The Better Business Bureau Foundation and its partners recently presented a free program to local companies about how to protect themselves from business email compromise (BEC). The event was held in Omaha at Blue Cross and Blue Shield of Nebraska.

What is BEC?

According to the FBI, BEC is a sophisticated scam targeting businesses that focuses on payment fraud. The scam is carried out by stealing legitimate business e-mail accounts through social engineering.

According to the FBI Omaha Cyber Task Force, many BEC scams are coming from Nigeria and are becoming more sophisticated. There are many types of BEC. One example, called vendor fraud or “man-in-the-email” works like this: “Alex”, an email fraudster, sends a phishing email to Cindy and tricks her into giving up her email login and password. Cindy then goes about her business and sends Jerry at ABC Co. an invoice. Since Alex now has control of Cindy’s account, he can see that Cindy sent Jerry an invoice, so Alex sends Jerry an email that looks like it’s from Cindy and asks for payment of the invoice to be wired to a fraudulent location. Jerry wires the payment to that location, and Alex collects the money.

What is the impact?

The FBI reports that between October 2013 and May 2018 there have been more than 78,000 incidents around the world, with more than $12.5 billion in losses. These numbers include 41,058 victims with more than $2.9 billion in losses in the United States.

How do scammers find their targets?

Scammers use websites like Linkedin, Intelius and Google to find victims. Eric Rodriguez, a presenter at the program and president of the Association of Certified Fraud Examiners (ACFE) Heartland Chapter, added that scammers also purchase email account credentials from the dark web, a place on the internet where people can buy stolen information like Social Security numbers and log-in credentials, as well as other illegal items.

What to do if you’re a victim

Rodriguez said BEC can happen to anyone in any size business. If you’re a victim of BEC, you should report the incident to the FBI’s Internet Crime Complaint Center (IC3). If money was sent, contact your bank and the FBI immediately. You should also contact your internet service provider, the credit bureaus and your credit card company.

How to prevent BEC

All this information may sound like a lot of doom and gloom, but there have been successful prosecutions, including as recently as Feb. 8 and March 25 in Nebraska. There are things you can do to prevent BEC:

  • Use multi-factor authentication
  • Educate and train your employees
  • Implement policies and procedures for verifying significant financial transactions
  • Add banner warnings to external emails
  • Configure SPF, DKIM and DMARC

Visit these sites for more information: