Learn how you can protect your business from a common and costly online scam.
As more businesses are turning to digital tools to help streamline their operations, cyber fraud continues to be a serious threat for businesses and business owners alike. Opportunistic fraudsters are taking advantage of business disruptions and digital migration to formulate targeted attacks. One of the most common scams targeting businesses is called the business email compromise (BEC). According to the FBI, there were over 19,000 reported BEC complaints in 2020 with total fraud losses of $1.8 billion. Even if your business has not been hit, you probably know someone who has. Fraudsters will continue to make use of this effective tactic until it stops working. Read on to learn how you can protect your business.
What is the BEC?
The BEC is a scam that targets businesses who regularly make electronic payments (wire transfers and ACH) to suppliers or other businesses. In a typical BEC scheme, the victim receives an email they believe is from a trusted party, like a representative from a company they normally conduct business with or even an executive from their own company, but the email account has been compromised by fraudsters with the intention of tricking the victim into processing a financial transaction. Once the victim has been fooled, the fraudster will direct them to transfer funds or make a payment to an account controlled by the fraudster.
One common example of BEC is called the Bogus Invoice Scheme. This type of BEC scam involves receiving an email from a fraudster impersonating a supplier, client, or vendor. In this fraudulent email, the alleged supplier requests that a fund transfer date be moved up or informs you that the recipient account information has been changed (to an account controlled by fraudsters). The sending email address used by the fraudsters is nearly identical to the real person’s email address but has a slight spelling variation.
BEC Red Flags
There are a number of clues to help identify BEC attempts. These include:
- Unexplained urgency – BEC emails often contain email subject lines that imply urgency regarding payments or fund transfers. Keep an eye out for subject lines like “Payment – Important”, “Fund Payment Reminder”, or “Quick Request”.
- Last minute changes in payment instructions or recipient account information – Many BEC scams play on the unexplained urgency and change in information to lower your guard so that you don’t take the necessary time to confirm payment details with your client, vendor, or supplier.
- High-level executives asking for unusual information – Another aspect of BEC scams is the exploitation of authority within your company. You might be less likely to question a request or confirm payment details if you believe you are dealing directly with the CEO or CFO.
Protecting Your Business
Here are some actions you can take to reduce your risk of falling victim to the BEC.
- Be careful about sharing personal information online or on social media – Pets, birthdays, anniversaries, or family members are all tempting to post about online, but many of these important aspects of your life are used for passwords or security questions to access sensitive information. Think twice about posting this information online and ensure that you use secure passwords.
- Be skeptical of last-minute changes in payment instructions or account information – Be especially wary if the requestor is pressing you to act quickly to confirm a payment or transfer funds. It is best practice to verify any changes and information with your contact directly either by phone or in person — do not contact the recipient through a phone number provided in the email. Never make any payment changes without first verifying the change with the intended recipient.
- Don’t click on links or attachments in an unsolicited email or text message –Links can be sophisticated and appear legitimate. Attachments can contain viruses or malware. Do not fill out any forms contained in these messages, especially if they are asking you to update or confirm your account or personal information.
- Carefully examine the email address, link URLs, and spelling used in any correspondence – Although sophisticated, a key way to identify BEC scams is a misspelling in the sender’s email address, URL or within the body of the message. If the email contains irregular spelling or grammar mistakes, start a new email chain with the real sender to ensure it is the correct address. To test links, hover over the URL to look to see if it is taking you to an unfamiliar site or if there are any spelling errors.
- If you suspect something is amiss, report it internally and immediately contact your bank to make them aware of the situation.
BEC scams aren’t going anywhere, especially now that more businesses are operating remotely. However, the sooner you can detect foul play, the more quickly you can respond to remove the threat and minimize any potential losses.
 “2020 Internet Crime Report”, Internet Crime Complaint Center, FBI, March 2021
This article is for promotional purposes only. Santander Bank, N.A. (“Santander”) does not provide investment, business, financial, accounting, tax, or legal advice and the content of this article does not constitute investment, business, financial, accounting, tax, or legal advice. Santander does not make any claims, promises, or guarantees about the accuracy, completeness, currency, or adequacy of any content. Santander expressly disclaims all express and implied warranties of accuracy, completeness, currency, or adequacy of the information and content in this article. Readers should consult their own attorneys or tax or other advisors regarding the applicability of any referenced information or financial or other strategies to their own unique circumstances. This article does not necessarily reflect the views or endorsement of Santander.
Santander Bank, N.A. is a Member FDIC and a wholly owned subsidiary of Banco Santander, S.A. ©2022 Santander Bank, N.A. All rights reserved. Santander, Santander Bank, and the Flame Logo are trademarks of Banco Santander, S.A. or its subsidiaries in the United States or other countries. All other trademarks are the property of their respective owners.