The BUSINESS EMAIL COMPROMISE Scam
August 12, 2016
Potential Targets and Methods
- Businesses and personnel using open source email
- Individuals responsible for handling wire transfers within a specific business
- Spoof emails that very closely mimic a legitimate email request (e.g. "Code to admin expenses" or "Urgent wire transfer")
- Fraudulent email requests for a wire transfer are well-worded and specific to the business being victimized
IT & Finance Security
- Establish more than one communication channel to verify significant transactions
- Use digital signatures on both sides of transactions
- Immediately delete unsolicited email (spam) from unknown parties
- Forward emails and include the correct email address to ensure the intended recipient receives the email
- Remain vigilant of sudden changes in business practices
Protecting Your Organization
- Avoid free web-based email if possible
- Establish a company website domain and company websites
- Be careful what is posted to social media and company websites
- Be suspicious of requests for secrecy or pressure to take action quickly
- Separate your computer devices from Internet of Things (IoT) devices
- Disable the Universal Plug and Play protocol (UPnP) on your router
Internet Crime Complaint Center
If you believe your business is the recipient of a compromised email or victim of a BEC scam, file with the Internet Crime Complaint Center (IC3) at www.IC3.gov. Be descriptive and identify your complaint as "Business Email Compromise" or "BEC."
For questions or assistance, locate and contact your local FBI field office at www.fbi.gov.
Source: U.S. Department of Justice, FBI, Office of Private Sector