Protect Your Business Against Email Compromise

According to the FBI, business email compromise (BEC) is one of the most financially damaging online crimes. Also known as email account compromise (EAC), it exploits the fact that many individuals rely on email to conduct personal and professional business.

What is business email compromise?

Business email compromise is when a malicious actor gains access to an employee’s business email account and uses that account to commit fraud. Email credentials can be obtained by a malicious actor in many ways. Most commonly it is done through phishing, which is when an email containing a malicious link or attachment is sent to the victim. Credentials can also be stolen through improper storage, such as having them written down on paper. If the same password is used across multiple sites and systems, a data leak from one of those systems can give the fraudster a password that they will then try on other sites until it works.

What happens once you’re compromised?

Once they have access to your email, the malicious actor may take some or even all the following actions:

• Send an email to an HR or Accounting team member requesting changes to direct deposit information.

• Use email access to reset passwords in other systems to gain access.

• Send fraudulent emails to vendors, customers, or the person’s bank requesting the transfer of funds. Sometimes the emails are social engineering emails sent to the person’s contacts, hoping to find more victims.

• Create email rules that will forward incoming emails to another (fraudulent) address without you knowing. This way, even if they lose access to the compromised account, they will continue to see their emails.

How can you prevent it?

There are several best practices that can help prevent email compromise.

• Train team members to be aware of these types of fraud.

• Utilize multi-factor authentication for accessing email. That way, even if a fraudster obtains your password, they will not be able to get in.

• Avoid re-using passwords across multiple sites and systems. If remembering them is difficult, utilize a tool such as a password manager.

• Be on the lookout for social engineering emails (also called phishing) and never click a link or enter credentials unless you are confident that the source of the email is legitimate.

• Implement dual controls with your accounting department and vendors that require all email requests to be followed up with a call to a known phone number.

• Establish procedures to follow in the event an email account is compromised at your business. Make sure it includes checking for fraudulently created email forwarding rules.

For more information on how business email compromise works and how to report this type of crime, visit www.fbi.gov/scams-and-safety/common-scams-and-crimes/business-email-compromise.

Helping you protect your company’s financial information is important to us. For additional information on how to protect your accounts, visit www.EnterpriseBanking.com/security.

More Learning

Protect Yourself from Tech Support Scams

Computers and smartphones have become an important part of daily life for most people. Tech support scammers know this and will prey on reliance on these devices.

What is the Deal with Leap Year?

Approximately every four years, February has 29 days instead of 28 and the year has 366 days. The extra day is called “leap day” and the year it happens is called “leap year.” But why do we have this?

Banking 101: What is an IRA?

An IRA is an Individual Retirement Arrangement set up with a financial institution that allows someone with earned income to save money for retirement.

Do you want to call or text us?

Call Us Text Us

Leaving Site Confirmation