Six steps you can take to protect yourself from BEC scams

Business email compromise (BEC) is a form of email phishing that uses the trust of people and companies we do business with to steal money.

In a BEC scam, criminals send an email message that appears to come from someone you know who is making a seemingly legitimate request, such as:

  • A vendor that your organization collaborates with has sent an invoice along with updated mailing address or electronic transfer information. They have requested to update the information in the accounting systems .A company CEO asking their assistant to purchase gift cards to send out as employee rewards and asking for the pin codes so she can email them immediately.
  • A person buying a home receives a message from their title company with instructions on how to wire their down payment for the new house. However, these instructions differ from the ones provided earlier by the same title company.

The payroll clerk received an email from an employee requesting a change in their direct deposit information. These scams are not just myths, they are real and have caused many victims to lose substantial amounts of money to criminal perpetrators. The FBI reports that Business Email Compromise (BEC) scams are becoming more prevalent across the country.

Here are things you can do to protect yourself and the State:

1. Spoofed email or website: Look for slight variations on legitimate addresses, such as an email address or company name with added or missing punctuation or letters (john.doe@example.com vs. johndoe@exampl.com). It's easy to miss small changes when you're in a hurry.

2. Spear phishing emails: These are targeted emails, generally to those in authority, crafted to look like they're from someone you know in an effort to trick you into revealing confidential information that lets criminals access company accounts, calendars, and data that gives them the details they need to carry out the BEC schemes. Make sure to contact the sender directly to confirm the unusual request. Do not respond via email or any phone number provided in the email.

3. Social media: Be careful what information you share online. By openly sharing information such as pet names, schools you attended, links to family members, and your birthday, you can give criminals important information they can use to craft emails or attempt access to your personal accounts.

4. Email attachments: Be careful what you download. Never open an email attachment from someone you don't know. Even if you recognize the sender, contact them directly to confirm authenticity if the email is unexpected.

5. MFA: Set up two-factor (or multi-factor) authentication on any account that allows it, and never disable it.

6. Urgency is a red flag: Be cautious when someone urges you to act quickly, this could be a warning sign.