There are so many ways that crooks can carry out an email scam.
- Spoof an email account or website: Slight variations on legitimate addresses (firstname.lastname@example.org versus email@example.com) can fool someone into thinking fake accounts are real.
- Send phishing emails: These messages look as if they are from a trusted sender to trick victims into revealing confidential information. That information lets criminals access company accounts, calendars, and data that give them the details they need to carry out business email compromise (BEC) schemes.
- Use malware: Malicious software can infiltrate company networks, gain access to legitimate email threads about billing and invoices, and let criminals gain undetected access to a victim’s data, including passwords and financial account information. Fraudsters use this information to time requests or word messages so that accountants or financial officers do not question payment requests.
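A defender-side check for the lookalike-address trick described in the first bullet, added here as an example and not part of the original article: it folds common character substitutions, then compares the sender's domain against a trusted list using an edit distance that counts adjacent transpositions as one edit. The trusted-domain list, the homoglyph table and the distance threshold of 1 are assumptions for the example; a "lookalike" result should trigger the out-of-band phone verification the training points below call for, not replace it.

```python
# Domains this organisation trusts: a constructed list, assumed for the example.
TRUSTED_DOMAINS = ["example.com", "example.org"]

# Digits commonly swapped for look-alike letters in lookalike domains (assumed table).
_HOMOGLYPHS = str.maketrans("0135", "oles")


def normalize(domain: str) -> str:
    """Canonical form: lowercase, digits folded to letters, 'rn' -> 'm', separators dropped."""
    d = domain.strip().lower().translate(_HOMOGLYPHS)
    d = d.replace("rn", "m")  # 'rn' renders much like 'm' in many fonts
    return d.replace("-", "").replace(".", "")


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus adjacent swaps."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # transposition counts as one edit
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Domain part of an email address (assumes one '@', no display-name syntax)."""
    return address.rsplit("@", 1)[-1].strip().lower()


def classify(address: str, trusted=TRUSTED_DOMAINS, threshold: int = 1) -> str:
    """'trusted' for an exact match, 'lookalike' for a near miss, otherwise 'unknown'."""
    domain = sender_domain(address)
    if domain in trusted:
        return "trusted"
    norm = normalize(domain)
    if any(osa_distance(norm, normalize(good)) <= threshold for good in trusted):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample senders: the third and fourth are typo and homoglyph variants.
    for addr in ["ap@example.com", "ap@other.net", "ap@exampel.com", "ap@examp1e.com"]:
        print(f"{addr:24} -> {classify(addr)}")
```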
Predators often hunt freely and undetected on the network for long periods of time—sometimes more than a year—until they can put the con into action based on the information they have collected. Their presence isn’t detected until it is too late.
Businesses should train employees to:
- Be careful about sharing information online, including on social media. That information can allow fraudsters to guess passwords or answer security questions.
- Avoid clicking on anything in an unsolicited email or text message asking to have account information updated or verified.
- Look up the actual phone number of the company associated with the incoming email or text message instead of relying on the contact details the potential scammer has provided, then call the company directly at that independently obtained number to ask whether the request is legitimate.
- Carefully examine the email address, URL, and spelling used in any correspondence.
- Be careful when downloading a file, never open an email attachment from a stranger, and be wary of email attachments forwarded by others.
- Set up two-factor (or multi-factor) authentication on all email accounts that allow it, and never disable it.
- Verify payment and purchase requests in person if possible, or by calling the authorizing person at the company on a phone number that has been independently verified, to make sure the request is legitimate.
- Verify any change in account number or payment procedures with the person who appears to be making the request, in person or through a known telephone number.
- Be especially wary if the requestor is pressing for quick action.
Employees should be incentivized to report situations where they believe they may have accidentally unlocked the front gate to a scammer - give them full immunity.