How to avoid business email compromise (BEC) scams

Criminal organizations that perpetrate business email compromise (BEC) schemes don't just target companies.

They also exploit individual victims—such as real estate purchasers or the elderly—by convincing them to make wire transfers to bank accounts controlled by the criminals. The scam can also involve requests to purchase gift cards and send the serial numbers or to mail a check, but the request will always appear to come from someone known to or trusted by the victim.

An FBI case that was part of last year’s operation illustrates how the BEC scheme works: Beginning in 2015, two men working remotely from the United Kingdom and Nigeria sent emails to an executive at a Connecticut-based company appearing to be from the company’s CEO, who was also located overseas. The purported CEO was requesting a wire transfer of funds. The email looked legitimate, so the company’s controller sent multiple wire transfers totalling more than $500,000. But as it turns out, the CEO’s email account had been spoofed—and the money went straight into accounts managed by the criminals.

“If you saw the email, it would look very legitimate,” said Special Agent Jennifer Boyer, who worked the case out of the FBI’s New Haven Field Office. She encouraged anyone who is in a position to wire money to pause and question all requests before hitting send.

“Take a moment to consider that maybe it’s not your boss and pick up the phone and verify,” said Boyer. “It’s that second-factor authentication that people really need to implement, and so many people don’t.”

In addition to verifying all financial requests received by email, the IC3 recommends businesses and individuals:

• Use two-factor authentication to verify any change to account information or wire instructions.
• Check the full email address on any message and be alert to hyperlinks that may contain misspellings of the actual domain name.
• Don’t supply login credentials or personal information in response to a text or email.
• Regularly monitor financial accounts.
• Keep all software and systems up to date.

The effects of this crime are far-reaching, and the dollar amounts involved are staggering. Since the Internet Crime Complaint Center (IC3) began formally tracking BEC (and its variant, email account compromise, or EAC) in 2013, it has gathered reports of more than $10 billion in losses from U.S. victims alone. The worldwide tally is more than $26 billion.

Victims of business email compromise schemes are encouraged to contact law enforcement immediately and file a complaint online with the IC3 at bec.ic3.gov. The IC3 staff reviews complaints, looks for patterns or other indicators of significant criminal activity, and refers investigative packages of complaints to the appropriate law enforcement authorities.