You may have heard the tale of someone receiving an email from a Nigerian prince, promising them a million dollars if they respond with their bank details. Or maybe a relative has gotten a text saying they’ve won a sweepstakes, and all they need to do to collect is click on the link in the message.
These are some of the earliest ways scammers have attempted to cheat people out of their money using the anonymity of technology. In recent years, scammers have gotten more sophisticated, targeting businesses and even whole government entities. Today, business email compromise (BEC), also called email account compromise (EAC), is one of the most lucrative crimes for cybercriminals.
Common Scams Used in Business Email Compromise
There are a variety of techniques criminals use to capitalize on compromised email accounts. The most common way involves scammers disguising themselves as legitimate businesses or personal contacts, gaining the trust of a target in order to exploit and defraud them.
Criminals may attempt a BEC scam through:
- Cloud compromise. Any business that relies on cloud-based email services should implement strict security measures to prevent hacking. Criminals could potentially see the communications of anyone on your company’s hosted server, including calendar events, directories, online file storage, and instant messaging.
- Impersonating a vendor. Once a criminal has gained access to a company’s email database, they can see which vendors your company uses. They then send an invoice to your accounts department from an email address that’s almost identical to the legitimate company’s address. These emails often claim that the vendor’s mailing address or banking information has changed, and that pending or future payments should be redirected to new (fraudulent) accounts.
- Unauthorized forwarding. Some criminals use phishing tactics to obtain an employee’s email account login and password. Using the correct credentials, scammers can send and delete emails from the legitimate account or set up automatic forwarding to an outside email address.
- Similar targets. Company address books, customer lists, and online directories are particularly valuable to cybercriminals. If one attempted scam falls through, criminals can work their way down a list of potential new targets, defrauding businesses and contacts across your industry.
- Gift card transactions. Some scammers have turned to gift cards as an easy way to launder misappropriated funds. A phishing email may request that an employee purchase gift cards as prizes for an upcoming charity event. The scammer sends another email asking for the serial numbers so the cards can be recorded in the company ledger, or so the employee can be reimbursed. Once the scammer has the numbers, they quickly spend the balance, leaving the victim out of pocket.
- Requests for protected information. Scammers may pose as trusted professionals, such as corporate lawyers, doctors, or government entities, to obtain information that would otherwise be difficult to get online. For example, rather than attempt to hack a high-level government server, a scammer can send an email that appears to be internal, asking your employees to “confirm” their W-2 information.
- Exploiting online payment systems. Companies that conduct the majority of their financial business online, engage foreign suppliers, or regularly perform wire transfer payments are particularly at risk of theft. Online transactions clear almost instantly, making it difficult for victims to recall or cancel an unauthorized transfer of funds.
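For the vendor-impersonation scam above, an accounts team can screen incoming invoice mail for sender addresses that are almost identical to a verified vendor's. The sketch below is an added example, not part of the original article; the vendor domains, keyword list and function names are constructed for illustration.

```python
import unicodedata

# Constructed allowlist: vendor domains verified out of band (assumption).
KNOWN_VENDORS = {"acme-supplies.com", "northwind.example"}
# Digit-for-letter swaps often seen in near-identical addresses.
SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
# Constructed keyword list for requests to change payment details.
PAYMENT_CHANGE_TERMS = ("bank", "remit", "wire", "routing", "new account")

def skeleton(domain):
    """Fold a domain so visually similar spellings compare equal.
    NFKC handles compatibility forms only, not cross-script homoglyphs."""
    d = unicodedata.normalize("NFKC", domain).lower().translate(SWAPS)
    return d.replace("rn", "m").replace("vv", "w")

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(address, vendors=KNOWN_VENDORS, max_distance=2):
    """Return ('known' | 'lookalike' | 'unknown', matched vendor or None)."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in vendors:
        return ("known", domain)
    for vendor in sorted(vendors):
        close = edit_distance(domain, vendor) <= max_distance
        if close or skeleton(domain) == skeleton(vendor):
            return ("lookalike", vendor)
    return ("unknown", None)

def needs_callback(sender, subject):
    """Hold for phone verification on a number already on file: lookalike
    senders, plus any payment-detail change, even from a known domain,
    because a genuine mailbox can itself be compromised."""
    verdict, _ = classify_sender(sender)
    asks_change = any(term in subject.lower() for term in PAYMENT_CHANGE_TERMS)
    return verdict == "lookalike" or asks_change
```

A "known" result only means the domain matches the allowlist; it says nothing about whether the sending mailbox is still under the vendor's control.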
Take Action Now to Recover from a Fraudulent Transaction
If you have noticed an unauthorized payment, you should contact your financial institution immediately to freeze or recall the transaction. You should also contact the U.S. Internet Crime Complaint Center or your local FBI field office to report BEC attempts or actual fraudulent transfers. While you work with the authorities, it’s a good idea to have an attorney by your side to explain your options and seek compensation for your losses.
The attorneys at DeLoach, Hofstra & Cavonis, P.A. offer free case evaluations for victims of Business Email Compromise (BEC) and Email Account Compromise (EAC) who have experienced wire fraud. Contact us today to set up a consultation and see what you may be able to recover.