5 Tips to Protect Your Business from Email Compromise
By Mark A. Smithey, CISSP, CISA, Senior Vice President and Chief Information Security Officer and Jared B. Wilbur, CFE, Vice President, Corporate Security Governance Officer
Are you leaving your business vulnerable to an email scheme that is causing billions in losses every year? The FBI reports that Business Email Compromise (BEC) schemes have caused an estimated $50 billion in losses worldwide since 2013, with $2.7 billion in losses in 2022 alone. 1 2
(Also see “Protecting Your Business Against the 3 Most Common Types of Fraud”)
What is a Business Email Compromise?
A Business Email Compromise is when a bad actor sends a fraudulent email to a target, requesting a payment to a fraudulent account, or to change instructions on a transaction already in flight. If funds are sent as a result of the scam, the company is responsible for the loss and recovery is unlikely.
How are they done?
There are multiple ways these schemes are carried out.
- Compromised Email Accounts. In recent months, bad actors have used what appear to be trusted email addresses to commit fraudulent transactions by fooling the recipient into providing sensitive information. The bad actor does this by gaining access to and compromising an email account of a trusted third party. They then use this email address to elevate the compromise by either replying to existing emails, or sending an email using the compromised person’s contact list.
- Spoofed email account or website. Slight variations on legitimate addresses ([email protected] vs. [email protected]) fool victims into thinking fake accounts are authentic.
- “Spearphishing” emails. These messages look like they’re from a trusted sender to trick victims into revealing confidential information and allow access to company accounts, calendars, and data to carry out BEC schemes.
- Malware. Malicious software can infiltrate company networks and gain undetected access to billing, invoices and data, including passwords and financial account information.
How can I protect my business?
- Educate your employees.
  You and your employees are the first line of defense against corporate account takeover. A strong security program paired with employee education about the warning signs, safe practices, and responses to a suspected takeover is essential to protecting your company and customers.
- Always verify payment instructions before acting.
  - Always verify the identity of the sender before providing sensitive information or performing any transaction.
  - If you receive an unexpected email, verify the email address belongs to the sender; don’t just look for their name in the heading. Carefully examine the email address, URL, and spelling used in any correspondence.
  - NEVER make a wire transfer, bill payment, or change to payment instructions based solely on an email. Call the requestor back at a number already on file (not from the email) to verify the request is legitimate.
  - Never open or download an email attachment from someone, whether you know them or not, if you’re not expecting it. If you’re not sure, reach out to the sender using a known phone number.
  - Build controls, including call backs, around changes to client account details or call back numbers. Never accept these changes via email without verifying.
  - Be especially wary if the requestor is pressing you to act quickly. Fraudsters often try to create a sense of urgency around the request.
- Keep your email systems secure.
  - Use multi-factor authentication, complex passphrases, and special characters to secure access to your email.
  - Never reuse passwords across applications or systems.
- Never circumvent dual controls for payment systems.
  Although it can be inconvenient, dual controls such as tokens and system approvals are a necessary step in preventing fraud.
- Partner with your bank to prevent unauthorized transactions.
  Talk to your banker about programs that safeguard you from unauthorized transactions. Positive Pay and other services that offer call backs, device authentication, multi-person approval processes and batch limits help protect you from fraud.
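The sender checks described above (an address that differs slightly from a legitimate one, or a familiar name on an unfamiliar address) can also be run automatically against message headers. The following Python code is an added example, not part of the original article; the trusted domains, contact list and sample messages are constructed placeholders, and the Reply-To comparison is an additional check the article does not mention.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed placeholders: domains and contacts your business already trusts.
TRUSTED_DOMAINS = {"example-supplier.com", "example.com"}
KNOWN_CONTACTS = {"pat lee": "pat.lee@example-supplier.com"}

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(addr):
    return addr.rpartition("@")[2].lower()

def review_sender(raw_message):
    """Return a list of warnings for one raw message (headers + body)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    addr, domain, warnings = addr.lower(), domain_of(addr), []
    if domain not in TRUSTED_DOMAINS:
        # A domain one or two characters away from a trusted one is a likely spoof.
        near = sorted(d for d in TRUSTED_DOMAINS if edit_distance(domain, d) <= 2)
        warnings.append(f"lookalike of {near[0]}: {domain}" if near
                        else f"unknown domain: {domain}")
    # The display name alone proves nothing; compare it with the address on file.
    expected = KNOWN_CONTACTS.get(name.strip().lower())
    if expected and expected != addr:
        warnings.append(f"display name '{name}' normally uses {expected}")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != domain:
        warnings.append(f"Reply-To goes to a different domain: {domain_of(reply_to)}")
    return warnings

# Constructed sample messages.
SPOOFED = ("From: Pat Lee <pat.lee@examp1e-supplier.com>\n"
           "Reply-To: pat.lee@mail.example.net\n"
           "Subject: Updated wire instructions\n\n"
           "Please use the new account below.\n")
GENUINE = ("From: Pat Lee <pat.lee@example-supplier.com>\n"
           "Subject: Invoice 1042\n\nInvoice attached as discussed.\n")

if __name__ == "__main__":
    for warning in review_sender(SPOOFED):
        print("WARNING:", warning)
```

A message that produces no warnings is not cleared by this check: a compromised account sends from the real address, so the call back to a number already on file still applies.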
What do we do if it happens to us?
It is important that you pay attention to suspicious activity and react quickly. Look out for unexplained account or network activity, pop ups, and suspicious emails. If detected:
- Immediately contact your financial institution to try and recall the funds. Minutes matter.
- File a report with the Internet Crime Complaint Center. This will get your case into a queue with law enforcement and the Financial Crimes Enforcement Network’s (FinCEN’s) Rapid Response Program to pursue possible recovery.
- Stop all online activity and remove any systems that may have been compromised. Keep records of what happened.
Washington Trust Can Help
Fraudsters are becoming more sophisticated in their tactics, making it more difficult for businesses to protect themselves. It’s important to work with a bank that knows you and that you can trust to help keep your business safe. Washington Trust’s Fraud Protection Services help minimize your organization’s risk and provide you with the tools you need to protect your business. And should your business experience fraud, your Washington Trust personal banker will be by your side, walking you through the process to help mitigate risks and losses.
1 FBI: “Business Email Compromise: The $50 Billion Scam”
2 Federal Bureau of Investigation Internet Crime Report 2022
By accessing the noted link you will be leaving Washington Trust's website and entering a website hosted by another party. Washington Trust is not responsible for, nor do we control, endorse or guarantee the content of any external sites. Please be advised that you will no longer be subject to, or under the protection of, the privacy and security policies of Washington Trust's website. We encourage you to read and evaluate the privacy and security policies of the site you are entering, which may be different than those of Washington Trust.