Tips to Protect Against Business Email Compromise Schemes

November 8, 2018

More than $675 million last year was stolen last year due to Business Email Compromise (BEC) schemes, according to the FBI. That number jumps to an estimated $5 billion since 2013. Because of this threat, companies should review both their internal training as well as their technical safeguards to prevent these types of hacks.

Here are some tips to protect your operation against BEC attacks:

  • Establish a company domain name and use it to establish company email accounts instead of free web-based email accounts.
  • Create intrusion detection system rules that flag emails with extensions that are similar to your company’s. For example, legitimate email of abc_company.com would flag fraudulent email of abc-company.com.
  • Create an email rule to flag emails where the “reply” email address is different than the “from” email address shown.
  • Color code emails from your employee/internal accounts a different color than those from non-employee/external accounts.
  • Be careful posting to social media and the company’s website information about job duties and descriptions, hierarchical information and out-of-office details that can give criminals the information they need to impersonate a trusted counter party.
  • Train your team to scrutinize all emails and not be afraid to use face-to-face or voice-to-voice communications when in doubt.
  • Be wary of irregular emails sent by high-level executives, as they can be used to trick employees into acting with urgency.
  • Review and verify emails requesting funds to determine if the requests are out of the ordinary.
  • Confirm requests for transfers of funds by using phone verification as part of a two-factor authentication; use previously known numbers, not the numbers provided in the email request.
  • Verify any changes in vendor payment location by following a call back procedure using contact information on file or having secondary sign-off by company personnel.
  • Similarly, stay updated on customers’ habits, including the details and reasons behind payments.

If your company has suffered a BEC or wire fraud attack, follow ALTA’s Rapid Response Plan for Wire Fraud Incidents. Also, file a complaint with the FBI at www.ic3.gov.


Contact ALTA at 202-296-3671 or communications@alta.org.