According to the FBI, business email compromise (BEC) is one of the most financially damaging online crimes. Also known as email account compromise (EAC), it exploits the fact that many individuals rely on email to conduct personal and professional business.
What is business email compromise?
Business email compromise is when a malicious actor gains access to an employee’s business email account and uses that account to commit fraud. Email credentials can be obtained by a malicious actor in many ways. Most commonly it is done through phishing, which is when an email containing a malicious link or attachment is sent to the victim. Credentials can also be stolen through improper storage, such as having them written down on paper. If the same password is used across multiple sites and systems, a data leak from one of those systems can give the fraudster a password that they will then try on other sites until it works.
What happens once you’re compromised?
Once they have access to your email, the malicious actor may take some or even all the following actions:
• Send an email to an HR or Accounting team member requesting changes to direct deposit information.
• Use email access to reset passwords in other systems to gain access.
• Send fraudulent emails to vendors, customers, or the person’s bank requesting the transfer of funds. Sometimes the emails are social engineering emails sent to the person’s contacts, hoping to find more victims.
• Create email rules that will forward incoming emails to another (fraudulent) address without you knowing. This way, even if they lose access to the compromised account, they will continue to see their emails.
How can you prevent it?
There are several best practices that can help prevent email compromise.
• Train team members to be aware of these types of fraud.
• Utilize multi-factor authentication for accessing email. That way, even if a fraudster obtains your password, they will not be able to get in.
• Avoid re-using passwords across multiple sites and systems. If remembering them is difficult, utilize a tool such as a password manager.
• Be on the lookout for social engineering emails (also called phishing) and never click a link or enter credentials unless you are confident that the source of the email is legitimate.
• Implement dual controls with your accounting department and vendors that require all email requests to be followed up with a call to a known phone number.
• Establish procedures to follow in the event an email account is compromised at your business. Make sure it includes checking for fraudulently created email forwarding rules.
For more information on how business email compromise works and how to report this type of crime, visit www.fbi.gov/scams-and-safety/common-scams-and-crimes/business-email-compromise.
Helping you protect your company’s financial information is important to us. For additional information on how to protect your accounts, visit www.EnterpriseBanking.com/security.