BBB Alert: Business Email Compromise

A message with the name and signature from your CEO in your inbox isn’t always from who you think it is. It may be an “imposter” email, also referred to as an email masquerade, a business email compromise (BEC) or CEO fraud. This threat is designed to trick the victim into thinking they received an email from an organization leader like their CEO or CFO asking for either: a transfer of money out of the company or employee personally identifiable information (PII) such as W2 forms.

According to the FTC, the scammers have been contacting businesses by both email and phone. When contacting businesses via email, the scammers often make subtle changes to an address, making it difficult to distinguish a fake address from a legitimate one. For example, john@example.com could be altered to john@exanple.com.

Although W2 themes are the latest trend in impostor emails, this type of attack is nothing new, although it does represent a shift in tactics. Proofpoint researchers describe these scams as “natural extensions of the phishing schemes we have seen for over 20 years.”

Whether it’s a BEC, a broader campaign going after HR or finance departments or even more targeted spear-phishing campaigns, all of these threats rely on bad actors convincing users that they are someone else—someone with a legitimate reason for asking for a wire transfer or specific information. Because these emails look and feel legitimate, the email recipient often complies, resulting in attackers receiving funds or confidential information. Typical impostor email requests have:

  • A sense of urgency (e.g. a wire transfer must be made today or information is needed immediately for a review)
  • A sense of secrecy (e.g. the transfer is part of a yet-to-be-announced acquisition and the victim is asked not to speak to others about the request)
  • A sender with authority (e.g. the email typically comes from an executive or someone with power within the organization)

These threats are extremely targeted and start with a great deal of research to find the right person within an organization, find out their chain of command, and identify the best time to send the email – ideally when the “sender” is traveling, to maximize the chance of success. But despite the amount of work required, these threats are not rare: many thousands of companies are impacted by them every month. The FBI’s initial estimate is that impostor emails cost organizations over $2 billion in 2015.

Because these threats rely on social engineering rather than malware, impostor emails can often evade security solutions that look for only malicious content or behavior.

The FTC is offering businesses several tips to ensure their companies don’t fall victim to the masquerade scam:

  • Establish a multi-person approval process for transactions above a certain dollar threshold. Implement a system that requires a valid purchase order, along with approvals from a manager and a finance officer, to spend money.
  • Confirm that any request to initiate a wire transfer is from an authorized source within the company.
  • Double- and triple-check email addresses.
  • Slow down. Fraudsters pressure you to take action quickly so you don’t have time to think it through. Take time to verify any request, even an urgent one.
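A check for the subtle address changes the alert describes above (john@exanple.com standing in for john@example.com) and for the “double- and triple-check email addresses” tip, as an added example that is not part of the BBB alert: it flags sender domains that are a near-miss of a trusted domain, either by a small edit distance or by character look-alikes. The trusted domain list, the confusable table and the sample addresses are assumptions constructed for the demo.

```python
"""Flag sender addresses whose domain is a near-miss of a trusted domain.

Added example (not from the BBB alert): a small check a mail gateway or a
helpdesk script could run on the From: address of a wire-transfer or W2
request. Trusted domains and sample addresses below are constructed.
"""
import re

TRUSTED_DOMAINS = {"example.com"}  # assumption: your organisation's real mail domain(s)

# Character substitutions used to build look-alike domains ("rn" reads as "m",
# digit 0 as "o", and so on). Normalising both sides before comparison catches
# these even when the raw edit distance alone would be too large.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalise(domain: str) -> str:
    d = domain.lower()
    for src, dst in CONFUSABLES.items():
        d = d.replace(src, dst)
    return d


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike', 'external' or 'invalid' for an address."""
    m = re.fullmatch(r"[^@\s]+@([^@\s]+)", address.strip())
    if not m:
        return "invalid"
    domain = m.group(1).lower()
    if domain in trusted:
        return "trusted"
    for t in trusted:
        if normalise(domain) == normalise(t) or levenshtein(domain, t) <= max_distance:
            return "lookalike"  # close enough to be a deliberate imitation
    return "external"


if __name__ == "__main__":
    # Constructed sample From: addresses, including the alert's exanple.com case.
    for sender in ["john@example.com", "john@exanple.com", "john@exarnple.com",
                   "john@examp1e.com", "john@gmail.com", "not-an-address"]:
        print(f"{sender:25s} -> {classify_sender(sender)}")
```

A "lookalike" verdict is a reason to pick up the phone and confirm the request, as the alert advises, not proof of fraud on its own.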

Be suspicious of requests for secrecy. Speak to the executive on the phone or in person. If you still have doubts, speak to another senior executive.

Businesses that think they may have encountered a masquerade scam are encouraged to report the incident to the Internet Crime Complaint Center at www.ic3.gov and the FTC at ftc.gov/complaint. “Businesses can also report the scam on BBB Scam Tracker. By telling BBB about it, it helps us investigate and warn others by reporting what you know,” stated BBB President and CEO Jim Hegarty.

ABOUT BBB: Better Business Bureau has been assisting U.S. consumers and businesses since 1912. It is a private, nonprofit organization dedicated to advancing trust in the marketplace. In 2015, people turned to BBB more than 165 million times for BBB Business Reviews on more than 4.7 million businesses and Charity Reports on 11,000 charities, all available for free at bbb.org. Today, BBB serving Nebraska, South Dakota, The Kansas Plains and Southwest Iowa is supported by approximately 10,000 Accredited Businesses that have voluntarily committed to adhere to BBB’s Standards of Trust.