Protected Voices: Business Email Compromise
The FBI’s Protected Voices initiative provides cybersecurity recommendations to political campaigns on multiple topics, including business email compromise, to help mitigate the risk of cyber influence operations targeting U.S. elections.
Video Transcript
Hello, I’m Jay, a program coordinator for the FBI. In this video, I will discuss how to recognize and protect your campaign from a type of fraud known as a business email compromise.
In a business email compromise scheme, the hacker gets to an organization’s email system and, after watching and studying the normal course of business for a little while, injects his or her own email text into a conversation.
How might this happen in a political campaign? A hacker could use a vendor’s own email account to send new payment instructions to the campaign’s billing office. If the instructions come from a known email account, the campaign might be fooled into honoring them.
Want some real world examples?
One U.S. business was buying products from its regular Chinese manufacturer when it was tricked into wiring a payment of more than $150,000 to a fraudster’s account in a bank not used by the Chinese business.
Another U.S. business lost $140,000 after negotiating a deal with a vendor and paying $20,000 for the initial fees. After the initial fees were paid, a fraudster—who’d hacked into the vendor’s account—instructed the U.S. business to make the final payment to a Hong Kong bank account he controlled.
Business email compromise has evolved from an email spoofing scam—where a fraudster creates a spoofed email that looks like the original, by, for example, replacing the letter “o” with the number zero.
Political campaigns could be vulnerable to business email compromise because of the constant flow of money into the campaign from relatively unknown donors and the large number of invoices from vendors throughout the campaign.
Protecting yourself from business email compromise is a two-front effort. You need to defend your own email accounts to keep a hacker from impersonating you. Get into a habit of evaluating incoming emails for compromise.
Here are some specific steps your campaign can take to protect itself from business email compromise:
Lock down your campaign’s email accounts. Use multi-factor authentication, strong passphrases, and secure Internet connections. See our other Protected Voices videos for help.
Keep campaign accounts separate from personal accounts. While any email can be compromised, separating accounts minimizes the number of entry points and keeps problems from spreading.
Establish out-of-band communication. Use some other form of communication, such as a telephone call, to verify transactions over a particular dollar amount. And set up this verification process early in the campaign’s relationship with the firm in question. Furthermore, don’t use email to set up the verification process.
Confirm significant changes. Beware of sudden changes in business practices. For example, if a campaign vendor suddenly asks the campaign to contact him or her at a personal email address when all previous official correspondence has been on a company email, verify via other channels that you are still communicating with your legitimate business partner.
Consider using forward instead of reply. Instead of hitting reply on important emails, use the forward option and either type in the correct email address or select it from your email address book to ensure you’re using the real email address.
Consider adding a banner to flag emails that come from outside your campaign. This is a simple way to remind campaign staff members and volunteers to give a little extra scrutiny to external emails. It can also identify when an adversary creates a fraudulent domain that looks similar to the campaign’s legitimate domain.
Business email compromise can be both expensive and embarrassing. Fortunately, there are many steps your campaign can take to lower your risk.
Remember, your voice matters, so protect it.
Video Download
Video Source
Recent Video
- 01.16.2025 — Trailer for In the Aftermath
- 01.16.2025 — Trailer for Echoes of Columbine
- 01.15.2025 — Ahead of the Threat Podcast: Episode Six - Charles Carmakal
- 01.14.2025 — Violence Against American Indian or Alaska Native Females, 2021 – 2023
- 01.13.2025 — FBI Director Christopher A. Wray's Farewell
- 01.05.2025 — Video Footage Related to Bourbon Street Attack in New Orleans
- 01.02.2025 — January 5 Pipe Bomb Investigation: Additional Details and Footage of Suspect
- 12.31.2024 — January 5 Pipe Bomb Investigation: New Footage of Suspect Placing Bomb at DNC
- 12.19.2024 — Oak Ridge Boys Fight Elder Fraud
- 12.18.2024 — Director Wray’s Full Remarks for the FBI All-Employee Town Hall Address
- 12.18.2024 — Ahead of the Threat Podcast: Episode Five - Rachel Lavender
- 12.13.2024 — FBI Seattle Holiday Scams
- 12.12.2024 — Trailer for The Shift That Never Ended: Stories of Resilience
- 12.11.2024 — Remarks from FBI Director Christopher Wray
- 12.04.2024 — Ahead of the Threat Podcast: Episode Four - Wendi Whitmore
- 12.03.2024 — FBI Richmond Citizens Academy: Building Impact.
- 12.03.2024 — Inside the FBI Podcast: The Counterterrorism Division Turns 25
- 11.21.2024 — FBI Director Wray Delivers Remarks at FBI Agents Association's G-Man Honors Dinner
- 11.20.2024 — Seattle Teen Academy
- 11.20.2024 — Ahead of the Threat Podcast: Episode Three - Chris Cwalina
FBI Weekly Newsletter
Subscribe to our email newsletter for news on the FBI, sent out every week.