Business email compromise (BEC) is one of the most financially damaging online crimes. It exploits the fact that most of us rely on email to conduct both our personal and professional business.
In a BEC scam, also tracked together with email account compromise (EAC), criminals send an email message that appears to come from a known source and makes a legitimate-looking request, as in these examples:
- A vendor your company regularly deals with sends an invoice with an updated mailing address.
- A company CEO asks her assistant to purchase dozens of gift cards to send out as employee rewards. She asks for the serial numbers so she can email them out right away.
- A homebuyer receives a message from his title company with instructions on how to wire his down payment.
Versions of these scenarios happened to real victims … but all the messages were fake.
And in each case, thousands—or even hundreds of thousands—of dollars were sent to criminals instead.
Don’t forget the rise in sophisticated AI attacks
Fraudsters are using generative AI (GenAI) to eliminate the traditional “red flags” such as poor grammar or obviously malicious links, so a polished message is no longer a sign that it is genuine.
- Deepfakes and voice cloning: Deepfake incidents in fintech have reportedly risen 700%. Criminals now need only 3 to 15 seconds of a person’s recorded voice to build a clone convincing enough to “approve” a wire transfer over the phone in that person’s voice.
  - Treat a familiar voice or a familiar caller ID as no proof of identity. Be wary of calls from unknown numbers, and call back on a number you already have on file before acting on any payment instruction.
- Synthetic identity fraud: This is the fastest-growing financial crime, with projected U.S. losses reaching $23 billion annually by 2030. Criminals use AI to assemble “Frankenstein” identities that blend real and fabricated data to pass standard onboarding checks.
  - When taking on new clientele, follow your identification protocols in full rather than skipping steps for a customer who looks clean; those protocols are what catch a “Frankenstein” or otherwise false identity.
- Autonomous phishing: Attackers use “agentic AI” to run automated, hyper-personalized social engineering at scale, mimicking an executive’s writing style to target specific employees in BEC scams.
  - Watch for emails from executives asking for payment changes, gift card purchases, or other out-of-the-norm requests, no matter how much the tone sounds like them.
Establish robust verification procedures
- Establish “Out-of-Band” Verification: Never rely on email alone to authorize a payment or change banking details. Always confirm the request via a phone call to a known, trusted number (not the one provided in the suspicious email) or through a video meeting.
- Implement Dual Approval: Require at least two employees to review and sign off on any high-value transaction or change to beneficiary information. Make sure both understand the “Out-of-Band” verification policy and hold them accountable for confirming with each other that the verification actually happened before funds are released.
- Use “Forward” Instead of “Reply”: When responding to a request for sensitive information, click “Forward” and type the recipient’s address yourself from your address book. “Reply” sends your answer to whatever address the sender set (the Reply-To header, or a spoofed or lookalike From address), so it can hand the conversation to the attacker without you noticing.
Enforce Technical Safeguards
- Enforce Multi-Factor Authentication (MFA): This is a non-negotiable baseline. MFA can stop an attacker who has stolen a password from logging into the mailbox. Prefer phishing-resistant methods (FIDO2 security keys or passkeys) over SMS or one-time codes, because adversary-in-the-middle phishing kits can relay those codes in real time.
- Configure Email Authentication (DMARC/SPF/DKIM): SPF lists the servers allowed to send for your domain, DKIM signs outgoing mail so tampering is detectable, and DMARC tells receiving servers what to do when a message fails both checks. Publish DMARC with an enforcing policy (p=reject), since p=none only reports. Note that these protocols protect your exact domain from being spoofed; they do nothing against a lookalike domain the attacker registered, which is why the verification and training controls still matter.
- Flag External Emails: Set up your email gateway to automatically add a visible tag (e.g., “[EXTERNAL]”) to any message originating from outside your organization, so a message that claims to be from the CEO but carries the tag stands out.
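The SPF and DMARC settings above are easy to publish in a form that looks like protection but still lets forged mail through. The script below, an added example rather than code from the original page, audits a weak pair of records (softfail SPF, DMARC p=none) beside a hardened pair (-all, p=reject). The records are constructed inline so it runs offline; a real audit would fetch the TXT records for the domain and for _dmarc.<domain> with a DNS library such as dnspython.

```python
"""Audit SPF and DMARC TXT records for settings that leave a domain spoofable.

Added example, not code from the original page. The four records below are
constructed so the script runs offline; in production you would fetch the TXT
records for <domain> and _dmarc.<domain> with a DNS library such as dnspython.
"""
import re

# Constructed records: the weak pair says "we use SPF/DMARC" but still lets a
# forged message through; the hardened pair tells receivers to reject it.
WEAK_SPF = "v=spf1 include:_spf.mail-provider.example ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_SPF = "v=spf1 include:_spf.mail-provider.example -all"
STRONG_DMARC = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; "
                "rua=mailto:dmarc@example.com")

# SPF mechanisms that cost a DNS lookup; RFC 7208 allows at most 10 per check.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|exists)(:|/|$)|^redirect=", re.I)


def parse_tags(record: str) -> dict:
    """Split a DMARC-style 'k=v; k=v' record into a dict of lowercase keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_spf(record: str) -> list:
    """Return a list of weaknesses in an SPF record (empty means it looks sound)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("'+all' authorizes every host on the internet to send as this domain")
    elif last == "~all":
        findings.append("softfail '~all': forged mail is only marked, not rejected; use '-all'")
    elif last != "-all":
        findings.append("no terminating 'all' mechanism, so unlisted senders get a neutral result")
    lookups = sum(bool(LOOKUP_TERM.match(t)) for t in terms[1:])
    if lookups > 10:
        findings.append(f"{lookups} lookup mechanisms: SPF evaluation permerrors past 10")
    return findings


def audit_dmarc(record: str) -> list:
    """Return a list of weaknesses in a DMARC record (empty means it looks sound)."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "")
    if policy == "none":
        findings.append("p=none only reports; receivers still deliver forged mail")
    elif policy == "quarantine":
        findings.append("p=quarantine sends forged mail to spam instead of rejecting it")
    elif policy != "reject":
        findings.append(f"policy '{policy}' is missing or invalid")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    if tags.get("adkim", "r") == "r" or tags.get("aspf", "r") == "r":
        findings.append("relaxed alignment: a DKIM/SPF domain only needs to share the "
                        "organizational domain with the From header")
    if "rua" not in tags:
        findings.append("no rua= address, so you never see aggregate reports of spoofing attempts")
    return findings


def audit_domain(spf: str, dmarc: str) -> dict:
    """Combine both audits into one report for a domain."""
    return {"spf": audit_spf(spf), "dmarc": audit_dmarc(dmarc)}


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                              ("hardened", STRONG_SPF, STRONG_DMARC)):
        print(label, audit_domain(spf, dmarc))
```

The hardened pair produces no findings; the weak pair is flagged for softfail, for p=none, and for relaxed alignment. Run it against your own records before assuming your domain is covered, and remember that a clean result only means your exact domain cannot be forged: a registered lookalike domain passes SPF and DMARC for itself.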
Employee Education
Employee Education is critical to fighting cybercrime!
- Conduct Regular Phishing Simulations: Use tools to send fake phishing emails to staff. If an employee “takes the bait,” use it as a real-time teaching moment rather than a punishment, so people keep reporting what they see.
- Teach the “Red Flags”: Train your team to spot common BEC indicators:
  - Extreme Urgency: Pressure to act quickly to avoid a “crisis” or “account closure,” or to skip the normal approval because someone is travelling or in meetings.
  - Unusual Requests: A high-level executive asking for something they typically wouldn’t, like gift cards or employee W-2s.
  - Subtle Address Changes: Lookalike domains where one character is different (e.g., micros0ft.com, with a zero, instead of microsoft.com), or a Reply-To address that does not match the From address.
- Educate employees on the role AI plays in fraud, and establish procedures so that no one treats the sound of a person’s voice on the phone, or the number shown on caller ID, as proof of who they are talking to.
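The red flags above (urgency, an unusual request, a lookalike sender domain) and the Reply-To trick behind the “Forward, don’t Reply” advice can all be checked mechanically before a message reaches accounts payable. The script below is an added example, not code from the original page: it screens a raw email against a constructed allow-list of trusted domains, folds look-alike characters (0 for o, 1 for l, rn for m) before comparing, flags a Reply-To that differs from the From address, and searches the subject and body for urgency and payment-change language. The two sample messages, the domain list and the keyword patterns are all constructed for the demo.

```python
"""Screen an inbound message for the BEC red flags described above.

Added example, not code from the original page. It checks a lookalike sender
domain against a constructed allow-list of domains the company deals with,
a Reply-To that silently redirects the conversation (the reason the page says
to Forward rather than Reply), urgency language, and payment/gift-card/W-2
requests. The domains, keyword lists and both sample messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed allow-list: domains this company legitimately corresponds with.
TRUSTED_DOMAINS = ("example.com", "acme-supplies.com")

# Substitutions attackers use because they look alike in most fonts.
# Multi-character pairs go first so "rn" is folded before single characters.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

URGENCY = re.compile(r"\b(urgent(ly)?|immediately|asap|right away|today|before (the )?close)\b")
REQUEST = re.compile(r"gift cards?|\bw-?2s?\b|new bank account|"
                     r"(update|change)[^.\n]{0,40}(routing|account|bank|wire)")


def normalize(domain: str) -> str:
    """Fold look-alike characters so 'examp1e.com' compares as 'example.com'."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one dropped, added or swapped letter is the common trick."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the trusted domain this sender domain imitates, or None."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    norm = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        if norm == trusted or edit_distance(norm, trusted) <= 1:
            return trusted                      # examp1e.com, exampl.com, examplee.com
        if norm.split(".")[0] == trusted.split(".")[0]:
            return trusted                      # example.co, example.com.evil.net
    return None


def screen(raw_message: str) -> list:
    """Return human-readable red flags found in an RFC 822 message string."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2]
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()

    flags = []
    imitated = lookalike_of(from_domain)
    if imitated:
        flags.append(f"sender domain {from_domain} imitates trusted domain {imitated}")
    if reply_addr and reply_addr.lower() != from_addr.lower():
        flags.append(f"Reply-To {reply_addr} differs from From {from_addr}; a reply goes to the attacker")
    urgency = URGENCY.search(text)
    if urgency:
        flags.append("urgency language: " + urgency.group(0))
    request = REQUEST.search(text)
    if request:
        flags.append("unusual financial request: " + request.group(0))
    return flags


# Constructed sample: a CEO-impersonation message with all four indicators.
SUSPICIOUS = """\
From: "Dana Morgan, CEO" <dana.morgan@examp1e.com>
Reply-To: dana.morgan.ceo@webmail-host.example
To: ap@example.com
Subject: Urgent - vendor bank details

I'm in meetings all day. Please update Acme's routing and account number
to the new bank account below and release the payment today before close.
Don't call, just reply here.
"""

# Constructed sample: routine mail from a trusted vendor, no indicators.
ROUTINE = """\
From: Pat Lee <pat.lee@acme-supplies.com>
To: ap@example.com
Subject: March invoice

Hi, the March invoice is attached. Same terms as usual. Thanks, Pat
"""

if __name__ == "__main__":
    print(screen(SUSPICIOUS))
    print(screen(ROUTINE))
```

The suspicious message trips all four checks; the routine vendor message trips none. Keyword matching like this is a cheap first filter, not a verdict: a message with no flags still needs out-of-band verification before any payment detail changes, and the domain check only catches imitations of domains you have put on the list.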
Financial Controls
- Limit Public Information: Criminals often use social media (like LinkedIn) to identify who handles your company’s finances or who the top executives are. Encourage employees to be mindful of what they share publicly.
- Use Fraud Prevention Tools: Bank services such as Positive Pay (for checks) and ACH debit filters or blocks compare each presented item against what you have authorized and flag anything else before funds leave your account.