Guard Against Business Email Compromise Scams

A few months after transferring $650,000 to a charitable organization for a low-income housing project in 2021, a nonprofit organization was informed that the intended recipient never received the funds. The nonprofit group subsequently learned it had been conned. Hackers had stolen a legitimate invoice and changed the bank routing number to an account they controlled.

That scam is an example of a rapidly growing type of fraud known as business email compromise (BEC). In BEC attacks, malicious actors impersonate trusted executives, employees, partners or suppliers to try and trick their victims into sending money or divulging confidential information. The FBI estimates that organizations have lost $43 billion to BEC attacks since 2016.

Although BEC attacks usually occur via spoofed email, the FBI warns that criminals have recently begun to target people with text messages and virtual meeting platforms. The simple nature of BEC attacks makes them effective — they don’t involve malware or code that would trigger content filters or network security measures. They just exploit a victim’s trust.

Here are four ways you can guard against BEC attacks:

• Be wary of urgent requests even if they appear to be from the boss — particularly if they involve money. Red flags include requests for rush payments due to an impending deadline, intimidation tactics, excessive flattery, or claims that the request has been approved by a higher authority.

• Require verification of any requested financial transactions received by email or text through a different communication channel, ideally by phone or in person.

• To verify requests by phone, don’t use numbers provided in emails or texts. Look up the number on your own.

• Double check the sender’s identification. Examine email headers and text message sender IDs to ensure they match the business or person purportedly contacting you.