What is Business Email Compromise?

Business Email Compromise (BEC) is a sophisticated scam that threatens both businesses and individuals. BEC is a type of cybercrime where the scammer uses email to trick someone into sending money or divulging confidential company info.

The scam often depends on an individual compromising legitimate business or personal email accounts through social engineering or computer intrusion. Once criminals have access to company (or personal) email accounts, they pose as a trusted figure (such as a CEO, CFO, or other person in a position of power within the company), then ask for a fake bill to be paid or for sensitive data such as personally identifying information or bank account information they can use in another scam. They may send an email message that appears to come from a known source making a legitimate request, like in these examples:

• A vendor your company regularly deals with sends an invoice with an updated mailing address or updated payment instructions.
• A company CEO asks her assistant to purchase dozens of gift cards to send out as employee rewards. She asks for the serial numbers so she can email them immediately.
• A homebuyer receives a message from his title company with instructions on how to wire his down payment.

Versions of these scenarios happened to real victims. All the messages were fake. And in each case, thousands—or even hundreds of thousands—of dollars were sent to criminals instead.

The scam is not always associated with a transfer-of-funds request. One variation involves compromising legitimate business email accounts and requesting employees’ Personally Identifiable

Information, Wage and Tax Statement (W-2) forms or other personal data.

BEC scams continue to grow and evolve, targeting small local businesses to larger corporations and personal transactions. BEC scams have been reported in all 50 states and 177 countries, with over 140 countries receiving fraudulent transfers.

How to protect yourself and your company.

You can help reduce the risk of BEC fraud by following some best practices and training your employees. Following these steps will help protect you against BEC fraud:

Cyber Safety Industry Best Practices for Personnel

Verbally Verify

• Treat every email request you receive with payment instructions as potentially fraudulent until verified.
• Call the customer or individual who initiated the request via phone using a number from within your company’s database. Do not call the phone number in the email.
• Confirm every aspect of every transaction, including ABA and account number, even if the request seems authentic.

Don’t Recognize the Sender?

• Avoid clicking on links or opening attachments.
• Don’t reply to the email – it could be a fraudster.
• Report the email to IT or Information Security.

Staying vigilant is the best way to help protect the bank and you, our business customers, from potential fraud. If you believe your business is the recipient of a compromised email or a victim of a BEC scam:

• Notify your bank immediately to request a recall or reversal or as a Hold Harmless Letter or Letter of Indemnity. Cadence cannot guarantee the return of all or any portion of the funds and this process may take up to ninety days or longer to resolve.
• File a comprehensive complaint with the Internet Crime Complaint Center (IC3) at www.IC3.gov. Be descriptive, complete all required data fields, and identify your complaint as “Business Email Compromise” or “BEC.”
• Visit www.IC3.gov for updated PSAs about BEC trends and other fraud schemes.

To learn more tips about BEC, read our tip sheet.

Sources:
https://cadencebank.com/insights-and-articles/business/protecting-your-business-from-cyber-fraud
https://www.ic3.gov/Media/Y2022/PSA220504
https://www.fbi.gov/how-we-can-help-you/safety-resources/scams-and-safety/common-scams-and-crimes/business-email-compromise
https://www.microsoft.com/en-us/security/business/security-101/what-is-business-email-compromise-bec

This article is provided as a free service to you and is for general informational purposes only. Cadence Bank makes no representations or warranties as to the accuracy, completeness or timeliness of the content in the article. The article is not intended to provide legal, accounting or tax advice and should not be relied upon for such purposes.