Security

Business Email Compromise (BEC) Scams

Business Email Compromise (BEC) fraud is a type of cyber scam which targets businesses that regularly conduct wire transfers and ACH transfers, and is one of the most financially damaging online crimes.

A scammer might:

  • Spoof an email account or website. Slight variations on legitimate addresses (john.kelly@examplecompany.com vs. john.kelley@examplecompany.com) fool victims into thinking fake accounts are authentic.
  • Send spearphishing emails. These messages look like they’re from a trusted sender to trick victims into revealing confidential information. That information lets criminals access company accounts, calendars, and data that gives them the details they need to carry out the BEC schemes (CEO Fraud, Employee Account Compromise, Man-In-The-Email Scam, Bogus Invoice Scheme).
  • Use malware. Malicious software can infiltrate company networks and gain access to legitimate email threads about billing and invoices. That information is used to time requests or send messages, so accountants or financial officers don’t question payment requests. Malware also lets criminals gain undetected access to a victim’s data, including passwords and financial account information. Criminals then use the victim’s stolen information to e-mail fraudulent wire transfer instructions to the financial institution in a manner appearing to be from the victim. To this end, criminals will use either the victim’s actual e-mail account they now control or create a fake e-mail account resembling the victim’s e-mail.
  • Trick the victim’s employee or financial institution into conducting wire transfers that appear legitimate but are, in fact, unauthorized. The fraudulent transaction instructions direct the wire transfers to the criminals’ domestic or foreign bank accounts. Banks in Asia—particularly in China and Hong Kong—are common destinations for these fraudulent transactions.
  • Directly submit fraudulent transaction instructions to the company’s financial institution by impersonating company employees through e-mails and documentation related to the requested transfer.
  • Mislead a company employee into submitting fraudulent transaction instructions to the company’s financial institution by impersonating a supplier or a company executive to authorize or order payment through seemingly legitimate internal e-mails.

What to look for

  • E-mailed transaction instructions direct payment to a known beneficiary; however, the beneficiary’s account information is different from what was previously used.
  • E-mailed transaction instructions include markings, assertions, or language designating the transaction request as “Urgent,” “Secret,” or “Confidential” or unusual rationale for urgency such as “tax avoidance,” “jurisdictional regulations,” etc.
  • Emails and phone calls to employees with requests for their account username and/or password.
  • An email address that has slight variations from the legitimate address (e.g., john@c0mpany.com instead of john@company.com).
  • Unusual requests from a supplier to make a wire transfer (e.g., requests to bypass normal payment procedures or to only communicate by email).
  • Check and double-check the owner of the email address. You can easily do this by clicking on the email address in the email header to identify the sender (e.g., the sender looks like john.doe@company.com, however when you click on the email it looks like 123abc@fakee-mail.com).
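The two address checks above (slight variations on a legitimate address, and a displayed sender that differs from the real one) can be partly automated. The following is an added example, not part of the original page; the known-sender list, the digit substitution table and the distance threshold are assumptions chosen for illustration.

```python
from email.utils import parseaddr

# Constructed sample data: addresses the business already corresponds with.
KNOWN_SENDERS = {"john@company.com", "john.doe@company.com",
                 "john.kelly@examplecompany.com"}
# Digits commonly substituted for look-alike letters (assumed, not exhaustive).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
MAX_DISTANCE = 2  # assumed threshold for "slight variation"


def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header, known=KNOWN_SENDERS):
    """Return (kind, address) findings; [] means nothing was flagged."""
    display, addr = parseaddr(from_header)
    addr, display = addr.lower(), display.strip().lower()
    if addr in known:
        return []
    findings = []
    # The visible name shows one address while the real sender is another.
    if "@" in display and display != addr:
        findings.append(("display_mismatch", display))
    # The real address is a near-copy of a known one after undoing digit swaps.
    for legit in sorted(known):
        d = edit_distance(addr.translate(CONFUSABLES), legit.translate(CONFUSABLES))
        if d <= MAX_DISTANCE:
            findings.append(("lookalike", legit))
    return findings


if __name__ == "__main__":
    for header in ('"john.doe@company.com" <123abc@fakee-mail.com>',
                   "John <john@c0mpany.com>",
                   "john.kelley@examplecompany.com"):
        print(header, "->", check_sender(header))
```

A message sent from a genuine account that criminals already control passes this check, so confirming payment changes by phone on a known number is still required.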

What you can do

  • Is your vendor or their point-of-contact new? If new, how did they learn about your business?
  • If instructions are received by email or text, call the vendor directly on a known number and confirm the change. Do not use any new phone numbers given in the email or text communication.
  • Did the vendor express urgency in the request or provide only a specific window of availability for contact?

Educate yourself and your employees on this kind of scam, as no business is immune. Fraudsters consider themselves opportunists and will not hesitate to exploit a weakness when found. 

How to report

If you or your business fall victim to a BEC scam, it’s important to act quickly:

  • If you discover you are the victim of a fraud incident, immediately contact your financial institution to request a recall of funds.
  • Next, contact your local FBI field office to report the crime.
  • Regardless of the amount lost, file a complaint with www.ic3.gov or, for BEC/EAC victims, BEC.ic3.gov, as soon as possible.

Stay informed and stay safe! Scammers keep evolving their tactics, so it’s important to stay up-to-date on the latest scams in order to protect yourself and your loved ones.

Fraud Prevention Solutions

Your security is our top priority. That’s why Dime offers fraud prevention solutions that can help you identify, report, and prevent fraud.

Check Positive Pay

Check-based fraud prevention that matches checks presented for payment against a list of checks issued by your business.


ACH Positive Pay

Prevent fraud related to ACH transactions by using our system, which enables your business to monitor and manage such transactions. You can use filters and blocks to ensure that all ACH transactions posted in your account are legitimate.


Debit Card Security

Protection from identity theft and unauthorized spend.

• ID theft protection*

• Zero liability protection**

• Fraud monitoring text alerts


Savvy Money

The first step toward improving your credit is understanding your credit. That’s why Dime online banking includes Savvy Money, a service that helps users access their rating, learn the factors most impacting it, and learn how to improve it.



* Terms, conditions, limitations and in some cases enrollments are applicable – please see the Mastercard Guide to Benefits for Debit Cardholders.

** You’re not responsible for unauthorized transactions that you promptly report to us if you have taken ordinary care of your card and PIN.