Email Fraud: A Survival Guide

Here are a few ways to spot the telltale signs of a fraudulent email, and what to do if you’ve been the victim of a scam.

In today’s technology-driven world, email is key to conducting business successfully. That means it’s important to be wary of business email compromise (BEC). While you may think your business isn’t a target, email fraud criminals have targeted businesses of all kinds and sizes—from school systems to large-scale corporations.

“It is absolutely imperative that businesses become more educated around threats that can come via simple email,” says Jeff Taylor, Head of Commercial Fraud Forensics at Regions Bank. There are two common ways that business email can be compromised.

Email-borne Malware

Malware (malicious software) is any code written to “hack” into your business’s computers or network. Think of the process like a Trojan horse, says Taylor. Email fraud hackers use a seemingly harmless email to introduce software into your computer via a link or an attachment. Once it’s in, the malware can spread to other computers on your business’s network or to your servers.

The specific type of software depends on what the email fraud hackers are trying to accomplish. For example, they may introduce a program that records every key you press. These keystroke loggers can capture banking transactions or record all of your usernames and passwords.

Fake Vendor Email

Email fraud hackers can also attack your company by infiltrating or posing as a company with which you do business. Once they have access to one of your vendor’s systems, they may hack the vendor’s email accounts or create accounts that look like your vendor’s. From there, they might send you a seemingly official email, such as a “vendor change of terms.” These emails often ask that you send your regular wire payment to a new bank account and routing number.

If You’ve Been Attacked

If you think you’ve been victimized, contact law enforcement and your bank immediately. File a report with your local police about the email fraud, but know that cybercrimes are often the jurisdiction of the FBI. You can submit claims online to the Internet Crime Complaint Center at

“Document everything that happened,” says Taylor. “It will help you avoid the same attack again.”

Proper preparation using cybersecurity processes and education is the best way to prevent these attacks.