For almost anyone who works in an office, receiving a flood of emails is just part of the daily routine.
And while working through them as efficiently as possible is also part of the job, responding quickly sometimes means we aren't taking time to verify every email coming in.
For example, what if you were to get a message from your boss asking you to pay an overdue invoice from a new vendor? Chances are you'd make that a priority. But it's possible that the email didn't actually come from your boss, and if you're not careful, it would be easy not to notice it could have been sent by a fraudster trying to scam your company.
This is a common tactic called a business email compromise (BEC) scam, and unfortunately, it's often very effective.
Out of more than 40 fraud types tracked by the Canadian Anti-Fraud Centre (CAFC), BEC is the second most common source of reported monetary loss. But with increased awareness, it can be prevented.
Between 2013 and 2018, BEC scams caused US$12.5 billion in losses to companies globally, according to the U.S. Federal Bureau of Investigation (FBI).
"Virtually every type and size of business is vulnerable to business email compromise scams," says Dennis Parker, Vice President, Business Banking at TD.
"Unfortunately, it doesn't take a lot of technical savvy to trick people into making fraudulent payments."
How the scam typically works
BEC scams generally start with reconnaissance. Fraudsters may spend weeks harvesting information from your company website, social media, press releases and other reliable sources, and sometimes even intercept email exchanges, before deciding who to target and when to strike.
At the same time, fraudsters need to determine who to impersonate – usually a senior leader, known vendor or employee – and whether they will hack or spoof that person's email account.
What typically happens next is the fraudsters craft a well-timed email with an urgent and authoritative tone that instructs their target to:
- Pay an invoice via wire payment or electronic funds transfer (EFT),
- Update account information for existing vendors, or
- Update employee payroll information
It is usually an email that appears to come from someone you know, has a sense of urgency, and sounds confident and convincing. The email is a piece of cleverly tailored social engineering, designed to make the recipient act on instructions and reluctant to question its contents before taking action.
How to protect yourself and your business
- Don't assume that email is a secure way of communicating – it's easy for a fraudster to spoof an email address
- Encourage a questioning culture within your business – employees should feel confident in being able to question an unusual request
- Pick up the phone or speak in person to confirm payment instructions received by email
- Establish policies and procedures to validate changes to vendor or employee information
- Treat emails that ask for information related to account numbers, banking or other financial information as red flags
- Ask your bank about additional security features like dual-authentication to reduce your chances of being impacted by fraud
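The first point above, that a sender address is easy to spoof, is something a mail administrator can check mechanically rather than by eye. The following script is an added example and is not part of this article or any TD product: it parses two constructed sample messages (no real mail) and flags the header-level signs of a spoofed sender, assuming the receiving mail server stamps an Authentication-Results header with SPF, DKIM and DMARC outcomes and that "example-corp.com" is the company's own domain. A hit from any of these checks is a reason to pick up the phone before paying.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample: the display name claims to be the boss, but the reply
# address, bounce address and authentication results all point elsewhere.
SPOOFED_MSG = """From: "Pat Boss" <pat.boss@example-corp.com>
Reply-To: pat.boss@example-corp-invoices.net
Return-Path: <bounce@mailer-example.net>
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=mailer-example.net; dkim=none; dmarc=fail header.from=example-corp.com
Subject: URGENT: overdue vendor invoice
To: accounts@example-corp.com

Please wire the attached invoice today.
"""

# Constructed sample: a genuine internal message whose headers agree with each other.
LEGIT_MSG = """From: "Pat Boss" <pat.boss@example-corp.com>
Return-Path: <pat.boss@example-corp.com>
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=example-corp.com; dkim=pass header.d=example-corp.com; dmarc=pass header.from=example-corp.com
Subject: Q3 vendor review
To: accounts@example-corp.com

Can we meet Thursday to go over the vendor list?
"""


def domain_of(header_value: str) -> str:
    """Return the lowercased domain of an address such as 'Name <user@host>'."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def check_message(raw: str, internal_domain: str) -> list:
    """Return a list of human-readable findings; an empty list means no red flags."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    from_dom = domain_of(str(msg.get("From", "")))
    reply_dom = domain_of(str(msg.get("Reply-To", "")))
    return_dom = domain_of(str(msg.get("Return-Path", "")))
    # Authentication-Results is added by the receiving server (assumed here),
    # so it cannot be forged by the sender the way From can.
    auth = str(msg.get("Authentication-Results", "")).lower()

    # Replies silently going to a different domain is the classic BEC setup.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # The bounce address reveals where the message was really submitted from.
    if return_dom and return_dom != from_dom:
        findings.append(f"Return-Path domain {return_dom} differs from From domain {from_dom}")

    # Any authentication mechanism that did not pass is worth a finding.
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1) != "pass":
            findings.append(f"{mech} result is {m.group(1)}")

    # A message claiming to come from our own domain must pass DMARC.
    if from_dom == internal_domain.lower() and "dmarc=pass" not in auth:
        findings.append("claims to be internal mail but DMARC did not pass")

    return findings


if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_MSG), ("legitimate", LEGIT_MSG)):
        print(label, check_message(raw, "example-corp.com") or ["no red flags"])
```

The checks are deliberately header-only so they can run at the mail gateway before anyone reads the message; they do not replace the out-of-band phone call, but they make sure the obviously mismatched messages arrive already flagged.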
If you think you've been the victim of a business email compromise scam
Report it: BEC scams are a criminal offense. Even if funds weren't transferred, report the incident to local police, your financial institution and the Canadian Anti-Fraud Centre. These reports are valuable tools for investigators.
Talk about it: If you've fallen victim to a scam or even received a spoofed email, tell your story. Knowledge is power. Spreading the word helps prevent others from falling victim to these scams.