8.3.2022 / Fraud Education

Beware BEC Scams!

According to the FBI, BEC (Business Email Compromise) scams are the most financially damaging cybercrime. In 2020 alone, BEC scammers stole $1.8 billion. Even Facebook and Google have fallen victim to these email scams, collectively losing around $121 million. But what are BEC scams exactly, and why are they so effective? BEC scams are emails from a trusted source (usually a business you regularly work with) making a seemingly legitimate request to send money. Because the email appears to be from a familiar source, the request is often not questioned.

Knowing what they look like is one of the best defenses against these scams. Listed below are common methods used for BEC scams:

  1. Fake Invoice or Bills: An example of this would be receiving an email regarding a past-due invoice or bill, such as an unpaid mortgage payment. The email might instruct you to wire the payment instead of using the normal payment method.

  2. Impersonating: Another common method is for scammers to impersonate the email account of a CEO, an executive, or even an accounts receivable representative. The scammer will create an email address that is similar to a recognizable one, then ask you to purchase gift cards for employees or wire money to a new account.

  3. Email Account Compromise (EAC): Sometimes the scammers will actually hack employee email accounts. The scammers will watch email activity and learn the employee's patterns. Once the scammer discovers an opportunity, they will typically request a change to wire instructions or account numbers.

BEC scams are frightening and hard to notice if you don’t know what to look for. Here are a few tips to protect your email account and help you identify this type of scam.

What YOU can do to avoid becoming a Victim of a BEC scam:

  1. Make sure your passwords are secure: First, ensure your passwords can’t be easily guessed based on your personal information. Where you went to school, the year you graduated, your pet’s or children’s names, and your birthday are all pieces of information that can be relatively easy to find on the internet. Second, avoid using the same password for multiple account logins. Check the strength of your password here.

  2. Look out for red flags: The first red flag to look out for is in the subject line. Usually, it will include words like “request,” “transfer,” “payment,” and, most notably, “urgent.” Another red flag is any request to go outside usual channels. Most requests for money will come from an accounting system, not from an executive in an email. The last red flag to look out for is mandated confidentiality. If the email instructs you not to talk to anyone else about the request, it’s probably a scam.

  3. Mismatched email addresses: Look for mismatched email addresses. Though the email initially appears to be from a trusted source, pay careful attention to slight variations that may be used to trick you. For example, the email could be from sarah.kelley@example.com instead of sarah.kelly@example.com. Or, instead of mitch.abrams@yourbusiness.com, scammers could use mitch.abrams@mitchsmailservice.com. If you are unsure of an email address, call the person trying to contact you (using a phone number other than the one provided in the email) to verify it’s them before sending money or confidential information.

  4. Unusual requests: Be cautious of unusual requests to send money or information from a family member, a colleague, a high-level executive, or a government official. If you are unsure about a request, don’t hesitate to contact the person over the phone or in person. It’s better to be safe than sorry.

  5. Go straight to the source: If you get an email requesting money (bills, mortgage payments, etc.), go directly to the company website and log in. Do not click the link in the email because it could misdirect you to a similar-looking site or attempt to phish your information. It is always a good practice to call to verify information.

  6. Call before you send: In some cases, wire and ACH instructions can be modified before you receive them. If you receive an email with instructions to send a payment via a wire or ACH, it is always a good practice to call to verify the account information at a trusted number.
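
For teams that want to automate part of tips 2 and 3, the sketch below flags lookalike sender addresses and red-flag subject words. It is an added example, not part of the original article; the contact list, the 0.85 similarity threshold and the function names are assumptions.

```python
import re
from difflib import SequenceMatcher

# Subject-line words the article lists as red flags.
SUBJECT_FLAGS = ("request", "transfer", "payment", "urgent")

# Constructed contact list (assumption), using the article's example addresses.
KNOWN_CONTACTS = ["sarah.kelly@example.com", "mitch.abrams@yourbusiness.com"]


def split_address(addr):
    """Return (local part, domain), lower-cased."""
    local, _, domain = addr.strip().lower().rpartition("@")
    return local, domain


def sender_findings(sender, known_contacts, threshold=0.85):
    """Describe how a sender address differs from the known contacts."""
    s_local, s_domain = split_address(sender)
    known = [split_address(k) for k in known_contacts]
    if (s_local, s_domain) in known:
        return []  # exact match with a known contact
    findings = []
    for k_local, k_domain in known:
        contact = f"{k_local}@{k_domain}"
        if s_local == k_local:
            # Right name, wrong mail domain (tip 3, second example).
            findings.append(f"domain differs from {contact}")
        elif (s_domain == k_domain
              and SequenceMatcher(None, s_local, k_local).ratio() >= threshold):
            # Slight spelling variation at the right domain (first example).
            findings.append(f"lookalike of {contact}")
    return findings


def subject_findings(subject):
    """Return the red-flag words (tip 2) that appear in the subject line."""
    words = set(re.findall(r"[a-z]+", subject.lower()))
    return [flag for flag in SUBJECT_FLAGS if flag in words]


def review_email(sender, subject, known_contacts=KNOWN_CONTACTS):
    """Collect both kinds of finding; any hit means verify by phone first."""
    return {"sender": sender_findings(sender, known_contacts),
            "subject": subject_findings(subject)}
```

An empty result only means the sender does not resemble a known contact; it does not confirm the request is genuine, so payment changes still need a call to a trusted number.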

If you get a request for money in your inbox, think before you act. By slowing down and taking the time to consider the nature of the request, you’ll be able to decipher what is a scam and what isn’t.

How to Report

If you or your company fall victim to a BEC scam, it’s important to act quickly: