One of the most financially damaging scams could be sitting right inside your inbox.
The FBI reported more than 21,000 complaints of Business Email Compromise (or BEC) in 2022, resulting in estimated losses of $2.7 billion to consumers.
How does a Business Email Compromise scam work? BEC scams often involve an email that appears to be coming from a trusted source making a legitimate request.
Consider this scenario – an email from your boss pops up in your inbox. Your boss is asking you to purchase 10 gift cards to give to employees as a reward. But the task is a high priority. Your boss asks you to purchase the cards right away and send her the serial numbers so she can email them to employees to begin using.
Or this scenario – you receive an email from a company you use regularly for work at your business. The email contains an invoice with a new mailing address for the company. The invoice is marked “overdue” and the company requests payment immediately to avoid an additional charge.
One more – the head of Human Resources at your organization sends you an email requesting you resubmit your direct deposit information before payday on Friday. HR claims the information was recently lost in a software update and if you don’t fill out your bank account information, you won’t be paid this week.
Check your gut. Something feels off in these scenarios, right? Why would your boss ask for gift cards? When did a vendor you know and use often change their address? And how does banking account information just go missing from your payroll provider? Most of all – why is each of these requests so urgent?
Versions of these scenarios happen all the time (more than 20,000 times a year!). So, how do scammers make them look legitimate?
- Scammers spoof a known email account or website. Scammers will create a slight variation of a legitimate email address to fool victims into trusting the account. For example: johnschmidt@yourcompany.com vs johnshmidt@yourcompany.com. The difference is small, but important.
- Scammers send spearphishing emails. Spearphishing messages appear to be from trusted sources and attempt to trick victims into revealing confidential information. This information may give the scammer access to personal or company accounts, or to data that gives them the details they need to carry out their fraudulent plans.
- Scammers use malware to gain undetected access to confidential information. Malicious software can be used to gain access to passwords, financial account information or company networks, where scammers can read legitimate email threads about billing or invoices. Scammers can then use the information they find to request payment from accountants or other financial officers.
Yikes!
So, what can you do about it? How can you keep yourself or your company from falling victim to a Business Email Compromise scam?
Let’s ask the experts. The FBI offers seven tips to protect against BEC.
- Be careful what information you share online or on social media. By openly sharing pet names, schools you attended, links to family members or even your birthday, you give scammers lots of information to guess your password or answer security questions.
- Don’t click on anything in an unsolicited email or text message asking you to update or verify account information. Look up the company’s phone number on your own and call the company to ask if the request is legitimate.
- Carefully examine the email address, URL and spelling used in any correspondence. Scammers use slight differences to trick your eye and gain trust.
- Be careful what you download. Never open an email attachment from someone you don’t know. Be wary of email attachments forwarded to you.
- Set up multi-factor authentication on any account that allows it.
- Verify payment and purchase requests in person if possible or by calling the person to make sure it is legitimate. You should verify any change in account number or payment procedures with the person making the request.
- Be especially careful if the requestor is pressing you to act quickly.
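
The lookalike-address trick described earlier (johnschmidt vs johnshmidt) and the tip to examine email addresses carefully can also be checked automatically on the receiving side. The following is an added example, not code from the FBI or the original article; the contact list, the two-edit threshold and the function names are assumptions made for illustration.

```python
from email.utils import parseaddr

# Constructed sample data: addresses this mailbox already trusts (assumption).
KNOWN_CONTACTS = {"johnschmidt@yourcompany.com", "billing@vendor.example"}
MAX_EDITS = 2  # assumed threshold: this many typos or fewer counts as a lookalike


def edit_distance(a, b):
    """Levenshtein distance: minimum insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # drop a character
                           cur[j - 1] + 1,              # add a character
                           prev[j - 1] + (ca != cb)))   # swap a character
        prev = cur
    return prev[-1]


def check_sender(from_header, known=KNOWN_CONTACTS, max_edits=MAX_EDITS):
    """Classify a From: header as 'known', 'lookalike' or 'unknown'.

    Returns (verdict, matched_contact). The display name is ignored on
    purpose: it is free text and proves nothing about the real address.
    """
    _, addr = parseaddr(from_header)
    addr = addr.strip().lower()
    contacts = sorted(k.strip().lower() for k in known)
    if addr in contacts:
        return ("known", addr)
    if not addr or not contacts:
        return ("unknown", None)
    closest = min(contacts, key=lambda k: edit_distance(addr, k))
    if edit_distance(addr, closest) <= max_edits:
        # Almost, but not exactly, a trusted address: hold for verification.
        return ("lookalike", closest)
    return ("unknown", None)


if __name__ == "__main__":
    for header in ("John Schmidt <johnshmidt@yourcompany.com>",
                   "JohnSchmidt@YourCompany.com",
                   "Accounts <billing@vend0r.example>",
                   "news@othersite.example"):
        print(header, "->", check_sender(header))
```

A "lookalike" verdict is a reason to verify the request by phone or in person, not proof of fraud; very short addresses can sit within two edits of each other by coincidence.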
For more information visit: Business Email Compromise — FBI