We have been seeing an increase in criminal cyber-fraud schemes affecting large and small businesses, individuals and banks. With the increase in remote work, online payments and email usage, a fraud we are seeing more of is criminals using a Business Email Compromise (BEC) hack to pose as the company sending an invoice; once the recipient pays, the payor's account is drained with little or no trace tying the criminal to the fraud.

So how does it work and what is a BEC?

Business email compromise (BEC), usually beginning with a “phishing” email, is a technique used to gain access to your company email so criminals can impersonate a co-worker, manager or other trusted business partner to steal sensitive data and money. With access to your business email accounts, criminals can steal money through fraudulent wire transfer requests, fake invoices, diverted payroll and more. Protecting your email is essential. BEC emails usually contain no malware and are therefore difficult to detect with common email filtering tools.

How does a typical BEC scam work?

A common technique is email spoofing. Email spoofing occurs when the email appears to be sent by a legitimate sender but is actually sent by a criminal. For example, your accounts payable department receives an email from the CEO (who is traveling abroad) asking for $100,000 to be immediately wired to a new bank account of a trusted business partner. The employee complies. You later discover the new bank account belongs to a criminal who spoofed the CEO’s email account to divert the money. You immediately call the bank but the money has already been transferred.
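Added example, not part of the original notice: a small Python triage check for the spoofing signs described above. It assumes a constructed list of trusted partner domains and a constructed sample message, and flags a Reply-To domain that differs from the From domain, a sender domain within two characters of a trusted one (a lookalike), and payment-change language from an unverified sender.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed for this example: trusted invoice domains, and phrases typical of a payment-diversion request.
TRUSTED_DOMAINS = {"example-partner.com", "ourfirm.example"}
PAYMENT_CHANGE_PHRASES = ["new bank account", "wire", "immediately", "updated banking details"]

def _domain(header_value):
    """Lower-cased domain of the first address in a header value, or '' if absent."""
    _, address = parseaddr(header_value or "")
    return address.rpartition("@")[2].lower()

def _edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def _lookalike(domain):
    """Trusted domain that `domain` imitates (within two edits), or None if exact or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    return next((t for t in TRUSTED_DOMAINS if _edit_distance(domain, t) <= 2), None)

def bec_indicators(raw_message):
    """Return the BEC warning signs found in a plain-text RFC 822 message (empty list = none)."""
    msg = message_from_string(raw_message)
    from_domain, reply_domain = _domain(msg.get("From")), _domain(msg.get("Reply-To"))
    findings = []
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")
    imitated = _lookalike(from_domain)
    if imitated:
        findings.append(f"sender domain {from_domain!r} looks like trusted domain {imitated!r}")
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace").lower()
    hits = [p for p in PAYMENT_CHANGE_PHRASES if re.search(r"\b" + re.escape(p) + r"\b", body)]
    if hits and from_domain not in TRUSTED_DOMAINS:
        findings.append("payment-change language from an unverified sender: " + ", ".join(hits))
    return findings

# Constructed sample: lookalike partner domain, mismatched Reply-To, urgent bank-change request.
SAMPLE_BEC = """From: Accounts <billing@examp1e-partner.com>
Reply-To: billing@mail-relay.example.net
To: ap@ourfirm.example

Please wire payment immediately to our new bank account; details attached.
"""
```

These header checks catch spoofed and lookalike senders, not a genuinely compromised partner mailbox, which is why verifying any payment change by phone through an independently looked-up number remains necessary.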

Steps you can take to protect yourself and your company:

  1. Enable two-factor authentication on important accounts. These include email, bank accounts, company logins, etc.
  2. Train staff on how to spot phishing attempts. There is a ton of great, free training available online. Click testing is another way to gauge your employees' ability to spot scams: a test “fraudulent” spoofed email is sent to all employees, and you track who clicks on it and how far they follow through with the simulated phishing scam.
  3. Spam filters and anti-virus protection measures. These should be in place and tested frequently. That being said, they don’t catch everything, which is why steps 1 & 2 are equally important.

Awareness is one of the best preventive measures you can take. If you ever have a question about an invoice or an email you receive from us, please reach out to our office at 707-546-0272 and ask. Replying to the email often just gets you a reply from the criminal (if the email account has been hacked), and the fake invoice many times includes a false phone number, so when in doubt, look up the sender independently and call the number listed on their website. If you have questions, please let us know.