Check your email for criminal compromise

May 2021

Email underpins so much of our business dealings today – from initial interactions to scheduling, transactions, and customer service. The necessity of email means keeping corporate accounts secure is essential. Yet, business email compromise (BEC) is one of the most common and financially damaging cybercrimes. According to the Association for Financial Professionals “Payments Fraud and Control Survey” report, 76% of organizations were targeted by BEC in 2020.¹

What is Business Email Compromise?

In a BEC scenario, scammers send an email message that appears to come from a known source and contain a legitimate request. For example, the email may look like it’s coming from a vendor that is requesting updated payment information on a new online system.

BEC typically targets companies that make electronic payments to vendors domestically or internationally. Scammers trick an employee into authorizing a wire transfer or ACH payment. According to the FBI's Internet Crime Complaint Center (IC3), BEC scams grew 100% from 2018 to 2019 causing a loss of more than $26 billion dollars from 2016 to 2019.²

Tactics for BEC include:

Spear phishing emails, which look like they are from a trusted sender to trick victims into revealing confidential information that allows access to company accounts, calendars, and data. Spear phishing targets company officials (typically an individual in the finance department).
Malware that infiltrates company networks and allows access to legitimate email threads about billing and invoices. With this information, scammers can time requests so they don’t appear suspicious.
Spoofing an email account or website using similar domain or company names (e.g., slight misspellings of actual vendor names).
Using a compromised email account from a legitimate business contact to generate false invoices and request payment information.

A new and growing area of opportunity for cybercriminals are BEC scams that target investors who are part of a pending deal. The scammers issue fake “capital call” emails requesting immediate wire transfers to complete the investment. These scams generate payouts that are many times higher than a typical vendor payment scam.

“Many legitimate business payment interactions originate in emails, but it’s important for employees to be aware of the threat of compromised emails and know what to look for before sharing financial information or sending payments,” said Kelly Uhrich, Deputy Chief Information Security Officer.

How to Protect Your Company from BEC

Emails are a necessary part of business, which means protecting your company from fraud or loss due to BEC is necessary, too. Begin with making sure employees are aware of the threat of BEC. Create solid internal controls such as:

Authenticate any requests to make a payment or change payment information by contacting sender at a known contact number (e.g., phone).
Carefully review and confirm email addresses or domains are spelled correctly.
Never share account information or passwords with unconfirmed recipients.
Review accounts frequently for out of the ordinary transactions or unusually timed requests.
Initiate payments using dual controls.
Use accounts payable automation to help secure payments processes from end to end, track transactions and data to identify outliers, and authenticate vendors and payment requests.

The KeyBank Information Security and Fraud team keeps track of the evolving threats from cybercriminals to help protect your organization from costly fraud incidents such as BEC scams. For more information on how to keep your business information secure, please visit us at key.com/cybersecurity.