-phishing emails. These messages look like they are from a trusted sender and trick victims into revealing confidential information. Letting criminals access company accounts, calendars, and data needed to carry out the BEC schemes.
• Use malware. Malicious software can infiltrate company networks and gain access to legitimate email threads about billing and invoices. That information is used to time requests or send messages so accountants or financial officers don't question payment requests.

BEC Scam Examples

An invoice comes from a vendor you deal with regularly, but their mailing address is new. Your CEO emails you asking you to purchase dozens of gift cards and provide them with the serial numbers to send out as employee rewards. You receive an email from your title company with instructions on how to start wiring your down payment. Versions of these scenarios happened to real victims. In each case, criminals received anywhere from thousands to hundreds of thousands of dollars.

How to Report

If you or your company fall victim to a BEC scam, it’s important to act quickly!

• Contact your financial institution immediately and request that they contact the institution where the transfer was sent.
• Contact your local FBI field office to report the crime.
• File a complaint with the FBI's Internet Crime Complaint Center (IC3).

How to Protect Yourself

Be careful with what information you share online and on social media. Don’t click on anything in an unsolicited email or text message asking you to update or verify account information especially if the requestor is pressing you to act quickly. Carefully examine the email address, URL, and spelling used in any correspondence. Be careful what you download and be wary of email attachments forwarded to you. Verify payment and purchase requests in person or by calling the person to make sure it is legitimate. Set up two-factor (or multi-factor) authentication on any account that allows it, and never disable it.

Information from fbi.gov