Securing Payments: Guarding Against Business Email Compromise

As electronic payment processing experts, we want to help you understand the scams targeting businesses like yours using the payment methods you use daily. One of those scams is called a business email compromise (BEC).

What is a Business Email Compromise Scam?

Email account compromise, cyber-enabled financial fraud, email spoofing, account takeovers – there are many names for BEC scams, but they all “compromise” one thing: a business email.

BEC, a form of cybercrime, involves attackers posing as a genuine business via email in order to deceive and swindle another business. 

These scams can involve:

  • Wire transfers
  • ACH payments
  • Diverting payroll direct deposits
  • Gift card purchases

Who Do BEC Scams Target? 

Bad actors typically target companies that handle large financial transactions, have complex supply chain networks, utilize vendors or suppliers, or have confidential and sensitive data, such as law firms, real estate companies, healthcare providers, educational institutions, manufacturing and supply chain companies, retailers, financial institutions, energy and utility companies, government agencies, and even non-profit organizations. 

In short, BEC scams can affect businesses in multiple industries and verticals of all sizes, from small businesses to global corporations. 

Within those companies, threat actors target CEOs and CFOs; employees in the HR, IT, legal, or finance departments; and executive assistants. The common theme among these roles is the access to sensitive data or the ability to transfer large amounts of money on behalf of the business. 

Common BEC Tactics Used by Cybercriminals

Cybercriminals use a range of methods in BEC scams to dupe individuals and organizations. These tactics manipulate recipients into taking actions that benefit the scammer, typically a fraudulent payment or the disclosure of sensitive data. Common BEC tactics include:

  • Email Impersonation: Fraudsters assume the identities of trusted individuals or entities within an organization, such as the CEO, CFO, or vendors. They craft emails that seem to originate from these sources in order to deceive recipients.
  • Spoofed Email Addresses: Cybercriminals frequently employ email spoofing techniques to create the illusion that their emails are sent from legitimate sources by manipulating the sender’s email address.
  • Spear Phishing: BEC attacks often target specific individuals and may contain personalized information about the recipient or organization, enhancing their credibility.
  • Invoice Tampering: Scammers intercept genuine invoices and modify payment details to redirect funds to fraudulent accounts.
  • Executive Fraud: In CEO fraud scenarios, scammers impersonate high-ranking executives and urgently request fund transfers or sensitive information.
  • False Payroll Modifications: Cybercriminals may request alterations to an employee’s direct deposit information with the intention of rerouting their salary to a fraudulent account.
  • Lawyer Impersonation: Scammers pose as legal professionals or attorneys and urge recipients to make legal payments or divulge confidential information.
  • Vendor Impersonation: Scammers pretend to be vendors, suppliers, or service providers and ask for changes to payment details or immediate payments for goods or services.
  • Gift Card Scams: BEC scammers may demand the purchase of gift cards and provide false justifications, stating it’s for an urgent business matter.
  • W-2 Scams: During tax season, scammers may request copies of employee W-2 forms, which contain sensitive personal information.
  • Whaling: In this variation of BEC, scammers target high-ranking executives like CEOs or CFOs and demand significant financial transactions or confidential data.
  • Credential Theft: Scammers send phishing emails with fraudulent login pages to steal login credentials that they can later use to compromise email accounts.
  • Spoofed Domains: Cybercriminals register domains that closely resemble legitimate ones and utilize them to send deceptive emails, tricking recipients into believing the messages are authentic.
  • Vendor Email Compromise: By infiltrating the email accounts of vendors or suppliers, scammers can manipulate communications, invoice payments, and more.
  • Account Takeover: Hackers gain access to a corporate email account and then proceed to request and divert funds. 
  • Social Engineering: Scammers employ psychological manipulation to build trust and persuade recipients into carrying out their requests.
  • Off-Hours Requests: Scammers send emails outside regular working hours to make it more difficult for recipients to verify the request with colleagues.
  • Real-Time Conversations: Some attackers engage in live email or chat exchanges to manipulate recipients and pressure them into making prompt payments.
  • Pressing or Intimidating Language: Scammers use urgent wording or threats to pressure recipients into acting quickly, such as making payments or transferring funds.

Warning Signs of a BEC Scam

Because legitimate business transactions occur via email, too, it’s important to understand the warning signs of a BEC scam, including:

  • Time-Sensitive: Typically, a BEC scam involves an unusual and urgent email that contains a payment request. 
  • Change in Payment Details: The bank account or invoice details change in a recurring transaction.
  • Misspellings: The email address, domain, or email content has spelling and grammar errors.
  • Multiple Requests for Gift Cards: You receive repeated requests for gift card purchases without providing legitimate business justification.
  • Invoice Discrepancies: Invoice details do not align with previous transactions with the same vendor.
  • Unexpected Tax-Related Requests: You receive unexpected requests for tax-related information, such as W-2 forms.
  • Inconsistent Signatures: The sender’s email signature does not match their email signature from previous communications.
  • No Email Security Measures: The sending domain lacks appropriate email authentication protocols such as DMARC (Domain-based Message Authentication, Reporting, and Conformance).
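Several of these warning signs can be checked automatically at the mail gateway or in the accounts-payable inbox before a human ever reads the message. The script below is an added example, not code from ReliaFund or from this page: it parses a raw inbound email, compares the sender's domain against a constructed vendor master file (catching one- or two-character typos and digit-for-letter look-alikes), reads the DMARC verdict from the gateway's Authentication-Results header, checks whether a bank account quoted in the body differs from the one on record, and looks for pressure wording. The vendor records, the two sample messages, the list of urgency terms and the flag names are all constructed for the example.

```python
"""Flag BEC warning signs on a raw inbound email (added example, constructed data)."""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional

# Constructed vendor master file: trusted sender domain and bank details on record.
# In practice this comes from the ERP or vendor-onboarding system, never from email.
VENDOR_RECORDS = {
    "acme-supplies.example": {"account": "123456789", "routing": "011000015"},
}

# Constructed list of pressure words typical of "time-sensitive" requests.
URGENCY_TERMS = ("urgent", "immediately", "asap", "right away", "today", "confidential")

# Digits commonly swapped for look-alike letters in spoofed domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to catch one- or two-character domain typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _normalise(domain: str) -> str:
    """Fold look-alike characters so 'supp1ies' and 'supplies' compare equal."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    if domain in VENDOR_RECORDS:
        return None
    for trusted in VENDOR_RECORDS:
        if _normalise(domain) == _normalise(trusted) or levenshtein(domain, trusted) <= 2:
            return trusted
    return None


def dmarc_result(msg) -> Optional[str]:
    """DMARC verdict stamped by our own gateway in Authentication-Results, if present."""
    m = re.search(r"\bdmarc=(\w+)", msg.get("Authentication-Results", ""))
    return m.group(1).lower() if m else None


def account_in(body: str) -> Optional[str]:
    """Pull a bank account number out of the message text, if one is quoted."""
    m = re.search(r"account(?:\s*(?:number|no\.?|#))?[:\s]*(\d{6,17})", body, re.I)
    return m.group(1) if m else None


def score_email(raw: str) -> List[str]:
    """Return the warning-sign flags raised by one raw RFC 5322 message."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = "" if msg.is_multipart() else msg.get_payload()  # samples are single-part text
    flags: List[str] = []

    imitated = lookalike_of(domain)
    if imitated:
        flags.append("LOOKALIKE_DOMAIN")
    record = VENDOR_RECORDS.get(imitated or domain)  # compare against the vendor being imitated

    verdict = dmarc_result(msg)
    if verdict is None:
        flags.append("DMARC_RESULT_MISSING")
    elif verdict != "pass":
        flags.append("DMARC_NOT_PASS")

    quoted = account_in(body)
    if record and quoted and quoted != record["account"]:
        flags.append("PAYMENT_DETAILS_CHANGED")

    if any(term in body.lower() for term in URGENCY_TERMS):
        flags.append("URGENT_LANGUAGE")
    return flags


# Constructed sample: look-alike domain, no DMARC pass, new account, pressure wording.
SPOOFED = """\
From: "Acme Supplies AP" <billing@acme-supp1ies.example>
To: payables@victim-corp.example
Subject: URGENT: updated remittance details
Authentication-Results: mx.victim-corp.example; spf=pass smtp.mailfrom=acme-supp1ies.example; dmarc=none header.from=acme-supp1ies.example

We changed banks. Please remit today's payment immediately to account 987654321
(routing 021000021) and keep this confidential until the switch is complete.
"""

# Constructed sample: genuine vendor, DMARC pass, same account as on record.
LEGITIMATE = """\
From: "Acme Supplies AP" <billing@acme-supplies.example>
To: payables@victim-corp.example
Subject: Invoice 1042 for March
Authentication-Results: mx.victim-corp.example; dkim=pass header.d=acme-supplies.example; dmarc=pass header.from=acme-supplies.example

Attached is invoice 1042. Please remit to account number 123456789 as usual.
Thanks, Acme AP team
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(label, score_email(raw))
```

Any raised flag should route the message to the verification procedure described in the next section rather than to the person who can release a payment; the DMARC check only means something when it is read from the header your own gateway added, since an attacker controls everything else in the message.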

How to Protect Your Business Against BEC Scams

To protect your business from BEC scams, it is essential to combine cybersecurity measures, employee training, and best practices. Here are some practical ways you can safeguard your business against BEC scams:

  • Strengthen Email Security: Utilize email authentication protocols such as DMARC to prevent email spoofing. Additionally, enable email filtering and anti-phishing solutions that can identify and block suspicious emails.
  • Establish Verification Procedures: Implement a stringent policy that requires verification for any financial transaction or sensitive information request received via email. Encourage employees to confirm such requests using trusted contact information before taking any action.
  • Educate Employees: Conduct regular cybersecurity training programs for all staff members. Teach them to recognize common warning signs of BEC scams and emphasize the importance of verifying unusual or financial requests through alternative communication channels, such as phone calls.
  • Implement Multi-Factor Authentication (MFA): Make MFA mandatory for both email accounts and sensitive systems. This additional layer of security helps prevent unauthorized access.
  • Limit Access to Sensitive Information: Restrict access to financial systems and sensitive data only to employees who require it for their specific roles.
  • Email Whitelisting: Establish an approved list of contacts and domains for emails so that only trusted senders can communicate with your organization.
  • Financial Controls: Implement measures within your organization that ensure multiple levels of review are conducted before approving any financial transactions.
  • Cybersecurity Policies: Create strong policies and procedures regarding cybersecurity, including rules about passwords, data encryption, and how data should be handled.
  • Monitor Financial Transactions: Regularly check financial transactions for any unusual activity or signs of suspicious behavior.
  • Vendor and Supplier Verification: Verify the legitimacy of vendors, suppliers, or service providers you work with by confirming their contact information and payment details.
  • Secure Email Communication: Use encryption to protect sensitive email communications, especially when discussing financial matters or sharing sensitive information.
  • Incident Response Plan: Develop a plan that outlines the steps to be taken in case of a security breach or suspected BEC scam.
  • Regularly Update Software and Systems: Keep all software, systems, and antivirus programs up to date to fix any known vulnerabilities.
  • Domain Monitoring: Monitor domain registrations and variations of your company’s domain name to identify potential fake domains.
  • Employee Authorization Process: Ensure employees follow a formalized process for authorizing financial requests, and document and verify any changes made regarding payees.
  • Fraud Alert System: Implement a transparent and user-friendly system for employees to report any suspicions of BEC scams or phishing attacks. 
  • Cross-Department Collaboration: Foster collaboration between legal and IT teams to create and enforce cybersecurity policies, evaluate risks, and handle potential BEC threats. 
  • Periodically Evaluate Security Measures: Regularly conduct security audits and assessments to pinpoint any flaws or vulnerabilities in your organization’s cybersecurity protocols.
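The verification, financial-control and payee-authorization items above describe one workflow: a request to change a vendor's bank details is not applied until the vendor confirms it through a phone number already on file (never one supplied in the request) and two people other than the requester approve it. The code below is an added example of that workflow, not ReliaFund's product or code from this page; the vendor record, the employee names and the class and method names are constructed for the illustration.

```python
"""Dual-control workflow for vendor payment-detail changes (added example, constructed data)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


class ControlViolation(Exception):
    """Raised when a payee change is attempted without the required controls."""


@dataclass
class Vendor:
    name: str
    phone_on_file: str   # captured at onboarding; the request email is never a source for this
    account: str
    routing: str


@dataclass
class PayeeChangeRequest:
    vendor: Vendor
    new_account: str
    new_routing: str
    requested_by: str                              # employee who logged the emailed request
    callback_verified_via: Optional[str] = None    # number on file that confirmed the change
    approvals: List[str] = field(default_factory=list)

    def record_callback(self, number_dialed: str, vendor_confirmed: bool) -> None:
        """Out-of-band verification: call the number on file, not one from the email."""
        if number_dialed != self.vendor.phone_on_file:
            raise ControlViolation("callback must use the phone number on file")
        if not vendor_confirmed:
            raise ControlViolation("vendor did not confirm the change")
        self.callback_verified_via = number_dialed

    def approve(self, approver: str) -> None:
        """Segregation of duties: the requester cannot approve, and nobody approves twice."""
        if approver == self.requested_by:
            raise ControlViolation("requester cannot approve their own change")
        if approver in self.approvals:
            raise ControlViolation("duplicate approval from " + approver)
        self.approvals.append(approver)

    def apply(self, required_approvals: int = 2) -> Dict[str, object]:
        """Update the vendor record only once every control has been satisfied; return an audit entry."""
        if self.callback_verified_via is None:
            raise ControlViolation("out-of-band callback verification missing")
        if len(self.approvals) < required_approvals:
            raise ControlViolation(f"{required_approvals} approvals required, have {len(self.approvals)}")
        previous = (self.vendor.account, self.vendor.routing)
        self.vendor.account, self.vendor.routing = self.new_account, self.new_routing
        return {
            "vendor": self.vendor.name,
            "previous": previous,
            "current": (self.new_account, self.new_routing),
            "requested_by": self.requested_by,
            "verified_via": self.callback_verified_via,
            "approvals": list(self.approvals),
        }


def violates(action: Callable[[], object]) -> bool:
    """True if `action` is blocked by a control; used to show which shortcuts are refused."""
    try:
        action()
        return False
    except ControlViolation:
        return True


def demo() -> Dict[str, object]:
    """Walk a constructed change request through every control and return the audit entry."""
    vendor = Vendor("Acme Supplies", "+1-555-0100", "123456789", "011000015")
    req = PayeeChangeRequest(vendor, "987654321", "021000021", requested_by="alice")
    assert violates(req.apply)                                          # nothing verified yet
    assert violates(lambda: req.record_callback("+1-555-0199", True))   # number from the email, refused
    req.record_callback("+1-555-0100", True)                            # number on file, vendor confirms
    assert violates(lambda: req.approve("alice"))                       # requester cannot self-approve
    req.approve("bob")
    assert violates(req.apply)                                          # still one approval short
    req.approve("carol")
    return req.apply()


if __name__ == "__main__":
    print(demo())
```

The audit entry returned by `apply` is what the monitoring and incident-response items above rely on: every payee change is traceable to who received the request, which number confirmed it and who approved it, so a diverted payment can be reconstructed after the fact.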

Be Proactive with ReliaFund

Proactive measures against BEC scams are crucial in protecting your business from financial losses and reputational damage. Beyond learning how to identify BEC scams and protect against them, organizations can significantly reduce the risk of falling victim to these scams by having the right payment processing services in place.

Our payment processing services help you monitor transaction activity from origination to deposit and reconciliation from one easy-to-use dashboard, helping you identify any discrepancies. We can help you streamline your financial operations while saving you valuable time and resources. 

With ReliaFund, you’ll be able to promptly address any issues that arise, minimizing potential disruptions to your business, enhancing transparency and visibility throughout the entire payment cycle, and, ultimately, giving you peace of mind. Learn more about our payment processing services.
