Business Email Compromise

Being knowledgeable about security is the best deterrent against fraud. Consider these tips on identifying and avoiding complex email scams targeting businesses today.  

• CEO Impersonation: A fraudster impersonates a CEO, CFO, or another executive of a company by creating a fake email address that often looks legitimate or by hacking a real user’s account. Using this email address, they ask an employee to transfer funds to a bank account controlled by the fraudster.
• Account Compromise: An employee of a company has their email address compromised. The account is then used to request, initiate, or authorize the transfer of funds to a bank account controlled by the fraudster.
• False Invoice Scheme: A fraudster pretends to be a supplier by compromising the supplier’s email system or sending a spoofed email on behalf of a supplier. They use the account to request fraudulent payments or change payment instructions.
• Attorney Impersonation: A fraudster claims to be an attorney and issues a fraudulent request warning of the consequences of noncompliance, including the prospect of litigation. Employees at lower levels are commonly targeted with this scheme.
• W-2 Form and Other Data Theft: A fraudster targets a company’s HR department to obtain an employee’s W-2 tax form or other personally identifiable information, which can then be leveraged in a future attack. Executives are frequently targeted in this type of scheme.

Although these are commonly used schemes, fraudsters use many tactics. This is not an exhaustive list of all BEC scams one might encounter. 

Spotting BEC scams before losses are incurred can be as simple as knowing what to look for. Malicious emails may often contain strange phrases, syntax, fonts, date formats, misspellings in the domain or name of the purported sender. The FBI outlined a few indicators that should draw suspicion:

• Unexplained urgency.
• Last-minute changes in payment instructions or recipient account information.
• Last-minute changes in established communication platforms or email account addresses.
  
• Communications only in email and refusal to communicate via telephone or online voice or video platforms.
• Requests for advance payment of services when not previously required.
  
• Requests from employees to change direct deposit information.
• Strange requests to do something outside of the approved policy or procedure. 

Help combat email compromise scams by becoming familiar with the various tactics and taking precautions before and after you receive payment requests. 

Create company policies: 

• Contact the sender to verify they sent the email 
• Validate payment instructions with the details you have on file 
• Implement multiple approvals for large remittance amounts 
• Establish approval protocols when executives initiate a transaction 
• Set checks and balances 

Ensure employees understand how to decipher fraudulent emails and URLS. 

• Do all the details in the email match what you have on file? 

Supply employees with instructions if they suspect or experience fraud.

• It’s important to act quickly. If your business is targeted, remember to alert your IT department and Amegy Bank immediately, and file a complaint with the FBI Internet Crime Complaint Center (IC3). 

Integrate prevention strategies with a combination of technical and non-technical security controls.  

• Build in system controls within the IT portion of your business to map existing workflows for ACH and wire payments. Identify weaknesses that could expose you to risk.