Over the past two years, business email compromise (BEC) attacks have increased by 175%. A BEC attack happens when a scammer or cyber criminal sends an email message that appears to come from a vendor or from an employee at your organization. The recipient falls victim because the message looks like a legitimate request made in the normal course of business. For example, a BEC email may ask the recipient to process an updated invoice that carries a different mailing address or payment instructions, or may appear to come from a member of management requesting and authorizing a large purchase or transaction.
In 2022, the FBI received 21,832 BEC complaints with losses totaling more than $2.7 billion. We recommend financial institutions use the BEC resources made available by the FBI to help mitigate and respond to BEC attacks.
Employees can also help prevent successful BEC attacks by following email security best practices, including:
- Checking the actual sender address in the ‘From’ field, not just the display name, to confirm the message has not been spoofed and that it comes from a domain you normally communicate with. A lookalike domain that differs from a vendor’s real domain by a single character is a common BEC tactic.
- Acting only on email messages and requests that were expected and anticipated.
- Validating requests for changes to payment information or addresses by contacting the individual or vendor using contact information saved on file, not contact information within the email message.
- Reporting all suspicious emails to management or the IT help desk.
BTG can help ensure employees are trained and aware of BEC attacks and other email security risks. Financial institutions engage with BTG for managed information security and cybersecurity services including Social Engineering Testing and Enterprise-Wide Information Security & Cybersecurity Awareness Training.
Contact Elisabeth N. Esposito at firstname.lastname@example.org for more information and for additional resources related to mitigating BEC attacks.