
Smart Ways for Small Businesses to Avoid Business Email Compromise (BEC) Scams


May 13th, 2020


It's always prudent for business owners to be on the lookout for potential scams and attempts to defraud their company. But, with many employees now working from home and an increased risk of possible confusion due to the COVID-19 pandemic, the Federal Bureau of Investigation (FBI) warns that many hackers and scammers have begun adjusting their messaging to capitalize on concerns related to coronavirus.

One type of scheme in particular, the business email compromise (BEC) scam, has become much more common, according to the FBI. This scam may take various forms but, in most cases, the goal is to trick employees with access to company finances into performing wire transfers to accounts owned by criminals. Often, victims will receive an email they believe is from a business partner or client they normally conduct business with, but this particular message asks that money be directed to a new account or that regular payment practices otherwise be changed.

For example, employees working for a financial institution recently received an email that appeared to be from the company's CEO. (Scammers used an email address nearly identical to the CEO's actual email address, with only a single letter changed.) The "CEO" asked the employees to move up the date for a previously scheduled $1 million payment and change the recipient account "due to the coronavirus outbreak and quarantine processes and precautions."

In another instance, a fraudster claiming to be a client from China emailed a business and requested that all invoice payments be directed to a different bank account because of "coronavirus audits." The victim sent multiple wire transfers to the new account, resulting in a significant loss, before they discovered the scam.

The FBI recommends businesses be on the lookout for red flags, including:

  • any unexplained urgency in communication
  • requests for advance payment for services (when not required previously)
  • requests for employees to change direct deposit information

Other possible warning signs include sudden changes in wire instructions, recipient account information, established communication platforms or specific email account addresses. Be cautious of email-only communication or any refusal to communicate via phone call, online voice or video platforms, such as Zoom or Skype.

To protect yourself, your company and your assets, the FBI suggests the following tips:

  • Be skeptical of any last-minute changes in recipient bank account info.
  • Verify any changes by reaching out to vendors or clients through contact information previously on file (rather than numbers provided in a new email).
  • Make sure all URLs and hyperlinks are spelled correctly and associated with the correct businesses.
  • Match email addresses to the correct sender, confirming independently if necessary.
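
The address-matching tip can be applied automatically to incoming mail. The following Python code is an added example, not part of the FBI guidance or this article's original text; the contact list, addresses and function names are constructed for illustration. It goes slightly beyond the single-changed-letter case described earlier by also flagging inserted, dropped or swapped characters.

```python
from email.utils import parseaddr

# Constructed sample data: addresses already on file for real contacts.
CONTACTS = {"ceo@examplebank.test", "ap@vendor-supplies.test"}


def edit_distance(a, b):
    """Levenshtein distance: number of single-character edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # drop a character
                           cur[j - 1] + 1,             # add a character
                           prev[j - 1] + (ca != cb)))  # change a character
        prev = cur
    return prev[-1]


def check_sender(from_header, contacts_on_file, max_distance=2):
    """Compare the address in a From header with the addresses on file.

    Returns ("known", address), ("lookalike", imitated_address)
    or ("unknown", None).
    """
    _, addr = parseaddr(from_header)   # strips the display name
    addr = addr.strip().lower()
    known = {c.lower() for c in contacts_on_file}
    if addr in known:
        return ("known", addr)
    closest = min(known, key=lambda c: edit_distance(addr, c), default=None)
    if closest is not None and edit_distance(addr, closest) <= max_distance:
        return ("lookalike", closest)  # near-identical to a real contact
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed From headers, not taken from any real message.
    for header in ("Pat Lee <ceo@examplebank.test>",
                   "Pat Lee <ceo@examp1ebank.test>",   # 'l' replaced by '1'
                   "Pat Lee <ceo@examplebnak.test>",   # two letters swapped
                   "newsletter@other.test"):
        print(header, "->", check_sender(header, CONTACTS))
```

A "known" result only means the address matches one on file; a compromised or spoofed account produces the same result, so payment changes still need confirmation through contact details previously on file.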

For more information about COVID-related scams and federal resources available to assist, visit the FBI's coronavirus page. If you believe your company has been the victim of a fraudulent scheme, file a report as soon as possible with the FBI's Internet Crime Complaint Center. Victims of BEC or email account compromise specifically can use this complaint referral form.
