How to Avoid Business Email Compromise Scams

As cybersecurity software becomes more sophisticated, many cybercriminals are directing their attacks at the most vulnerable targets: human beings. Scammers are using emails and phone calls to trick employees into facilitating a crime that damages their company in the form of wasted time and lost money.

What this means for small and medium-sized businesses is that an effective cybersecurity strategy must include educating staff in identifying and avoiding common scams. One of the most familiar—and costly—scams is the business email compromise attack.

What is a business email compromise attack?

A business email compromise (BEC) scam uses a fraudulent email posing as a legitimate email from a trusted entity, such as a corporation or government. The email typically includes a request to direct money or information to the fraudster. Some examples include:

  • An invoice with updated payment information from a long-time vendor.
  • A request from a company employee to change the account and routing numbers for direct deposit.
  • An email from a company executive requesting every employee's W-2 Form.

According to IBM, the average cost of a data breach in the U.S. is $3.86 million. While small businesses may not stand to lose such high sums, data breaches tend to cost them more money relative to their size. And BEC is one of the most common causes of data breaches, accounting for nearly half of the cybercrime losses in 2019. Fortunately, there are steps your business can take to avoid falling prey to BEC scams.

How to recognize business email compromise scams

BEC scams are designed to look legitimate, but there are certain red flags that can tip you off to a potential scam:

  • Spelling and other errors. Many BEC attacks include glaring errors. Unprofessional typos and other oddities, such as a “co-worker” referring to you by your full name instead of your first name or common nickname, should give you pause.
  • Phony email addresses. Often the email address that sent the message will differ from the address it's imitating. Look for a dropped letter or misplaced underscore. And be aware that even if an email comes from a valid address, there is no guarantee that the message is legitimate. The cybercriminal may have obtained email login information in a previous attack.
  • Uncharacteristic requests. Ask yourself whether the request is out of character. Would your CEO ask you for this sensitive information over email? Is this how this kind of request is typically handled?
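The second red flag above, a sender address that is a near miss of the one it imitates, can be checked mechanically. The following is an added example, not code from this article: it parses a From: header, compares it against a constructed list of trusted contacts, and reports a display name paired with the wrong address or a domain within a couple of edits of a trusted one (a dropped letter, a swapped hyphen and underscore). All names, addresses and domains are constructed placeholders.

```python
from email.utils import parseaddr

# Constructed allow-list of trusted contacts: display name -> known address.
TRUSTED = {
    "Alex Rivera": "alex.rivera@example-vendor.com",
    "Dana Chen": "dana.chen@example.com",
}
TRUSTED_DOMAINS = {addr.split("@")[1] for addr in TRUSTED.values()}


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header):
    """Return a list of red flags for a From: header value.

    An empty list means no lookalike was found, not that the mail is genuine:
    a compromised but valid account passes this check, as the article notes.
    """
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["unparseable sender address"]
    domain = addr.lower().rsplit("@", 1)[1]
    flags = []
    # Red flag 1: the display name matches a trusted contact but the address differs
    # (catches a misplaced underscore or dot in the local part).
    expected = TRUSTED.get(name)
    if expected and expected.lower() != addr.lower():
        flags.append(f"display name '{name}' expected {expected}, got {addr}")
    # Red flag 2: the domain is not trusted but is within two edits of one that is.
    if domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if levenshtein(domain, trusted) <= 2:
                flags.append(f"lookalike domain {domain} resembles {trusted}")
    return flags
```

The distance threshold of 2 is a tuning choice; short domains will need a tighter threshold to avoid flagging unrelated names.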

What to do in the event of a business email compromise attack

If you think the email you’ve opened may be a BEC attack, the best way to verify is to contact the person or entity the email purports to be from. Do not reply to the email itself. Instead, open a new email or, better yet, call to confirm that the message is legitimate.

If it turns out the email is fraudulent, report it to the appropriate authority. Notify the Internet Crime Complaint Center (IC3) of all non-tax-related BEC scams. Tax-related scams should be forwarded to phishing@irs.gov. If you’ve fallen for the W-2 scam, and your employees’ tax data has been compromised, contact dataloss@irs.gov.

Prevent BEC scams with education

Formalize your efforts with a cybersecurity policy that educates staff on red flags and lays out the protocols for handling certain kinds of requests. For example, consider instructing your employees to confirm all requests for financial information or other sensitive data through a channel other than email, whether or not the request seems suspicious. You could also mandate that executives will always make certain kinds of requests over the phone.

Because BEC attacks are more dangerous when they come from legitimate email addresses, a key part of fighting them is practicing good password management. Strong passwords make it less likely that fraudsters can break into your own and your employees' email accounts. Remind employees not to use the same login information for multiple accounts, not to base security questions on publicly available information, and to think twice before responding to “alerts” from emails or websites that ask them to enter a username and password. With vigilance, your team can thwart many BEC attacks before they occur.