Business Email Compromise (BEC) is a sophisticated and increasingly common scam targeting organizations of all sizes in our local communities.

Business Email Compromise (BEC)  

A BEC attack happens when a fraudster obtains access to a business email account and replicates the owner's identity to defraud the company, its employees, customers and partners.

Central Bank’s VP of Security and BSA explains how a BEC attack can occur:

The most popular way hackers gain access to company networks and individual PCs is when an employee clicks on an unsafe link within an email message. This simple and, often times, automatic reaction can give hackers access to all computer programs and files. It allows them to take control of email settings, read all incoming and outgoing messages and set up folders only accessible to the fraudsters.

After they’re in control, hackers can monitor emails and identify upcoming financial transactions like an invoice to be paid by an ACH or wire transfer payment. Hackers can mimic the appearance of those familiar emails and send a follow-up email to inform the recipient that their banking credentials have changed, “We have a new bank! The new routing number is _ and our new account number is _.”

STOP: If you receive an email similar to this scenario, immediately call the invoicing company to verify the changes. DO NOT SEND ANY FUNDS until you can verify the change in bank information is, without a doubt, legitimate.

It’s important that you call the company rather than emailing them. Fraudsters can intercept email chains and reply that the changes are correct, leading to your funds getting in the wrong hands.

Follow these tips to avoid a BEC attack at your office:

• Enable multi-factor authentication for your email system.
• Use strong passwords. Do not use the same password for different systems. If one system gets compromised, hackers can easily gain access to other systems.
• Office 365 encourages customers to prohibit automatically forwarding emails to external domains. Although this sounds simple, it is an excellent way to block hackers from gaining access to incoming mail. 
• Proofread your emails. Scammers know how to make an email look like it’s sent from a recognized business or someone familiar to you. If you receive an unexpected email, check the reply address to make sure it originated from a legitimate email address.
• Do not reply to emails requesting personal or confidential information.
• Don’t click links or download attachments from emails.

Did you know … it takes up to 90 days for the receiving bank to investigate the transaction? Large banks have several departments this process has to go through to complete the investigation. If the attacked business gets any funds back, it will not be a quick turnaround.

If your company has sent funds through fraudulent information, immediately take the following steps:

• Call your bank and inform them of the transactions.
• Contact the police department. 
• Visit www.ic3.gov and “File a Complaint”. The site is monitored 24/7 by FBI agents. When completing the form, fill out all requested information and state if the funds were sent to a foreign bank or a bank in the US. Submit and print your form, and document any file numbers provided to you.

Reach out to your local banker if you have any questions regarding a BEC attack or other financial scam. We’re here to help!