Business Email Compromise

Business email compromise, one of the top fraud threats facing businesses of all sizes, is a type of scam that involves fooling employees into authorizing payments and transferring funds to imposters.

Scammers email someone in your organization with what appears to be a legitimate request from a known colleague, vendor or business associate.

Often, the scammer will target employees responsible for transferring funds, such as executives, finance department employees and HR managers. They may also contact new or entry-level employees who may not know to question payment requests or to verify an email's legitimacy.

• Someone posing as a company executive requests an urgent wire transfer and insists that it be sent in secret.
• Someone posing as a vendor asks your company to send future payments to a different account.
• Someone posing as a division manager needs an assistant to buy dozens of gift cards for employee recognition and send the cards' serial numbers to the division manager immediately.

Criminals conducting business email compromise attacks often employ tactics like:

• Using fake sender domains: Scammers set up email addresses that closely resemble a genuine business email address, such as Suzy.Smith@enterpriseco.com instead of Suzy.Smith@enterprise.com. Recipients who aren't paying close attention won't notice that one letter or some punctuation is off.
• Urgent email subject lines: Scammers often depend on creating a sense of urgency to get victims to act quickly and before they've thought through the request.
• Non-obvious trickery: Unlike traditional phishing or spam emails, business email compromise communications usually don't contain clickable links or attachments. That makes it tough for traditional security solutions to detect these scams.

• Conduct regular employee trainings. Train staff how to identify and respond to this always-evolving form of phishing.
• Establish security practices and policies for employees, such as requiring strong passwords and multi-factor authentication (MFA) to access sensitive information on the company's network.
• Keep systems and software updated and install a strong, reputable antivirus program.
• Have employees verify payment and purchase requests in person, if possible, or by the number on file to make sure it's legitimate.
• Separate payment processing duties. The same employee should not be able to initiate and approve a funds transfer.
• Encourage employees to be cautious about sharing information about their jobs on social media sites. Attackers can use the information to learn about your company, employees' roles and the technology you use.
• Report scams. Contact your financial institution immediately and request that they contact the financial institution where the funds were sent. Also, file a complaint with the FBI's Internet Crime Complaint Center.