Business Email Compromise (BEC) scams involve a con artist impersonating someone with decision-making authority by using a hacked or spoofed email account. Before contacting the targeted victim, the fraudster often does his or her homework by finding out the names and job functions of employees within an organization. The fraudster then uses that information to impersonate an executive or another member of the leadership structure, either by hacking into that person's real business or personal email account or by making up a fake account with an address that resembles one an executive might really use.
According to a report issued by the Better Business Bureau, BEC scams are “skyrocketing” in number and have cost legitimate businesses and organizations more than $3 billion since 2016.
For example, imagine a local church that has its staff and pastor’s email addresses listed on its website. Using this directory, a BEC scammer could impersonate the pastor and make up an email to send to someone with access to the church’s funds, such as a treasurer or secretary. The scammer might, for instance, draft an email directing the secretary to buy gift cards for parishioners who are in need. This scheme might even be timed to be executed when the pastor is really out of the office, making it plausible that he or she might need the assistance of staff. Once the secretary buys the gift cards and sends the numbers, the money is gone and in the hands of the scammer.
Another BEC scam scenario involves the sale of a home, where the scammer impersonates a real estate agent or title company employee. While playing the role of the agent or title employee, they could claim that money from the transaction needs to be wired ahead of time to a new account. But in reality, the account was set up by the scammer to receive the payment from the unsuspecting homebuyer, and the money is now gone.
Human resources staff for an organization are also at risk of being targeted by versions of the BEC scam. These employees may receive an imposter email from their HR director asking for employee tax information. Or, they may get a fake email that appears to be from a real employee, asking for future payroll to be sent to a new account by direct deposit. Unsuspecting HR staff might fulfill such requests, unintentionally helping the BEC scammer uncover personal information they can use in a tax identity theft scam or to steal money from the company.
Some tips to help recognize a BEC scam include the following:
- If you own a business or run an organization of any size, maintain a strong, secure network to help prevent hacking into your system.
- Use multifactor authentication for employees to log in to the network or change settings. Multifactor authentication can require employees to, for example, input a one-time access code sent to their smartphone. Requiring this code in addition to the correct password will help defend against intruders trying to gain access to the network.
- Require emailed instructions to be verified through a follow-up telephone conversation, especially for departments that perform financial tasks or handle sensitive information, such as employee data.
- Train all leaders and staff to know how BEC scams work as part of their internet/data security training.
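The fake addresses described at the top of this article, ones that resemble an address a leader might really use, can also be flagged automatically before staff act on them. The Python sketch below is an added example, not part of the original article: it checks an incoming message's headers for a leader's name on an unknown address, a near-miss of the organization's domain, and a Reply-To that differs from the sender. The domain `stmarks.example`, the leader's name and the three sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumed organization data (constructed for this example).
ORG_DOMAIN = "stmarks.example"
LEADERS = {"pastor john smith": "jsmith@stmarks.example"}

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_flags(raw_message):
    """Return the reasons a message should be verified by phone before acting."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    name, addr = " ".join(name.lower().split()), addr.lower()
    domain = addr.rpartition("@")[2]
    flags = []
    # A leader's name shown on an address that is not the leader's known one.
    if name in LEADERS and addr != LEADERS[name]:
        flags.append("display-name-mismatch")
    # Domain is within two edits of the organization's domain but not equal.
    if 0 < edit_distance(domain, ORG_DOMAIN) <= 2:
        flags.append("lookalike-domain")
    # Replies would be delivered somewhere other than the visible sender.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != addr:
        flags.append("reply-to-differs")
    return flags

# Constructed sample messages (headers, blank line, body).
LOOKALIKE = ("From: Pastor John Smith <jsmith@stmark5.example>\n"
             "Reply-To: helper@webmail.example\n"
             "Subject: Gift cards\n\nPlease buy these today.\n")
FREEMAIL = ("From: Pastor John Smith <pastor.smith@webmail.example>\n"
            "Subject: Quick favor\n\nAre you at your desk?\n")
GENUINE = ("From: Pastor John Smith <jsmith@stmarks.example>\n"
           "Subject: Sunday schedule\n\nSee attached.\n")

if __name__ == "__main__":
    for label, raw in [("lookalike", LOOKALIKE), ("freemail", FREEMAIL), ("genuine", GENUINE)]:
        print(label, bec_flags(raw))
```

A message sent from a leader's real account after it has been hacked produces no flags here, which is why the follow-up telephone verification in the tips above still applies.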
Consumers who suspect an unfair business practice or want help addressing a consumer problem should contact the Ohio Attorney General’s Office at www.OhioProtects.org or 800-282-0515.