Tips to Avoid Business Email Compromise Scams

What is an email compromise scam? If you have ever received a suspicious business email or phone call requesting funds, it could be a compromise scam, and you are not alone. According to the Internet Crime Complaint Center, 7,066 U.S. businesses were defrauded of over 747 million dollars from October of 2013 to August of 2015 through email scams. How do you protect yourself against fraudulent emails, wire transfer attempts, and requests for sensitive information that could put your business at risk?

The following are some best practices from FBI alerts and financial institutions. By following the tips below, you can help protect your business and reduce the risk of being targeted by fraudsters.

What to look for to avoid email scams:

• Is the request consistent with how earlier wire payments have been requested? Be wary of who the request is coming from, if they are out of the office, and what is included in the request. Is the payment consistent with earlier wire payments – including the timing, frequency, recipient, and country to which prior wires have been sent?

• Be suspicious of requests for secrecy or urgency, and of emails that insist all correspondence stay within the same email thread, such as instructions to only use Reply, never Forward.

• Use a company email domain instead of free public email services such as Gmail.

• Look carefully for small changes in email addresses that mimic legitimate email addresses, for example .co vs. .com. Do not open suspicious emails; they may be fraudulent.

• If the request is from a vendor, check for changes to business practices, such as how invoices were received.
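The lookalike-address check described above, as an added example that is not part of the original article: it compares a sender's domain against a constructed allowlist of domains the business actually corresponds with and flags the tricks mentioned here (a different top-level domain such as .co for .com, a known domain used as the front of a longer unrelated domain, and near-identical spellings), so the request can be confirmed out of band before anyone acts on it. The allowlist and sample addresses are assumptions.

```python
from difflib import SequenceMatcher

# Constructed allowlist: domains this business legitimately exchanges mail with.
KNOWN_DOMAINS = {"example.com", "acme-supplies.com"}


def sender_domain(address: str) -> str:
    """Lowercased domain of an address; accepts 'Display Name <user@host>' too."""
    addr = address.strip()
    if addr.endswith(">") and "<" in addr:
        addr = addr[addr.rfind("<") + 1:-1]
    return addr.rsplit("@", 1)[-1].strip().lower()


def classify_sender(address: str, known=KNOWN_DOMAINS, threshold: float = 0.85):
    """Return (verdict, detail) where verdict is 'known', 'lookalike' or 'unknown'.

    'lookalike' means the domain resembles a known one closely enough that the
    request should be confirmed by phone or another channel before acting on it.
    """
    domain = sender_domain(address)
    # Exact match or a subdomain of a known domain (mail.example.com) is fine.
    if domain in known or any(domain.endswith("." + g) for g in known):
        return "known", domain
    name, _, tld = domain.rpartition(".")
    for good in known:
        good_name, _, good_tld = good.rpartition(".")
        # Same name, different top-level domain: example.co instead of example.com
        if name == good_name and tld != good_tld:
            return "lookalike", f"{domain} uses .{tld} where {good} uses .{good_tld}"
        # Known domain used as the leading labels of an unrelated domain:
        # example.com.mail-review.net is not example.com
        if domain.startswith(good + "."):
            return "lookalike", f"{domain} starts with {good} but is a different domain"
        # Near-identical spelling (digit-for-letter swaps, transposed letters)
        ratio = SequenceMatcher(None, domain, good).ratio()
        if ratio >= threshold:
            return "lookalike", f"{domain} is {ratio:.2f} similar to {good}"
    return "unknown", domain


if __name__ == "__main__":
    # Constructed sample sender headers, not taken from any real message.
    for sample in ["cfo@example.com", "CFO <cfo@example.co>", "ap@examp1e.com",
                   "ap@example.com.mail-review.net", "sales@newvendor.org"]:
        print(sample, "->", classify_sender(sample))
```

An "unknown" verdict is not proof of fraud; it simply means the domain is not on the allowlist and the request deserves the same out-of-band confirmation.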

Confirming Requests:

Use a communication method other than business email to verify the identity of the person requesting the funds transfer. Call a known phone number to get verbal confirmation, or confirm a call with an email to a known address.
While many people may be hesitant to question what appears to be a legitimate email from their boss or the CEO, consider what would happen if it was an email scam.
Implement dual approvals for financial transactions. Develop written procedures and be sure to always follow them.
Use a purchase order model for wire transfers to ensure that all payments have an order reference number that can be verified before approval. Limit the number of employees who have the authority to submit or approve wire transfers.
For employees that frequently travel and are authorized to request funds transfers, develop a special way to confirm requests, like a coding system.

Educating Your Coworkers:

Spread the word to your employees about business email compromise and its warning signs, and encourage employees to ask questions.
Do not post sensitive information on social media and company websites.
Fraudsters gain an advantage by pressuring employees to take action quickly without confirming all the facts. Treat any request to act quickly as a possible sign of business fraud.
Trust your financial institution. If they question a payment, it’s worth a couple of minutes to cooperate with them to confirm it’s legitimate.

What to do if You Detect a Business Email Compromise Scam

1. Report the Attack

If your business is a victim of email scams or fraud, you can file a report with the Internet Crime Complaint Center at www.IC3.gov or contact your local FBI office. You should also report the attack to your financial institution. If notified immediately, financial institutions and law enforcement have a better chance of recovering the stolen funds, even if the funds were sent internationally.

When reporting the incident, identify the complaint as “Business Email Compromise” or “BEC” and provide:

• A general description of the crime, including how and when it occurred, and details on when and how you believe you were defrauded.

• The original internal funds transfer email, along with the specific wiring instructions, including beneficiary and account details for where the transfer was to be sent.

• Attempted and actual loss amounts.

Keep all original documentation, emails, and all other forms of communication. You will not be able to add or upload attachments with your IC3 complaint if it’s filed online. Retain all relevant information in case you are contacted by law enforcement.

2. Complete an Internal Review

If you are a victim of a business email scam, we encourage you to conduct an internal review to determine how the attack occurred and if changes are needed.