Email compromise scams put businesses at risk

Email compromise scams put businesses at risk

Business-email compromise fraud is an email phishing scam that typically targets people who pay bills in businesses, government and nonprofit organizations. It affects both big and small organizations.


An in-depth investigative study by Better Business Bureau finds business-email compromise scams are skyrocketing in frequency and have cost businesses and other organizations more than $3 billion since 2016.

Business-email compromise fraud is an email phishing scam that typically targets people who pay bills in businesses, government and nonprofit organizations. It affects both big and small organizations, and it has resulted in more losses than any other type of fraud in the U.S., according to the Federal Bureau of Investigations.

The investigative study — “Is That Email Really From ‘The Boss?’ The Explosion of Business Email Compromise Scams” — looks at the prevalence of BEC scams and the criminal systems that perpetrate them. It digs into the scope of the problem, who is behind it, the multi-pronged fight to stop it and the steps consumers can take to avoid it.

BEC fraud takes many forms, but in essence the scammer poses as a reliable source who sends an email from a spoofed or hacked account to an accountant or chief financial officer, asking them to wire money, buy gift cards or send personal information, often for a plausible reason. If money is sent, it goes into an account controlled by the con artist.

This serious and growing fraud has tripled over the last three years, jumping 50 percent in the first three months of 2018 compared to the same period in 2017. In 2018, 80 percent of businesses received at least one of these emails. From 2016 through May 2019, the Internet Crime Complaint Center received 58,571 complaints on BEC fraud with reported losses in the U.S. totaling $3.1 billion.

An Edwardsville, Illinois real-estate agent told BBB that on the closing date for a house she helped sell, the buyer received an email appearing to come from the agent, requesting the buyer wire funds to a specified account, contrary to the agent’s instructions that the buyer bring a certified check to the closing.

While the agent did not send the email nor was it from her true email address, the amount requested was the actual closing price of the house, and an attached PDF showed the letterhead of the real company handling the transaction. The account to which the money was to be wired was fake.

The buyer did not comply and brought a certified check to the closing. Because the agent reported the incident to her manager and the title company, her company now warns clients to call the title company or real-estate agent if they receive instructions to wire real-estate closing money.

The report recommends:

—BBB urges businesses and other organizations to take technical precautions such as multi-factor authentication for email logins and other changes in email settings, along with verifying changes in information about customers, employees or vendors. The report also urges culture and training changes in organizations, namely confirming requests by phone before acting and training all employees in internet security.

—There is a strong need for more international cooperation between law-enforcement agencies.

—Email system providers should consider enabling additional features to help prevent BEC fraud including default settings with more security.

—Law enforcement should recognize BEC fraud gangs engage in many varieties of the fraud at the same time and focus on the key actors in the frauds, not just supporting actors such as money mules.

What to do if your organization has lost money to a BEC fraud:

—If an organization finds it has been a victim of a BEC fraud, it needs to immediately call its bank to stop the payment and report it to the FBI. If a report is filed within 48 hours, there is a chance the money can be recovered.

—Complain to the FBI’s Internet Crime Complaint Center. IC3 also asks people to report unsuccessful BEC attempts as well. Information from attempts may help establish patterns or identify mule bank accounts.

—Report fraud to BBB Scam Tracker.

Loading next article...

End of content

No more pages to load