Businesses small and large are targeted constantly by scammers and hackers, but small businesses are the most vulnerable due to limited resources to devote to IT and other preventative measures. One of the biggest scams targeting businesses in recent years is known as the Business Email Compromise (BEC) scam, and recently the FBI published a public service announcement stating that the total lost by businesses around the world to these scams in the past two years has reached a staggering $1.2 billion. Even more shocking, this PSA was a follow-up to one published in January 2015, and since that time the number of victims and the loss identified have increased by 270%. BEC scams have been reported in all 50 states as well as 79 countries internationally, and judging by the numbers, they are on the rise. How can your small business protect itself from becoming a part of this trend?

How do business email compromise scams work?

Typically, these scams target businesses that work with foreign suppliers and/or regularly perform wire transfer payments. The scammer will compromise a legitimate business email account and use it to conduct unauthorized transfers of funds. Although BEC scams typically involve wire transfers, if a company uses checks for payments, scammers will follow suit to make the fraudulent transaction seem as legitimate as possible. Scammers compromise email accounts within the business through phishing emails that trick the owner of the account into clicking on a malicious link. Sometimes, the scam is conducted through the use of an email address which has a domain that very closely matches the business’ — for example, if your business uses “,” the fraudster will use “”

Another version of this scam sees the fraudster getting more aggressive by posing as a lawyer or other legal representative and contacting the business regarding an important matter. This scam can be done over email or the phone, and it generally pressures its victims to act quickly or secretly and wire money immediately. No matter how these scams are perpetrated, they seem to be working, considering that the amount lost and the number of businesses that have fallen victim are steadily on the rise.

Statistics from the FBI's PSA about business email compromise scams

BEC scams are particularly insidious because they target specific people within a company in an attempt to fool them into sending payments to what they think is a legitimate business partner or supplier. They often use a compromised email account to spy on the target in order to learn the language habits and business procedures to better pull the wool over their eyes. For example, this post on the Krebs on Security blog describes a woman who nearly lost her company $315,000 after receiving an email from her boss asking her to wire the money to China to pay for raw materials. The email was actually from a scammer pretending to be her boss, but due to the fact that he was traveling abroad at the time, she was almost convinced. BEC scams have fooled people at businesses both large and small, new and well established. It’s important for companies to take action to help prevent these scams from happening to them.

How can I protect my business from these scams?

1. Consider registering all domains that are similar to the one your business uses. Many spammers are able to dupe their targets successfully because they use an email address with a domain that is almost identical to the one a company uses. People aren’t always as perceptive as they should be, especially when dealing with what might seem like a routine wire transfer request. Registering domains that are slightly different from your own puts you one step ahead of the scammers.

2. Make sure your employees have a process in place regarding the transfer of funds. The FBI suggests setting up a two-step authentication process — such as having more than one person or department look over and sign off on a request. Additionally, instruct employees to verify using phone numbers and email addresses they know rather than those written in emails. All emails should be thoroughly scrutinized, and employees should be encouraged to speak up if something looks “off” to them — such as a change in tone, misspellings or a difference in routine.

3. Resist broadcasting your every move on social media. Since business email compromise scams are targeted and tailored to their victims, it’s important for businesses to take the same precautions urged of everyday people in preventing identity theft. Social media can be a great tool for businesses to use when it comes to self promotion and marketing, but not everyone watching is friendly. Broadcasting when the CEO is traveling and what they are doing gives scammers ammunition to use when attempting these scams.

4. Strengthen your Internet security. If you aren’t using Internet security software for your business, now is the time to get it. And if you are using it, consider looking into improvements that could be made to protect your network and prevent email accounts from being hacked in the first place. In addition to using security software on computers, employees should also be instructed to take care when clicking on links and to report any unusual activity on their email account, whether from people within or outside the business, to a supervisor or IT member.
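The look-alike domains described in tip 1 can also be caught on the receiving side. The following is an added example, not part of the original article: it goes one step beyond registering similar domains by labeling inbound sender addresses whose domain is a near match of your own. The domain, the addresses, the confusable map and the distance threshold are all constructed assumptions.

```python
import unicodedata

# Small constructed look-alike map (assumption); not a complete confusables table.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "5": "s"}

def skeleton(domain):
    """Lowercase, strip accents and fold look-alike character sequences."""
    text = unicodedata.normalize("NFKD", domain.lower())
    text = "".join(c for c in text if not unicodedata.combining(c))
    for fake, real in CONFUSABLES.items():
        text = text.replace(fake, real)
    return text

def edit_distance(a, b):
    """Optimal-string-alignment distance: insert, delete, substitute, swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent letters swapped
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify_sender(sender, own_domain, max_distance=2):
    """Return 'own', 'lookalike' or 'external' for a sender address."""
    domain = sender.rsplit("@", 1)[-1].strip(" <>").lower().rstrip(".")
    if domain == own_domain or domain.endswith("." + own_domain):
        return "own"
    if edit_distance(skeleton(domain), skeleton(own_domain)) <= max_distance:
        return "lookalike"
    return "external"

# Constructed sample data: the domain and addresses are placeholders.
OWN_DOMAIN = "harbor-metals.example"
SENDERS = ["ceo@harbor-metals.example", "ap@mail.harbor-metals.example",
           "ceo@harbor-meta1s.example", "ceo@harbor-rnetals.example",
           "ceo@habror-metals.example", "accounts@supplier.example"]

def flag_lookalikes(senders=SENDERS, own_domain=OWN_DOMAIN):
    """Return only the addresses whose domain imitates own_domain."""
    return [s for s in senders if classify_sender(s, own_domain) == "lookalike"]

if __name__ == "__main__":
    for address in SENDERS:
        print(classify_sender(address, OWN_DOMAIN), address)
```

A short company domain will produce false positives at a distance of 2, so lower `max_distance` or keep an allow-list of known partner domains in that case.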

What should I do if I am the target of a scam?

If your business is targeted by a business email compromise scam, you should contact your bank immediately upon the realization of a fraudulent transfer. The sooner fraud is caught the better, and it’s possible the bank might be able to stop a transfer or reverse it if notified quickly enough. Next, contact your local FBI office and report the fraudulent transfer. It’s possible they might be able to help return or freeze the funds if your bank can’t. Finally, file a report regarding any money lost with the FBI’s Internet Crime Complaint Center.

You can learn more about protecting yourself and your business from scams by visiting our identity theft protection blog.