Responding to business email compromise
Business email compromise is on the rise. Find out how to protect your business.
The reliance on email in the business world today creates a troubling access point for criminals. Say you get an email that appears to come from a regular vendor but from an unfamiliar contact. They say they are filling in for your regular contact, who had a family matter come up, and they want to set up payment to a new account since they don’t have access to the one normally used.
In the countless streams of emails bouncing around our inboxes today, it only takes one slip-up for your company to be a victim of an email fraud called business email compromise (BEC).
The BEC basics
For those targeted, business email compromise can be incredibly damaging. In 2024, the FBI's Internet Crime Complaint Center (IC3) reported 21,442 complaints of Business Email Compromise (BEC). These incidents resulted in $2.77 billion in losses, making BEC the second most costly cybercrime category.
In many cases, the only resources required to perpetrate a BEC scam are information and an email account. In the fraudulent vendor example, the scammer only needed to know the vendor’s name and email and the name of the person they communicated with at the business.
Reporting a BEC scam
If you or your business is a victim of business email compromise or another type of email scam, there are a number of steps you should take. To start, document everything you can related to the fraud — emails, receipts, etc. — and keep it on hand to complete scam reports.
From there, contact your financial institution immediately. If the BEC scam ended with a fraudulent wire transfer, request that your financial institution contact the bank or institution that received the transfer and request a recall or reversal. Then, contact your local police department if you lost money or other possessions from the scam and report the scam to your state’s consumer protection office.
You can also report scams to several federal agencies to help them track patterns in scams. The Federal Trade Commission (FTC) has a complaint assistant that accepts reports on multiple common scams. If you believe the BEC scam came from outside of the U.S., you can report international scams to econsumer.gov.
Further, you can report online scams, including BEC, to the IC3. The IC3 has established the Recovery Asset Team (RAT) to work with law enforcement and financial institutions to help fraud victims potentially recover funds. Even if you report the event promptly, there is no guarantee that the funds are recoverable.
Remember, if sensitive personal information is compromised by BEC fraud, you may want to prepare to report identity theft.
Protecting your business from BEC
It doesn’t seem likely that the business world will move away from email communication anytime soon, so it’s important to have strong processes and training in place to protect your business from fraud.
For starters, create strong passwords, protect your personal login credentials, place dual controls on financial transfers, and verify all payments or purchases — if not in-person, then at least voice-to-voice over a call.
To create strong passwords:
- Make them long and memorable.
- Don’t use personally identifiable information.
- Make sure they can’t be easily guessed.
Don’t click on any links or images in unsolicited emails or texts, particularly if they ask you to follow a link to verify account or order information. Commonly, scammers will try to mimic the email address of a legitimate member of the business or another organization, so carefully examine the address the email is coming from.
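The sender-address check described above can be partly automated for accounts-payable mailboxes. The sketch below is an added example, not part of the original article: it flags sender domains that nearly match a known vendor domain and, going slightly beyond the text, a Reply-To that points to a different domain. The vendor domains, function names and distance threshold are assumptions constructed for illustration.

```python
from email.utils import parseaddr

# Constructed allow-list (assumption): domains of vendors you actually pay.
KNOWN_VENDOR_DOMAINS = {"acme-supplies.example", "northwind.example"}


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(header_value):
    """Domain part of a From/Reply-To header value, lowercased."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def check_sender(from_header, reply_to="", max_distance=2):
    """Return the reasons a message needs voice-to-voice verification."""
    reasons = []
    domain = sender_domain(from_header)
    if domain not in KNOWN_VENDOR_DOMAINS:
        near = sorted(k for k in KNOWN_VENDOR_DOMAINS
                      if edit_distance(domain, k) <= max_distance)
        if near:
            # Close to a real vendor but not identical: likely mimicry.
            reasons.append(f"lookalike of {near[0]}: {domain}")
        else:
            reasons.append(f"unknown sender domain: {domain}")
    if reply_to and sender_domain(reply_to) != domain:
        # Replies would leave the domain shown in the From line.
        reasons.append(
            f"Reply-To goes to a different domain: {sender_domain(reply_to)}")
    return reasons


if __name__ == "__main__":
    # Constructed sample: "rn" standing in for "m" in the vendor's domain.
    print(check_sender("Pat Lee <pat@acrne-supplies.example>"))
```

An empty result only means the address matches a known domain; a request to change payment details still calls for the call-back verification described earlier.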
If the message is claiming to come from the government or another business, don’t use any contact information from the message, and look up the organization separately. If the sender claims to be from a government agency, you can check the agency against this index of government organizations.
BEC scams are built on information, and information on social media sites like the name of a pet or the schools someone attended may be enough for a scammer to impersonate an individual over email or even breach their security questions or passwords. Ultimately, be careful what information about you, your business, and your employees is available online — and make sure your team is aware of potential red flags.
Find more ways to protect your business against another type of scam, payment fraud, by visiting Regions.com/fraudprevention.