If you’ve been in the business world for any length of time, you probably know about the dangers of Business E-mail Compromise (BEC). But have you sharpened your fraud-spotting skills lately? Can you list the top red flags that will give scammers away?
If you need to brush up on your cybersecurity skills, review warning signs, or want to learn how to identify a phishing attempt – this blog is for you.
What is BEC?
First, as a refresher, Business E-mail Compromise is a type of phishing scam where cybercriminals impersonate a fellow employee, your company’s CEO, or key personnel to try and gain access to or manipulate payments, wire transfers, or other financial transactions in order to divert that money to their own pockets.
7 BEC Red Flags
So, if you receive an e-mail requesting a transaction or change to one of your company’s financial accounts, keep an eye out for these 7 red flags:
- Unusual Sender Address. The e-mail address is slightly off from your company’s internal e-mail conventions, comes from an e-mail address you don’t recognize, or comes from one that seems odd.
- Sense of Urgency Around Unexpected Requests. The e-mail is marked as urgent, or otherwise pressures you to take immediate action, and the request is unexpected.
- Changes in Communication Style. The language in the e-mail doesn’t match the normal grammar, cadence, or “voice” of the person it appears to be from. If the e-mail is from a vendor, you may also receive inconsistent information about who is reaching out.
- Misspellings or Poor Grammar. Phishing e-mails will often have multiple, obvious misspellings and poor grammar.
- Suspicious Links and Attachments. The e-mail will have a link to an unusual website, or an unexpected and suspicious attachment. Remember to mouse over links to see where they actually lead before clicking.
- Altered Invoices. The e-mail says that an invoice needs to be altered in some way.
- Unexpected New Vendor Requests. You receive an unexpected payment request from an existing vendor, or from a brand-new vendor you are not familiar with.
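As an added example (not part of the original post), here is a small Python triage script that checks a raw e-mail for three of the red flags above: a look-alike sender domain, urgency wrapped around a payment or invoice request, and a link whose visible text does not match where it leads. The internal domain, the keyword lists and the sample message are constructed assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

INTERNAL_DOMAIN = "example-corp.com"  # assumption: the company's real mail domain
URGENCY = re.compile(r"\b(urgent|immediately|asap|right away)\b", re.I)
PAYMENT = re.compile(r"\b(invoice|wire|bank details|payment|new vendor)\b", re.I)
ANCHOR = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# Constructed sample (not a real message): look-alike domain, urgent wire request, misleading link.
SAMPLE_EML = """\
From: "Jane Doe, CEO" <jane.doe@examp1e-corp.com>
To: ap@example-corp.com
Subject: URGENT: updated wire instructions for vendor invoice
Content-Type: text/html

<p>Process this invoice today with the new bank details:
<a href="http://example-corp.com.update.invalid/x">example-corp.com/invoice</a></p>
"""

def levenshtein(a, b):  # edit distance; a look-alike domain is one or two edits from the real one
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_red_flags(raw) -> list:
    # Returns the names of the red flags found in one raw RFC 5322 message.
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Unusual sender address: not our domain, but only a character or two away from it.
    if sender_domain != INTERNAL_DOMAIN and levenshtein(sender_domain, INTERNAL_DOMAIN) <= 2:
        flags.append("lookalike_sender")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = msg.get("Subject", "") + " " + (body.get_content() if body else "")
    # Sense of urgency around a payment, invoice or vendor request.
    if URGENCY.search(text) and PAYMENT.search(text):
        flags.append("urgent_payment_request")
    # Suspicious link: the visible text names one domain, the href leads somewhere else.
    for href, label in ANCHOR.findall(text):
        host = (urlparse(href).hostname or "").lower()
        shown = re.search(r"[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}", label, re.I)
        if shown and host != shown.group(0).lower() and not host.endswith("." + shown.group(0).lower()):
            flags.append("link_mismatch")
            break
    return flags
```

Running `bec_red_flags(SAMPLE_EML)` flags all three; a message from the real domain with no urgency words or disguised links returns an empty list.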
Ten Tips to Prevent Business E-mail Compromise
Business E-mail Compromise is one of the most common forms of fraud – which is why it’s important to set up processes around your company’s e-mail expectations and payment procedures. Not sure where to start? Here are a few suggestions:
- Offer Employee Training. Training on how to spot and avoid BEC and other cyberattacks should be offered to new employees and to tenured employees on an ongoing basis.
- Don’t Click. In general, make a pact with yourself – and set the expectation for your employees – to not click on links or attachments in e-mails without first vetting the sender, link or request.
- Multi-Factor Authentication. Consider adding multi-factor authentication to your business’s e-mail service, financial accounts, and other weak points.
- Always Call. Set up a cadence within your company to always call vendors, executives, and employees to verbally verify new vendors, new financial requests, or invoice adjustments.
- Restrict Finance Access. Access to company cards and accounts should be granted only to the people who need it to do their jobs. This will help you limit the openings scammers can use to get into your systems.
- Monitor Account Activity. Monitor your accounts using online or mobile banking, setting up account controls, and carefully examining account statements.
- Keep Software Up-To-Date. Keep your company software up-to-date. Software updates often contain security upgrades or patch weaknesses from previous versions. Keeping your software current will help limit weak points scammers can exploit.
- Use Secure Payment Channels. When paying vendors, make sure you use only secure, pre-approved payment methods. Do not use peer-to-peer payment services, gift cards, or other hard-to-track options.
- Use Payment Confirmation. Make sure your business has payment confirmation protocols – such as calling to confirm payments or using a service like Positive Pay.
- Use Unique Passwords. Your work and financial accounts should all have unique usernames and passwords. Never reuse any login information from personal accounts or services for your company login or business accounts.
What to Do If BEC Occurs
If Business E-mail Compromise does occur, it’s imperative that you act quickly to prevent further loss, reputational damage, or data compromise. As soon as you’re aware of the breach, take these steps:
- Contact Your Bank. Contact any financial institution that your company works with and let them know what has happened. They can guide you through appropriate account security measures and can offer insight on whether it is possible to recoup your loss.
- Contact Local Law Enforcement. Report the incident to your local law enforcement, and work with them as they take reports and investigate.
- Inspect Your Accounts. Check all your accounts for recent access, new transactions, or any suspicious activity. You’ll want to continue to do this moving forward, as some cybercriminals don’t act immediately.
- Secure Your Systems and Passwords. Wait for your IT department to confirm that your systems are clean, and then change your usernames and passwords – especially all usernames and passwords associated with your financial accounts.
Hopefully, with these warning signs and best practices, you’ll be able to prevent BEC and protect your business and your employees. If you need additional guidance on how to avoid BEC, connect with your local, attentive commercial banking representative. You can also keep an eye on the latest fraud news and trends in our Security Center.