You may receive an email at work that at first glance seems legit. It’s from someone you know – an attorney, a human resources rep, or a known vendor. It could even appear to come from the CEO.
In reality, it is a spoofed email – one created by a fraudster to trick you into sending money and opening the door to your corporate network. This type of scam, known as business email compromise (BEC), can be one of the most financially damaging crimes online, according to the FBI.[1]
How Does BEC Work?
Scammers get to know their targets so they can fake their identities, even setting up an email address that appears nearly identical to their victim’s. Typically, the domain will differ by just a letter or two, or the message may appear to come from the correct address while actually being sent from another domain.
Once the scammer figures out who has the authority to move money within a company, they’ll try to win trust by sending messages to that person from the fake email account. It’s often successful because recipients recognize the sender and may not notice the discrepancy in the email address.
The scam isn’t always about transferring money. Sometimes it’s used to steal confidential information, tax information, or cryptocurrency wallets.
People in roles that can authorize transfers of funds are frequent victims:
- Executives, whose information is often publicly available;
- Finance employees, like controllers and accounts payable staff, who have banking details, payment methods and account numbers; and
- HR managers who have access to employee records.
Why Is It Dangerous?
Losses from BEC are 80 times greater than for better-known ransomware schemes such as CryptoLocker, WannaCry and TeslaCrypt – totaling more than $2.7 billion in 2022, according to the FBI Crimes Report.[2]
Despite the success of BEC scams, there are some common-sense things corporations and individuals can do to protect themselves.
“I have the same message for employees and for customers,” says Brittney DeBrouse, staff manager for Corporate and Institutional Banking Fraud Ops Security in Enterprise Technology and Security at PNC. “It is crucial to stay alert for the threat of business email compromise. It’s important to never take an email at face value.” DeBrouse says to always check the email address carefully to see if it’s spoofed.
How Can You Avoid Being Hooked by a BEC Scam?
The FBI provides some other general tips for avoiding BEC scams:
- Verify a request for account changes by using a different channel. For example, you may want to call if you receive the request by email;
- Ensure the URL in emails is associated with the business or individual it claims to be from;
- Be alert to hyperlinks that may contain misspellings of the actual domain names;
- Refrain from supplying login credentials or personally identifiable information (PII) of any sort via email. PII is information that, when used alone or with other relevant data, can identify an individual and ultimately be used for impersonation fraud. Be aware that many emails requesting your PII may appear legitimate; exercising caution with your PII is always recommended; and
- Verify the email address when you receive any email, especially when using a mobile or handheld device, by ensuring the sender's address appears to match who it is coming from.
If you believe you have been victimized, it is critical to report it as soon as possible. Criminals exploit the time between compromise and response to do as much damage as they can. Time is of the essence. Best practices call for you to:
- Monitor personal financial accounts on a regular basis for irregularities, such as missing deposits; and
- Once you’ve identified an anomaly that suggests possible compromise, you should immediately reach out to your bank so your accounts can be frozen, and immediately report the matter to the FBI’s Internet Crime Complaint Center.
To report suspicious emails, send a message to email@example.com. Learn more about BEC and other types of internet crimes by visiting the FBI’s Internet Crime Complaint Center. You may also visit PNC’s Security and Privacy Center for updates about current scams and best practices for protecting your accounts, your data, and your customers.