Business Email Compromise: A Big Problem

Your Business is Worth Protecting from Email Compromise

Business email compromise (BEC) is rampant. According to the Federal Bureau of Investigation, BEC fraud has rapidly increased since 2019 and has caused $43 billion in actual and attempted losses globally.

Unlike typical scams, business email compromise can really pack a punch, with a median cost of $764,000—significantly more expensive than other social engineering losses, which average $580,000, according to Advisen loss data.

Here’s how it works.

  1. Thieves hack a key email account, one from either your company or your supplier.
  2. They monitor it for days or even weeks to learn and copy your business processes and forms.
  3. They put together a very convincing email and invoice and send it from the compromised account or one that looks a lot like it.
  4. They send it to exactly the right person at your company – remember, they’ve been monitoring your processes and know how invoices flow in and out.
  5. That person sends it to the finance team, which pays the fake invoice and sends money (and valuable account information) to the scammer.

It’s become a BIG problem for businesses of all sizes, but particularly small businesses that may not have sufficient protections in place and cannot absorb cash losses.

What can you do?
The easiest steps to protect against BEC are things you can build into your daily routine and make a habit of doing.

  • Always double check the domain name on email addresses that ask for a wire transfer or other payment. For example, let’s say you have a supplier called Medco LLC. Email addresses from this company should end in “,” but a scammer could easily create an address that ends in “”. That slight switch might not be caught at first glance, but if you look at it for just another second or two, it’s clearly false.
  • Bank associates often call clients to confirm wire requests, but that step doesn’t help if you automatically say “Yes” to every confirmation call. Take each call seriously and use it as an opportunity to double check the request and make sure it’s legitimate.
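The domain check in the first bullet can also be automated for mail that reaches the accounts-payable inbox. The following Python script is an added example written for this article; it is not Pinnacle’s code or part of any bank product. It assumes a placeholder supplier domain (`medco-example.com`, standing in for the real Medco LLC domain the article leaves out) and hypothetical function names. It reads the sender address from a From header, compares its domain against an allow-list of known supplier domains, and reports look-alikes that differ by a swapped character, a visually similar character, or a bolted-on suffix. It is a triage aid for deciding which invoice emails need the out-of-band phone call described later, not a replacement for that call.

```python
import re
import unicodedata

# Constructed allow-list of supplier sending domains (placeholder, not a real supplier).
KNOWN_SUPPLIER_DOMAINS = {"medco-example.com"}

# Characters that look alike at a glance. Multi-character entries come first so
# "rn" collapses to "m" before single characters are rewritten.
CONFUSABLES = [
    ("rn", "m"), ("vv", "w"),
    ("0", "o"), ("1", "l"), ("|", "l"),
    ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"),  # Cyrillic а е о
    ("\u0440", "p"), ("\u0441", "c"),                   # Cyrillic р с
]

ADDR_RE = re.compile(r"<([^>]+)>")


def sender_domain(header_value: str) -> str:
    """Extract the domain from a From/Reply-To value such as 'AP Team <ap@x.com>'."""
    match = ADDR_RE.search(header_value)
    address = match.group(1) if match else header_value
    address = unicodedata.normalize("NFKC", address).strip().lower()
    if "@" not in address:
        raise ValueError(f"not an email address: {header_value!r}")
    return address.rsplit("@", 1)[1]


def skeleton(domain: str) -> str:
    """Rewrite look-alike characters so visually similar domains compare equal."""
    for lookalike, plain in CONFUSABLES:
        domain = domain.replace(lookalike, plain)
    return domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(header_value: str, known_domains=KNOWN_SUPPLIER_DOMAINS,
                    max_distance: int = 2) -> str:
    """Return 'known' (the domain is, or is a subdomain of, a listed supplier),
    'lookalike' (resembles a listed supplier but is not it) or 'unknown'."""
    domain = sender_domain(header_value)
    for known in known_domains:
        if domain == known or domain.endswith("." + known):
            return "known"
    for known in known_domains:
        if domain.startswith(known + "."):                 # known.com.attacker.net
            return "lookalike"
        if skeleton(domain) == skeleton(known):            # medc0 / rnedco vs medco
            return "lookalike"
        if edit_distance(domain, known) <= max_distance:   # medco-example.co
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample From headers, not captured mail.
    samples = [
        "AP Team <ap@medco-example.com>",
        "ap@mail.medco-example.com",
        "AP Team <ap@medc0-example.com>",
        "ap@rnedco-example.com",
        "ap@medco-example.co",
        "ap@medco-example.com.evil-example.net",
        "vendor@totally-different-example.org",
    ]
    for sample in samples:
        print(f"{classify_sender(sample):9s} {sample}")
```

A "known" verdict only means the domain matches the allow-list; a compromised legitimate account (the first step in the article’s walkthrough) will pass this check, which is why the call-back on a known phone number is still required for any payment-detail change.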

Here are additional steps you can take to protect your company from BEC:

  • Require your employees to complete annual training on what business email compromise is, the potential for damage to the business and ways to protect themselves and the company.
  • Avoid free, web-based email. Instead, create a company website domain and use it to establish company email accounts.
  • Be careful of what is posted to social media and company websites, especially job duties and descriptions, hierarchical information and out-of-office details. Don’t make it easy for scammers to learn your processes.
  • Be suspicious of requests for secrecy or pressure to take action quickly.
  • Consider additional IT and financial security procedures and two-step verification processes.
  • Beware of sudden changes in business practices. For example, take notice if a current business contact suddenly asks to be contacted via their personal email address when all previous official correspondence has been via their company email.
  • Always verify through other channels that you are communicating with your legitimate business partner. That means using a phone number you know – not one given in the email – and not replying to the suspicious message.

If you have questions about how business email compromise happens or how you can prevent it, Pinnacle’s information security, treasury management and small business support teams can help.

Please call our Client Service Center at 877-380-0654 and ask to speak with one of the experts in these areas.
