Cybercrime is more rampant than ever, and at Mabrey Bank we see firsthand the financial damage that digital scams do to both customers and businesses. One of the most common and most damaging forms of online cybercrime is Business Email Compromise (BEC). It exploits the fact that most organizations rely almost entirely on email to conduct personal and professional business, and in 2023 alone, the FBI’s 2023 Internet Crime Complaint Center Report showed $2.9 billion in losses due to BEC.
In a BEC scam, criminals send an email that appears to come from a known source and makes a legitimate-looking request. For example, a known vendor will appear to send an invoice with an updated payment address or new payment account information. The action plan below can help your business prevent and/or respond to BEC, and comes courtesy of our partners at Nacha and its Payments Innovation Alliance.
If your company is a victim of BEC…
- Act Fast to Recover your Money
  - If you, a customer or a trading partner sent money to a fraudulent account, immediately contact your (or their) financial institution and request that it contact the financial institution that received the transfer. That bank or credit union can then be asked to reverse the transaction and freeze the fraudulent account.
- Contact Law Enforcement
  - Contact your local FBI field office and file a complaint with the FBI’s Internet Crime Complaint Center (IC3).
  - Contact local law enforcement and file a police report. When doing so, request that law enforcement work with the IC3’s Recovery Asset Team to help recover your stolen money.
  - Notify all applicable regulators and/or licensing authorities as required.
- Keep Fraudsters Out
  - Scan and scrub all communications systems for viruses, malware and security gaps. Keep a record of any viruses or malware that were removed.
  - Require all employees to change their passwords immediately and to use strong passwords.
- Document and Recover
  - Preserve all communications and records related to the BEC scam, including email messages and the IP address records the fraudster used to access company systems. Law enforcement will need this information during its investigation.
  - Review your insurance coverage to determine whether it covers the financial loss.
How to Prevent BEC Scams…
- Increase Security
  - Implement and enforce two-factor (or multi-factor) authentication on every account that supports it.
  - Implement a two-step process with customers, vendors and business partners so that any change to account information or other payment instructions is confirmed through a channel other than the one on which the change was requested.
- Review Procedures
  - Establish multi-layer review procedures for approving transactions above set thresholds. These should include dual controls for approving certain transactions, and delegations of authority for when one or both dual-control approvers are unavailable.
  - Take advantage of SMS activity alerts that can be set up with your financial institution, and review all bank and payment card statements daily for unusual activity.
- Raise Awareness
  - Use caution when sharing information online or on social media. Openly sharing details such as pet names, schools you attended, links to family members and your birthday can give a scammer what they need to guess your password or answer your security questions.
  - Don’t click on anything in an unsolicited email or text message that asks you to update or verify account information. Look up the company’s phone number yourself, from an internal directory or a public directory (never use a number the potential scammer provides).
  - Carefully examine the email address, URL and spelling used in any correspondence. Scammers often rely on slight differences to trick your eye and gain your trust.
  - Be careful what you download. Never open an email attachment from someone you don’t know, and be wary of email attachments forwarded to you.
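As an added illustration of the "examine the email address" advice above (example code written for this page, not from Mabrey Bank, Nacha or the Alliance), the script below flags sender domains that are near-misses of a trusted vendor list, using both a small visual-substitution table and an edit-distance check. The vendor domains, the substitution table and the sample addresses are constructed assumptions.

```python
# Constructed allowlist of vendor domains the business actually transacts with.
TRUSTED_DOMAINS = {"acme-supply.com", "mabreybank.com", "northfield-logistics.com"}

# Common visual substitutions seen in lookalike domains (assumed, partial list).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w", "cl": "d"}


def normalize(domain: str) -> str:
    """Lowercase the domain and collapse visually confusable sequences."""
    d = domain.lower().strip()
    for src, dst in HOMOGLYPHS.items():
        d = d.replace(src, dst)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute) by dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(address: str, max_distance: int = 2) -> str:
    """Classify a sender address as 'trusted', 'lookalike' or 'unknown'.

    'lookalike' means the domain is not on the allowlist but is within a few
    edits of one, or becomes identical once confusable characters are collapsed.
    """
    if "@" not in address:
        return "unknown"
    domain = address.rsplit("@", 1)[1].strip().lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    norm = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        if norm == normalize(trusted) or edit_distance(domain, trusted) <= max_distance:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample "From:" addresses, as they might appear in an AP inbox.
    samples = ["ap@acme-supply.com", "ap@acrne-supply.com",
               "billing@mabreybank.co", "ap@acme-supp1y.com", "someone@example.org"]
    for addr in samples:
        print(f"{addr:28} -> {check_sender(addr)}")
```

A "lookalike" result is a cue to confirm the request through the out-of-band process described above rather than by replying to the email.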
Remember, every business is susceptible to fraud. Being diligent and steadfast in your security procedures externally with clients and internally with your co-workers can go a long way in keeping your systems safe and secure. Do not be afraid to ask your internal resources, such as your IT team or security team, if you are unsure about a request. It never hurts to ask.
Finally, ensure all team members are trained on best practices for email and online activity security. Stay safe out there!
*Disclaimer
This Business Email Compromise Action Plan (“Plan”) does not constitute legal advice and is provided for general informational purposes only. Readers should contact their attorney to obtain advice with respect to any particular legal matter. No reader should act or refrain from acting on the basis of information in this Plan without first seeking legal advice from counsel in the relevant jurisdiction. Only your individual attorney can provide assurances that the information contained herein – and your interpretation of it – is applicable or appropriate to your particular situation.
The views expressed are those of the individual authors writing in their individual capacities only – not those of their respective employers, Nacha or the Payments Innovation Alliance. All liability concerning actions taken or not taken based on the contents of this Plan is expressly disclaimed. The Plan’s content is provided “as is” and no representations are made that the content is error-free. Use of and access to this Plan does not create an attorney-client relationship between the reader and the Plan’s authors, contributors or contributing law firms.