Business Email Compromise: A Big Problem

Imagine you’re part of the finance team for your company, maybe the controller, CFO or senior accountant. You get an email from another executive, like your CEO, CTO or COO, asking you to wire money to a supplier or partner on short notice. You can’t call them right now because they’re traveling, and they said in the email they’d be unavailable. 

Everything seems on the up and up. They’re using the correct internal format, and they’ve attached the supplier’s invoice on official letterhead. You even have a good-looking signature on the initial request.

On paper, you have everything you need to process the request according to your internal policies. What should you do next?

A. Forward the wire request to your bank’s financial advisor and authorize the funds transfer.

B. Call the supplier using the number listed on the attached invoice to confirm the request.

C. Reply to the email to ask for additional confirmation of the request from the executive.

D. Call or text the executive on a personal cell number to confirm the request – regardless of availability – and ask specific questions about the supplier. Also ask her to show you any original communication she received that prompted the request.

E. Both C and D.

Answer: D only. Replying to the email (option C) only confirms the request with whoever controls that mailbox, which may be the scammer, and the phone number on the attached invoice (option B) may have been supplied by the scammer as well. Only a channel you already know to be legitimate counts as verification. This is a typical example of a scam called “business email compromise” (or BEC). Here’s how it works.

  1. Thieves compromise an email account, one from either your company or your supplier.
  2. They monitor it for days or even weeks to learn and copy your business’s processes and forms.
  3. They put together a very convincing email and invoice and send it from the compromised account or one that looks a lot like it.
  4. They send it to exactly the right person at your company – remember, they’ve been monitoring your processes and know how invoices flow in and out.
  5. That person sends it to the finance team, who pay the fake invoice and send money (and valuable account information) to the scammer.

It’s become a big problem for businesses of all sizes, but particularly small businesses that may not have sufficient protections in place and cannot absorb cash losses. The FBI put reported BEC losses at $26 billion as of July 2019, and the cost of cybercrime overall is expected to hit $6 trillion a year by the end of 2021.

What can you do?
The easiest steps to protect against BEC are things you can build into your daily routine and make a habit of doing.

  • Always double check the domain name on email addresses that ask for a wire transfer. For example, let’s say you have a supplier called Medco LLC. Email addresses from this company should end in “,” but a scammer could easily create an address that ends in “” That slight switch might not be caught at first glance, but if you look at it for just another second or two, it’s clearly false.
  • Bank associates often call clients to confirm wire requests, but that step doesn’t help if you automatically say “Yes” to every confirmation call. Take each call seriously and use it as an opportunity to double check the request and make sure it’s legitimate.

Here are additional steps you can take to protect your company from BEC:

  • Avoid free web-based email. Instead, create a company website domain and use it to establish company email accounts.
  • Be careful of what is posted to social media and company websites, especially job duties and descriptions, hierarchical information and out-of-office details. Don’t make it easy for scammers to learn your processes.
  • Be suspicious of requests for secrecy or pressure to take action quickly.
  • Consider additional IT and financial security procedures and two-step verification processes.
  • Beware of sudden changes in business practices. For example, take notice if a current business contact suddenly asks to be contacted via their personal email address when all previous official correspondence has been via their company email. Always verify through other channels that you are communicating with your legitimate business partner. That means using a phone number you know – not one given in the email – and not replying to the suspicious message.
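The domain check in the Medco example above and the warning in the last bullet about replies being steered to a personal address are both things a mail filter or a finance team’s intake script can check mechanically. The block below is an added example written for this article, not Pinnacle’s code or a product. The trusted supplier list, the webmail provider list, the homoglyph table and the three sample messages are constructed for illustration; the real supplier domains from the article are not reproduced here.

```python
"""Sender checks for incoming wire-transfer requests.

Added example, not part of the original article. It flags a sender domain
that merely looks like a known supplier's, a Reply-To that sends answers
somewhere other than the sender, and consumer webmail used for business.
All lists and messages below are constructed for this example.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed: suppliers the finance team already does business with.
TRUSTED_DOMAINS = {"medco.com", "acme-parts.com"}

# Constructed: consumer webmail providers. A supplier "moving" to one of
# these is the sudden change in practice the article warns about.
FREE_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}

# Substitutions that survive a quick glance (the article's "slight switch").
HOMOGLYPHS = [("0", "o"), ("1", "l"), ("rn", "m"), ("vv", "w"), ("3", "e"), ("5", "s")]


def domain_of(header_value):
    """Return the lowercase domain of the first address in a header, or ''."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a, b):
    """Levenshtein distance: each insertion, deletion or substitution costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(label):
    """Fold homoglyphs so 'medc0' and 'rnedco' both read as 'medco'."""
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain this one imitates, or None.

    An exact match is never a lookalike. Flagged: a trusted domain used as a
    leading label (medco.com.invoices-portal.net), a homoglyph or TLD swap
    (medc0.com, medco.net), a one-character typo (medcoo.com), or a hyphen
    extension (medco-llc.com). False positives are acceptable here: the
    outcome of a flag is a phone call, not a blocked payment.
    """
    if domain in trusted:
        return None
    label = domain.split(".")[0]
    for good in trusted:
        good_label = good.split(".")[0]
        if domain.startswith(good + "."):
            return good
        if normalise(label) == good_label:
            return good
        if edit_distance(label, good_label) <= 1:
            return good
        if label.startswith(good_label + "-") or label.endswith("-" + good_label):
            return good
    return None


def assess_message(raw):
    """Return the list of red flags found in one RFC 822 message string."""
    msg = message_from_string(raw)
    sender = domain_of(msg["From"])
    reply_to = domain_of(msg["Reply-To"])
    flags = []
    imitated = lookalike_of(sender)
    if imitated:
        flags.append(f"sender domain {sender} looks like trusted {imitated}")
    if reply_to and reply_to != sender:
        flags.append(f"replies go to {reply_to}, not to sender {sender}")
    if sender in FREE_WEBMAIL or reply_to in FREE_WEBMAIL:
        flags.append("consumer webmail address used for a business request")
    return flags


# Constructed sample messages: one genuine, one lookalike, one redirected.
SAMPLE_MESSAGES = {
    "genuine": "From: Accounts <ar@medco.com>\nTo: controller@example-corp.com\n"
               "Subject: Invoice 4471\n\nInvoice attached.\n",
    "lookalike": "From: Accounts <ar@medc0.com>\nTo: controller@example-corp.com\n"
                 "Subject: URGENT: updated wire instructions\n\nPlease wire today.\n",
    "redirected": "From: Accounts <ar@medco.com>\nReply-To: ar.medco@gmail.com\n"
                  "To: controller@example-corp.com\n"
                  "Subject: Invoice 4471 - new bank details\n\nReply here only.\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLE_MESSAGES.items():
        print(name, assess_message(raw) or ["no flags"])
```

Note what the genuine sample shows: a message sent from a truly compromised supplier mailbox (steps 1 to 3 of the scam above) produces no flags at all, because every header is legitimate. These checks catch the cheap imitations; they do not replace the phone call to a number you already have.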

If you have questions about how business email compromise happens or how you can prevent it, Pinnacle’s information security and treasury management support teams can help. Please call our Client Service Center at 800.264.3613 (in Tennessee) or 800.262.7175 (in the Carolinas and Virginia) and ask to speak with one of the experts in these areas.
