SACRAMENTO—During National Cyber Security Awareness Month (NCSAM), the Federal Bureau of Investigation (FBI) Sacramento Field Office is reminding the business community about business email compromise (BEC). BEC is a sophisticated scam targeting anyone who performs legitimate electronic payments such as wire or automated clearing house transfers. In a typical BEC scheme, the victim receives an email they believe is from a company they normally conduct business with, but this specific email requests funds be sent to a new account or otherwise alters the standard payment practices.

BEC has been a major concern for years. In 2019, the FBI Internet Crime Complaint Center (IC3) recorded 23,775 complaints and more than $1.7 billion in losses due to BEC fraud schemes. In April 2020, the IC3 issued a public service announcement alerting the business community about an anticipated rise in BEC due to uncertainty surrounding the COVID-19 pandemic. At the time, IC3 had seen an increase in BEC frauds targeting municipalities purchasing personal protective equipment or other supplies needed in the fight against COVID-19.

“Business email compromise is a serious, ever-evolving cyber threat that can have a serious impact on any business but can be particularly devastating to small businesses,” said Special Agent in Charge Sean Ragan of the FBI Sacramento Field Office. “Every business should take steps to protect itself against BEC, train employees to recognize the ‘red flags’ that communication may be part of a BEC scheme, and immediately report any BEC incident to aid recovery and help identify cyber criminals to protect other businesses from victimization.”

BEC scams generally fall into three main categories: spoofing, spearfishing, and malware.

Spoofing an email account or website involves the use of slight variations of legitimate addresses to fool victims into thinking fake accounts are authentic (e.g. john.kelly@examplecompany.com versus john.kelley@examplecompany.com).

Spearfishing email messages look like they’re from a trusted sender such as the CEO or finance manager to trick victims into revealing confidential information. This information then enables criminals to access company accounts, calendars, and data that gives them the details they need to carry out the BEC schemes.

Malicious software, also called malware, is often installed via links or attachments in unsolicited email. The malicious code infiltrates company networks, gaining access to legitimate email threads about billing and invoices. That information is then used to time requests or send messages so accountants or financial officers don’t question payment requests. Malware also lets criminals gain undetected access to a victim’s data, including passwords and financial account information.

The FBI advises businesses and their personnel to be on the lookout for the following red flags:

• Unexplained urgency
• Last minute changes in wire instructions or recipient account information
• Last minute changes in established communication platforms or email account addresses
• Communications only in email and refusal to communicate via telephone or online voice or video platforms
• Requests for advanced payment of services when not previously required
• Requests from employees to change direct deposit information.

The FBI recommends the following tips to help protect yourself and your assets:

• Enable multi-factor authentication for all email accounts that allow it and do not disable it.
• Be skeptical of last-minute changes in wiring instructions or recipient account information
• Verify any changes and information via the contact on file—do not contact the vendor through the number provided in the email
• Ensure the URL in e-mails is associated with the business it claims to be from
• Be alert to hyperlinks that may contain misspellings of the actual domain name
• Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s email address appears to match who it is coming from.

If you discover you are the victim of a fraudulent incident, immediately contact your financial institution to request a recall of funds and your employer to report irregularities with payroll deposits. As soon as possible, file a complaint with the FBI’s Internet Crime Complaint Center at ic3.gov or, for BEC and/or email account compromise (EAC) victims, bec.ic3.gov.