Business Email Compromise (BEC)
BEC takes on different forms and may be very difficult to detect. The three main points of entry are:
Employee email compromise – uses an employee's personal email account to request a change to the direct deposit information used for that employee's payroll or other compensation.
Vendor email compromise – uses a fake email account to impersonate a vendor and ask accounts payable to change the vendor's payment information.
Executive impersonation – impersonates a company executive or another trusted authority figure to request that a payment be originated or that existing payment information be changed.
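The three entry points above leave different fingerprints in the mail headers: an executive's display name on an address outside the company, a vendor domain that is one character off from the real one, a payroll change sent from a free-mail address, or a Reply-To that steers replies away from the From address. The following triage script is an added example for this page, not code from the original; the corporate domain, executive names, vendor domains and all four messages are constructed, and the keyword lists are illustrative. It only decides which messages need STOP-CALL-CONFIRM; it does not replace the call.

```python
"""Heuristic triage of inbound mail for the three BEC entry points above.

Added example, not part of the original page. The corporate domain, the
executive names, the vendor domains and the four messages are constructed
for illustration. Output is a list of mail to verify out of band.
"""
import re
from email import message_from_string
from email.utils import parseaddr

CORP_DOMAIN = "example.com"                            # assumed corporate domain
EXECUTIVES = {"jane doe", "john smith"}                # assumed executive display names
KNOWN_VENDORS = {"acme-supply.com", "northwind.net"}   # assumed vendor domains

# Wording that signals a request to originate a payment or change payment data.
CHANGE_RE = re.compile(
    r"direct deposit|payroll|bank account|routing number|wire|remittance|"
    r"payment (details|information)|new account", re.I)
PAYROLL_RE = re.compile(r"direct deposit|payroll", re.I)


def edit_distance(a, b):
    """Levenshtein distance; used to spot lookalike domains (acme-suply.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify(raw):
    """Return (entry_point, reasons); entry_point is None when nothing is flagged."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = domain_of(addr), domain_of(reply)
    text = msg.get("Subject", "") + "\n" + msg.get_payload()

    if not CHANGE_RE.search(text):
        return None, []                      # no payment request, nothing to verify

    reasons, entry = [], None
    ext_reply = bool(reply_dom) and reply_dom != from_dom

    # Executive impersonation: a known executive's display name on an address
    # outside the company, or a corporate From with replies steered elsewhere.
    if name.lower() in EXECUTIVES and (from_dom != CORP_DOMAIN or ext_reply):
        entry = "executive impersonation"
        reasons.append(f"executive name '{name}' but mail path is not {CORP_DOMAIN}")

    # Vendor email compromise: From or Reply-To is a near miss of a real vendor.
    for dom in {from_dom, reply_dom} - {""}:
        for vendor in KNOWN_VENDORS:
            if dom != vendor and edit_distance(dom, vendor) <= 2:
                entry = entry or "vendor email compromise"
                reasons.append(f"{dom} is a lookalike of vendor {vendor}")

    # Employee email compromise: payroll change requested from outside the company.
    if PAYROLL_RE.search(text) and from_dom != CORP_DOMAIN and entry is None:
        entry = "employee email compromise"
        reasons.append(f"payroll change requested from non-corporate {from_dom}")

    if ext_reply:
        reasons.append(f"Reply-To domain {reply_dom} differs from From {from_dom}")
        entry = entry or "reply-to mismatch"
    return entry, reasons


# Constructed sample messages (one per entry point, plus a legitimate invoice).
EXEC_MSG = """From: Jane Doe <jane.doe@example-com.co>
To: ap@example.com
Subject: Urgent wire before 3pm

I'm in back-to-back meetings and can only do email. Please wire $48,200
to the new account in the attached instructions and confirm when done.
"""

VENDOR_MSG = """From: Accounts Receivable <billing@acme-supply.com>
Reply-To: billing@acme-suply.com
To: ap@example.com
Subject: Updated remittance details for invoice 1042

Please note our new bank account for all future payments. Details attached.
"""

EMPLOYEE_MSG = """From: Bob Jones <bob.jones88@gmail.com>
To: payroll@example.com
Subject: Direct deposit change

Hi, I switched banks. Can you update my direct deposit before Friday's
payroll? I'll send the new routing number once you confirm.
"""

LEGIT_MSG = """From: Accounts Receivable <billing@acme-supply.com>
To: ap@example.com
Subject: Invoice 1043

Invoice 1043 attached. Payment details are unchanged from last month.
"""

if __name__ == "__main__":
    for label, raw in [("exec", EXEC_MSG), ("vendor", VENDOR_MSG),
                       ("employee", EMPLOYEE_MSG), ("legit", LEGIT_MSG)]:
        entry, reasons = classify(raw)
        print(f"{label:9}-> {entry or 'not flagged'}: {'; '.join(reasons)}")
```

The legitimate invoice mentions "payment details" and still comes back unflagged, because keyword hits alone are not the signal; the signal is a payment-related request arriving over a mail path that does not match the party it claims to come from. Tune the domain lists and keyword patterns to your own environment.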
The FBI's Internet Crime Complaint Center (IC3, www.ic3.gov) received almost 800,000 complaints in 2020 and expects that number to rise significantly in 2022. Over 19,000 of those complaints were specific to BEC, and together they accounted for more than $1.8 billion in losses.
A simple yet highly effective control against BEC is STOP-CALL-CONFIRM, applied to every email that asks for a payment or a change to payment details:
STOP – DO NOT process the request received via email
CALL – Call the sender using a legitimate phone number known to you. DO NOT reply to the email, and DO NOT call the number listed in the email
CONFIRM – Verify with the real vendor or employee that they did, in fact, request the change, and only then process it