You know something about the e-mail you received doesn’t seem quite right – but you can’t put your finger on it. Maybe it’s signed by your HR manager but came from an address outside your organization. Maybe it asks you to sign into your employee portal through a link in the message to urgently correct something. Maybe one of your vendors asked you to send payments to a new account. Maybe your CEO asked you to change their direct deposit information.
If you’ve ever received an e-mail like this, you’ve had a brush with Business E-mail Compromise (BEC). But what is Business E-mail Compromise, and why is it so important to avoid?
“Business E-mail Compromise (BEC) is when someone tries to access a business’s, organization’s, or individual’s account information, personal information, or data via e-mailed interactions,” explained Michelle D. Martin, Senior Treasury Management Officer with First Merchants Bank. “Unfortunately, all businesses are susceptible to this – really, anyone with an e-mail address is.”
According to the Association of Financial Professionals, BEC comprised 55 percent of all fraud cases in 2021.
With BEC, a scammer impersonates someone you know – a manager, an HR employee, or even the head of your company – to gain access to funds or data. To do this convincingly, they often need access to a legitimate company e-mail account, which they typically obtain through “phishing” – tricking individuals into handing over their company login credentials.
“They can also get that information through weak passwords, poor password protection, insufficient password requirements, and even poor employee training,” Michelle shared. “They’ll just exploit any and every vulnerability they can find.”
Often, those initial targets are carefully chosen, Michelle added: new employees, entry-level employees, or HR and Payroll personnel.
Once they have someone’s login information, they can sign into that business e-mail account as if they were the legitimate owner.
“A lot of times when they gain access to that initial e-mail address, they’ll just monitor the victim’s correspondence for a bit – without the victim being aware they’ve been compromised,” Michelle shared. “They want to identify who they should target to gain access to bank accounts or personal data.”
Once they have identified a target, scammers will then use the legitimate e-mail to reach out and request money be sent to a different account, or for copies of personnel data.
“As a bank, we’ve received e-mails from business clients ‘requesting’ to add signers to business checking accounts, or to change direct deposit information,” Michelle said.
However, the most common target is wire transfers, which account for 42 percent of all BEC incidents, closely followed by ACH credits at 37 percent. On average, Michelle said, BEC results in at least a $25,000 loss. But losses can also be more than monetary.
“I had a client once who had a scammer – using a legitimate e-mail from their business – request the W2 information for every company employee. So they received everyone’s social security number, their addresses, etc.,” Michelle explained. “So then you’re getting into identity theft and compromising individual people’s safety and their future security. This can get very big very quickly and snowball.”
So how can you avoid Business E-mail Compromise?
“Unfortunately, it’s not something you can fully avoid,” Michelle said. “Often it’s not a matter of if it will happen, but when it will happen. So the main way to prevent loss is to be prepared and to keep yourself educated.”
It also helps to have verification procedures in place for certain kinds of requests – a direct deposit change, a loan request, or an account change – so that nobody acts on them from the e-mail alone.
“I tell all my clients to verbally verify any request like that,” Michelle shared. “Walk over to your co-worker’s office if they’re in the same building or pick up the phone. If you’re calling, use the information that is in your contacts list, not what is listed in the e-mail you received. Ask. Get them to verbally verify that change – it’s a simple step that can save you a lot of heartache.”
Businesses can also increase employee training and awareness around phishing and BEC, especially around scammers’ favorite buzzwords, which include:
- Transaction Requests
- Important
- Urgent
- Request
- Payment
- Outstanding Payment
- Info
- Important Update
- Attention
- Notification of Updates
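The warning signs described on this page – a colleague’s name on an address from outside the organization, a reply address that differs from the sender, the buzzwords listed above, and a request to change payment or account details – can be checked automatically before a message ever reaches a person. The script below is an added example and is not code from the article or from First Merchants Bank. It uses only Python’s standard library; the internal domain `example.com`, the `known_senders` directory (the “contacts list” the article says to trust over what the e-mail claims) and the two sample messages are all constructed for illustration, and the list of change-request phrases is an assumption drawn from the scenarios the article describes.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Hypothetical internal domain for the constructed examples.
INTERNAL_DOMAIN = "example.com"

# The buzzwords listed in the article, lower-cased for matching.
BUZZWORDS = [
    "transaction request", "important", "urgent", "request", "payment",
    "outstanding payment", "info", "important update", "attention",
    "notification of updates",
]

# Assumed phrases signalling the payment/credential changes the article describes.
CHANGE_PHRASES = ["direct deposit", "new account", "wire", "ach",
                  "sign in", "login", "w2", "w-2"]

# Constructed directory: display name -> address the organisation has on file.
KNOWN_SENDERS = {"pat chen": "pat.chen@example.com"}

# Constructed sample: impersonation from a look-alike external domain.
SAMPLE_BEC = """\
From: Pat Chen <pat.chen@mail-example.net>
Reply-To: payroll.update@mail-example.net
To: hr@example.com
Subject: URGENT: Direct deposit change request
Content-Type: text/plain

Hi, I need you to update my direct deposit to a new account before payroll runs today.
I'm in meetings, so just reply here.
"""

# Constructed sample: ordinary internal mail with nothing to flag.
SAMPLE_BENIGN = """\
From: Pat Chen <pat.chen@example.com>
To: hr@example.com
Subject: Lunch on Thursday?
Content-Type: text/plain

Are you free Thursday at noon?
"""


def _phrase_hits(text, phrases):
    """Return the phrases that occur as whole words in text (case-insensitive)."""
    text = text.lower()
    return [p for p in phrases if re.search(r"\b" + re.escape(p) + r"\b", text)]


def bec_indicators(raw_message, known_senders):
    """Return a list of human-readable BEC indicators found in a raw RFC 5322 message.

    An empty list means none of the article's warning signs were present; anything
    else should be verified out of band (phone or in person) before acting on it.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""

    # 1. A known colleague's name on an address from outside the organisation.
    if from_domain and from_domain != INTERNAL_DOMAIN:
        findings.append(f"external sender domain: {from_domain}")
        expected = known_senders.get(display_name.lower())
        if expected:
            findings.append(f"display name '{display_name}' belongs to {expected}")

    # 2. Reply-To pointing somewhere other than the From address.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != from_addr.lower():
        findings.append(f"reply-to mismatch: {reply_to}")

    # 3. Urgency buzzwords from the article's list in the subject line.
    hits = _phrase_hits(msg.get("Subject", ""), BUZZWORDS)
    if hits:
        findings.append(f"buzzwords in subject: {', '.join(hits)}")

    # 4. Body asks for a payment, account or credential change.
    body = msg.get_body(preferencelist=("plain",))
    changes = _phrase_hits(body.get_content() if body else "", CHANGE_PHRASES)
    if changes:
        findings.append(f"change request in body: {', '.join(changes)}")

    return findings


if __name__ == "__main__":
    for name, sample in (("BEC sample", SAMPLE_BEC), ("benign sample", SAMPLE_BENIGN)):
        print(name, "->", bec_indicators(sample, KNOWN_SENDERS) or ["no indicators"])
```

None of these checks proves a message is fraudulent; a real colleague can write “urgent” in a subject line. Their value is in deciding which messages get routed to the verbal verification step rather than handled from the inbox, which is exactly the procedure the article recommends.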
“You just have to be alert,” Michelle cautioned.
Learn more about security measures you can take to protect your business at our Security Center.