8 Practical Tips to Avoid Being the Victim of a Business Email Compromise Scam

The FBI defines Business Email Compromise (BEC) as “a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. The scam is carried out by compromising legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.”

Some Background

BEC scams are a real threat and criminals are increasingly targeting small and medium-sized businesses, in addition to historical targets such as large companies and financial institutions. Victim companies have been reported in all 50 states and 79 other countries. According to reports tracked by the FBI, there has been a 270% increase in BEC victims when comparing the period from October 2013 to December 2014 to the period from October 2013 to August 2015.


In only an additional nine months, the number of victims increased by almost 6,000 reported cases!

So how can you protect yourself from being a victim of a BEC scam? Here are 8 practical tips:

  1. Implement a two-step verification for any wire transfer. Never rely solely on an email request, despite the circumstances. You can either:
    a. Pick up the phone or walk down the hall to confirm a wire request verbally.
    b. Setup a one-time password or verification phrase if an executive is traveling and may have limited access to his/her phone.
  2. Use previously-stored or known account numbers and not the number in an email request.
  3. Ensure all employees receive security awareness training and be sure you reward positive employee behaviors:
    a. Encourage employees to be suspicious and alert.
    b. Ensure employees are aware of sudden changes in business practices or customer/vendor payment changes (e.g. frequency, reason, bank, etc.).
    c. Be suspicious of any requests for urgency or secrecy.
  4. Forward emails instead of just clicking “reply” to ensure you are sending messages to appropriate email addresses and not replying to a spoofed message (in which the sender’s email address ends in .co or is a legitimate address that’s been altered by adding/removing a letter).
  5. Do not open suspicious emails/attachments or download unknown files as they may contain malware.
  6. Register any company domains that may be slightly different than your actual company domain (e.g. .co vs. .com, abcompany.com vs. abccomapny.com, etc.).
  7. Be cautious of posting personal information to social media or company websites, including notifications of travel for executives ahead of time.
  8. Ensure your IT department follows best practices in regards to patching, anti-virus, intrusion detection, firewalls, etc.
    a. See if your IT department can set up filters to automatically flag or reject emails from similar, yet fraudulent, domains.

If you are a BEC victim, make sure to contact your financial institution ASAP. Response time is crucial in your or the financial institution’s ability to recover any funds.

If you’d like to know more about how these criminals are so successful or how you can implement safeguards against BEC scams, Holtzman Partners is happy to help. Please contact us directly at 512.610.7200 or submit your inquiry online.

Was this helpful? Share to your network.