Business Email Compromise Scams Target Sophisticated Businesses


The FBI recently identified an uptick in Business Email Compromise (BEC) scams targeting legitimate businesses. These are sophisticated scams that use the name and correct email address of a current employee to “legitimize” the request. The criminal is able to gain access to a company network and steal money with the help of an unwitting accomplice, an employee who is fooled into submitting a wire request with the fraudster as the beneficiary. Often these scams will coincide with a request to transfer funds, make supplier payments or submit an internal wire request to a named senior executive at the company. From the perspective of the company’s financial institution, the transaction appears to be completely legitimate. Even confirmation calls or other authentication will reach the employee who did indeed submit the request.


Several variations of the BEC scam have been reported. Corporate CFOs, finance, accounting and accounts payable teams, as well as legal firms, should be wary. Any request for funds transfer (even internal ones) should be fully vetted, usually with a quick phone call to the named originator. If it is a request from an external party, reach out to that individual using a known trusted phone number and refrain from using any contact information (i.e. email or phone number) provided in the email itself. When handling an international wire transfer, you should use extra caution when vetting the request. Once executed, overseas wires are extremely difficult to recall.

We recommend the following to help protect you and your business from becoming victims of a BEC scam:

  • Avoid free web-based email services. Establish a company website domain and use it to conduct company business in lieu of a free, web-based account.
  • Be careful what is posted onto social media and company websites. You should be especially careful not to post specifics such as job duties/descriptions, hierarchical information and out-of-town travel details.
  • Be suspicious of requests for secrecy or pressure to take action quickly.
  • Add a two-step verification process to your standard operating procedures. Early on in a business relationship (primarily with international vendor partners) arrange for a two-step authentication process that everyone follows to avoid interception by a hacker.
  • Forward vs. Reply. Do not use the “Reply” option when responding to business emails (especially emails requesting a wire transfer). Instead, use the “Forward” option and either type in the correct email address or select it from the email address book to ensure the intended recipient’s correct email address is used, or pick up the phone and call the party requesting the wire from a previously known phone number to verify and confirm the request.
  • Delete unsolicited spam email. It is a best practice to immediately delete unsolicited (spam) email from unknown parties. These emails often contain malware that, when executed, will give criminals access to your computer system. With hyperlinks in particular, hover over a link to identify its origin. Take the time to verify that the original URL is the official site of the organization/company. Often cyber criminals will register domains that are similar to a legitimate one but contain a few different characters.
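As an added illustration of the last two points (this is example code written for this page, not Pinnacle’s own tooling), here is a small Python check that a mail-security team could run over incoming messages before they reach finance staff: it flags a Reply-To address whose domain differs from the visible From address, and sender or link domains that are lookalikes of a trusted domain (a few characters changed or visually swapped). The trusted domains, the homoglyph table and the sample messages are constructed assumptions, not data from the alert.

```python
"""Added example, not part of the Pinnacle alert: detect two BEC traits it
describes -- a Reply-To that silently redirects replies, and lookalike domains.
All domains and messages here are constructed samples."""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed: the company's own domain plus a known vendor (assumption).
TRUSTED_DOMAINS = ("example-corp.com", "acme-supplies.com")

# Constructed: character swaps that look alike in many fonts (assumption).
HOMOGLYPH_PAIRS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
                   ("3", "e"), ("5", "s"))


def normalize(domain: str) -> str:
    """Lower-case and fold visually confusable sequences to a canonical form."""
    d = domain.lower()
    if d.startswith("www."):
        d = d[4:]
    for src, dst in HOMOGLYPH_PAIRS:
        d = d.replace(src, dst)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance; counts the 'few different characters' the alert mentions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return the trusted domain this one imitates, or None if the domain is
    trusted itself or not close to any trusted domain."""
    d = domain.lower()
    if d in trusted:
        return None
    nd = normalize(d)
    for t in trusted:
        nt = normalize(t)
        if nd == nt or levenshtein(nd, nt) <= max_distance:
            return t
    return None


def domain_of_address(addr: str) -> str:
    """'CFO <cfo@x.com>' -> 'x.com'."""
    _, email_addr = parseaddr(addr)
    return email_addr.rsplit("@", 1)[-1].lower() if "@" in email_addr else ""


def link_domains(body: str) -> list:
    """Hostnames of every http(s) link in the body (what 'hover over' reveals)."""
    return [urlparse(u).hostname or ""
            for u in re.findall(r"https?://[^\s<>\"']+", body)]


def check_message(msg: dict) -> list:
    """msg has 'from', optional 'reply_to', and 'body'; returns findings."""
    findings = []
    from_domain = domain_of_address(msg["from"])
    domains = [from_domain]
    reply_to = msg.get("reply_to")
    if reply_to:
        reply_domain = domain_of_address(reply_to)
        domains.append(reply_domain)
        if reply_domain != from_domain:
            findings.append(f"reply-to domain {reply_domain} differs from "
                            f"from domain {from_domain}")
    domains += link_domains(msg.get("body", ""))
    for dom in dict.fromkeys(domains):  # de-duplicate, keep order
        hit = lookalike_of(dom)
        if hit:
            findings.append(f"{dom} looks like trusted domain {hit}")
    return findings


# Constructed sample messages (assumption): two BEC-style, one benign.
SAMPLE_MESSAGES = [
    {"from": "CFO <cfo@example-corp.com>",
     "reply_to": "CFO <cfo@examp1e-corp.com>",
     "body": "Please process the attached wire today and keep this confidential."},
    {"from": "Billing <ar@acrne-supplies.com>",
     "body": "Updated bank details: https://acrne-supplies.com/invoice/4471"},
    {"from": "Jane <jane@example-corp.com>",
     "body": "Minutes are at https://example-corp.com/intranet/minutes"},
]


def run_samples() -> dict:
    """Map sample index -> findings, so callers can assert on the result."""
    return {i: check_message(m) for i, m in enumerate(SAMPLE_MESSAGES)}


if __name__ == "__main__":
    for i, findings in run_samples().items():
        print(i, findings or "no findings")
```

The edit-distance threshold is deliberately small; against short trusted domains even a distance of 2 will produce false positives, so tune it per environment and treat a hit as a reason for the out-of-band phone call the alert recommends, not as proof of fraud.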

Opening malicious links or attachments remains the easiest way for someone to infect a workstation and internal network. For more on information security, visit Pinnacle’s Fraud and Security Center.
