Preventing Business Email Compromise

Posted on July 02, 2024

Business email compromise (BEC) is one of the most prevalent and financially damaging cybercrimes. The majority of these crimes are financially motivated, but BEC can also be used to steal trade secrets or install ransomware, which opens businesses up to reputational damage, or even the potential for blackmail or extortion.

What is it?

Business email compromise is a cyber attack, through email, that targets organizations to steal their money or critical information. In 2023, the FBI reported that businesses lost about 3 billion dollars to these types of scams.

Many times, companies don’t realize they’ve fallen victim to BEC until it’s too late. Scammers have only gotten more sophisticated, and their emails are getting harder to distinguish from the real thing. Because of that, the ideal target for BEC is a small, busy company (title companies, attorney’s offices, contractors, etc.)—someone moving so quickly that they may miss the one detail that isn’t quite right.

How can I prevent it?

Your best chance at preventing fraudulent payments is before they’re ever sent. At United, we offer strong internal controls around ACH and wire origination to protect you and mitigate as much loss as possible. Features like dual control are critical because if one of your company’s devices is hacked, the other employee involved in the process can prevent a transaction from going through.

A few other practical ways to protect yourself:

Keep your security software updated, beyond just your standard pop-up blocker.
Eliminate or lessen the use of hyperlinks in your internal emails (so links from a scammer will stand out).
Slow down: If you’re sending financial information or payments, take the time to double-check.

At the end of the day, we can’t ignore the fact that fraud will happen. It’s just a matter of when—so it’s also a good idea to talk to your insurance provider about a policy to cover you if you lose funds because of a scam.

I think I’ve been scammed. What should I do now?

If you’ve fallen victim to a BEC scam, time is of the essence—but don’t panic. To “contain the infection,” disconnect from your network and don’t send any emails. Instead, pick up the phone to contact your IT department, your financial institution, and law enforcement.

Then, we’d recommend taking the following actions:

Lock down your bank accounts (depending on the extent of the scam, you may need to close them and reopen new ones)
Notify any impacted stakeholders
Maintain any emails involved in the scam for the police report
Consider card controls or alerts
Freeze your credit with all three bureaus

In addition to filing a police report, FBI agents are always on call to help. A quick way to get the FBI involved is ic3.gov. It’s an online way to provide information about the scam so that the FBI can open a new case or add to an existing one. The program will then start the chain of events to stop the fraudulent funds from being transferred.

Want to learn more about business email compromise? Our security and treasury teams hosted a BEC webinar to discuss real-life examples and the steps we’re taking to protect our customers. To watch the full conversation, click here.