What Are Business Email Compromises?

July 23, 2024
meritsolutions

Business Email Compromises (BEC), also known as Email Account Compromises (EAC), pose a significant threat to businesses. These scams primarily target companies through email: the criminals behind BEC scams pose as trusted sources, such as company owners and executives, coworkers, vendors, or clients. They send emails that appear to be legitimate requests for sensitive and confidential information, or even for a transfer of funds. And while your own business might be safe, you also need to verify that your vendors have Cyber Security in place, because a compromised vendor can then be used to target your business. These scams exploit the reliance on email for business communication, and they typically result in substantial financial losses.

Types of Business Email Compromises

There are three key BEC scams to watch out for:

  • Spear-phishing: A scammer will pretend to be a trusted contact, such as a company executive, in order to trick people into complying with their requests.
  • Spoofing: A scammer will impersonate a trusted source, specifically by creating email addresses that are very similar to those of the trusted source. For instance, a scammer could replace the lowercase “l” in merit@meritsolutions.net with a capital “I”, which looks identical in many fonts.
  • Malware: A scammer sends fake links or data to an unsuspecting user, who downloads software (malware) that allows the criminal to access and mine sensitive data and compromises your business email and other accounts.

Scammers move down through the food chain

Your business might have done all the right things. You might have Cyber Security and cyber insurance. But what about your vendors? Ask your key vendors and business partners whether they have implemented a Cyber Security plan, because if you transact with a company that does not have an active Cyber Security program, bad actors might be reading your emails to that vendor. Here are a few key things to watch out for when evaluating the validity of a funds transfer:

  1. Be extra vigilant of any vendor suddenly providing new bank information: Businesses rarely change banks, so don’t instantly believe a recipient saying they have a new bank account.
  2. Validate urgent requests: Be cautious if you receive unexpected requests for money transfers. Verify the legitimacy of the request before acting.
  3. Be wary of alarm and urgency: Subject lines with “Urgent” or “Help Needed” indicate a potential red flag, especially if that’s out of character for the person you’re corresponding with. Scammers want you to react quickly without thinking your actions through, so take a moment to evaluate if this request seems off.
  4. Watch for suspicious domains: Be extra cautious when emailing users with public domain email addresses or unusual top-level domains. (For example, businessowner@microsoftonlineemail.com)

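The spoofing and suspicious-domain warnings above (the capital “I” for lowercase “l” trick, and brand names buried in unrelated domains such as microsoftonlineemail.com) can be turned into a simple screening check. The following is an added example written for this article, not code from MERIT; the trusted-domain list, the public-mailbox list and the sample addresses are constructed for illustration, and the thresholds are heuristics to be tuned rather than a substitute for calling the vendor on a known number.

```python
import re
from difflib import SequenceMatcher

# Constructed sample data (hypothetical): the domains this organisation really
# exchanges email with, and free mailbox providers a vendor should never use
# to send payment instructions.
TRUSTED_DOMAINS = {"meritsolutions.net", "microsoft.com"}
PUBLIC_MAILBOX_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Glyphs routinely swapped because they look alike: capital I for lowercase l,
# digit 1 for l, digit 0 for o. Applied before case-folding so the I/l swap
# from the article is still visible when it is mapped.
CONFUSABLES = str.maketrans({"I": "l", "1": "l", "0": "o", "|": "l"})

def normalize(domain: str) -> str:
    """Collapse look-alike spellings of a domain into one canonical form."""
    folded = domain.strip().translate(CONFUSABLES).lower()
    return folded.replace("rn", "m").replace("vv", "w")

def sender_domain(address: str) -> str:
    """Extract the domain from 'user@dom' or 'Name <user@dom>', case preserved."""
    match = re.search(r"@([^@\s>]+)$", address.strip().rstrip(">"))
    if not match:
        raise ValueError(f"not an email address: {address!r}")
    return match.group(1)

def assess_sender(address: str) -> str:
    """Classify a sender as trusted, public-mailbox, lookalike or unknown."""
    domain = sender_domain(address)
    if domain.lower() in TRUSTED_DOMAINS:
        return "trusted"
    if domain.lower() in PUBLIC_MAILBOX_DOMAINS:
        return "public-mailbox"
    norm = normalize(domain)
    label = norm.split(".")[0]
    for trusted in map(normalize, TRUSTED_DOMAINS):
        t_label = trusted.split(".")[0]
        # Identical once confusables are folded (meritsoIutions.net).
        if norm == trusted:
            return "lookalike"
        # A trusted brand name buried in a longer, unrelated domain
        # (microsoftonlineemail.com), or a near miss such as a dropped letter.
        if (len(t_label) >= 5 and t_label in label) or \
                SequenceMatcher(None, norm, trusted).ratio() >= 0.9:
            return "lookalike"
    return "unknown"
```

A "lookalike" or "public-mailbox" verdict is a reason to pause and phone the contact on a number you already hold, not proof of fraud; an "unknown" verdict only means the domain is not one you have listed.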
Watch out for the following communication red flags in emails and other messages:

  1. Generic or overly personalized greetings.
  2. Grammar and/or spelling mistakes.
  3. Inappropriate requests for sensitive information.
  4. Incorrect sender’s email address.
  5. Suspicious URLs or attachments. (www.fdkrlelsprobv.com)

How to protect your business from Business Email Compromises

The following tips will help ensure you protect your business from these scams:

  1. Verify recipient information: Always double-check that the recipient’s name, account number, and routing number match exactly before sending a wire transfer.
  2. Call and speak with the other party: Always call and speak to the requestor to confirm the validity of the request, link, and any other information within the request. Use a phone number that you already have for that contact, not one provided within a suspicious email.
  3. Enable two-factor authentication: Add an extra layer of security by enabling two-factor authentication for your financial transactions.
  4. Use a secure network: Conduct wire transfers over a secure network and avoid public Wi-Fi or unencrypted connections.
  5. Monitor accounts regularly: Keep a close eye on your accounts. Detect any unusual activity promptly.

Call your IT vendor if you have reason to be suspicious

  1. Work with MERIT: Request MERIT’s assistance in reviewing any communication or links prior to engaging with the request.
  2. Cybersecurity insurance: Verify your business is protected with the right coverage in the event of fraud. Review with your Cybersecurity Insurance Provider and MERIT’s CISO.

What to do in the event of a Business Email Compromise scam

If you suspect a Business Email Compromise, take immediate action:

  1. Contact MERIT: Inform MERIT immediately, so we can work with you to review, mitigate, and monitor your infrastructure.
  2. File a complaint: Report the incident to relevant authorities. You may also need to legally notify any impacted parties.
