Identifying and Avoiding Business Email Compromise (BEC)

The number of phishing attacks that businesses experience is growing every year and there are no indications that it will slow down. However, there are a few things your business can do to prevent a successful phishing attack or minimize its effects. These include:

• Teaching employees how to recognize a phishing attempt.
• Not clicking on links that you are not expecting. Instead, hover over them to view the URL and confirm the website is where you want to go.
• If a customer asks to change billing type or information, verify the request first by using good known methods of contact.
• Protect your passwords. Create strong passwords and keep them secret. Use multi-factor authentication when possible.

Following these steps can reduce the number and severity of cybersecurity incidents at your business.

What is BEC?

All businesses heavily rely on email communication to conduct daily functions, which puts them at risk of falling victim to business email compromise (BEC). BEC is a form of social engineering — when a cybercriminal gains access to a business email account and uses manipulative techniques to trick you into providing confidential information or sending money. Cybercriminals count on employees trusting that all email communications that look like they are from a vendor, co-workers, and customers are valid.

Over the past few years, BEC has cost businesses billions of dollars, which is why it’s crucial that employees be aware of risks, slow down when processing emails, and understand how to verify requests.

How BEC occurs

BEC occurs when a cybercriminal gains access to an email account or spoofs an email address to impersonate the sender. The cybercriminal sends an email to you as that person and asks for confidential information or for you to process a payment, click a link, or open an attachment. If you do one of those things, you may be sending money to the cybercriminal or allowing them access to your information or computer.

Here's what it can look like to receive an email from a compromised account.

From a customer or vendor

• John has been communicating through email about legitimate business with a legitimate customer named Sarah. Several weeks later, John gets an email from Sarah in the same conversation thread with a link to download a business file.
• The email is from Sarah’s legitimate email address, but the email is not from Sarah. A cybercriminal has gained access to her email account.
• The cybercriminal went through Sarah’s communications, found the conversation with John, and sent an email pretending to be Sarah.
• John knows he should be wary of attachments and links, even if the communication looks like it’s from someone he knows.
• Instead of downloading the file, John contacts Sarah using a phone number he knows is legitimate. Sarah tells him that her email has been compromised and that he was right to not click on the attachment.

From your CEO

• Jason receives an email claiming to be from his CEO, Bob, that requests (or demands) Jason to complete a task with a sense of urgency or secrecy.
• Bob includes a link in the email and asks Jason to send him money, provide an account number or credit card number, and complete a financial transaction on behalf of the company.
• Jason has been trained in cybersecurity best practices and is immediately suspicious of the email. He knows if he follows the request and it turns out to be fake, he could be sending money to a scammer or compromising his business’s financial accounts.
• He walks to Bob’s office to confirm the request and learns that Bob did not send the email.

How to recognize social engineering

Cybercriminals are getting better at creating seamless communications that look like they are from someone you know or a business you recognize. It can be helpful to read through our article on social engineering and keep the following in mind:

• Look for spelling and grammar mistakes. With the rise of artificial intelligence (AI), it’s becoming harder to spot phishing emails based solely on spelling and grammar. However, not all cybercriminals use AI, so looking for spelling and grammar mistakes can still be a helpful way to potentially identify a phishing attempt.
• Watch for unexpected links or attachments. Hover your mouse over (but do not click) the link to see if the URL address matches the link that was typed in the message. If the URL or the attached file is something you don’t recognize or you are not expecting, don’t click it.
• Be wary of urgency or threats. Be suspicious of emails that claim you must immediately click, call, or open an attachment. The scammer is hoping the urgent tone will cause you to click or act without taking time to verify the request.
• Verify the sender’s email address. If you do not recognize the email address, or if the domain is from a public email provider and not from a company domain, be cautious of the email. Do not reply directly to the email or call the phone number listed in the email. If you know the sender or their business, verify their phone number using a legitimate source and call to ask if they sent the email.

How to protect your business

Be cautious of communications you receive that ask you to take an action, especially the following:

• Sending credit card or account information.
• Changing of payment information including a vendor payee.
• Resending payment because the original payment has failed.
• Making an urgent and overdue payment.
• Urging you to click a link to an unfamiliar site.

Before you do anything, verify the request with the sender by calling a phone number you know is legitimate or speaking with the requestor in person. Do not call any phone numbers listed in the email you received. Instead, look up a known number for the requestor’s company.

As your banking partner, we are dedicated to the success of your business — both through the business banking products we offer and the information we provide to help you keep your business safe. Visit our Security Center to learn more.