How to Avoid Business Email Compromise

First Republic Bank
November 21, 2022

  • The FBI reported over $43 billion in losses due to business email compromise (BEC) and email account compromise (EAC) between June 2016 and December 2021.
  • Defending your organization against BEC/EAC is more relevant than ever in today's fast-changing work environment.
  • The following strategies can help you and your company stay safe.

With the typical homebuyer paying 20% of the purchase price via wire transfer, property transactions have become a lucrative way for fraudsters to engage in BEC. In these sophisticated schemes, criminals compromise and use email accounts to trick unsuspecting victims into transferring funds or providing personally identifiable information, such as Social Security and bank account numbers.

Often, the fraudster will infiltrate a real estate company’s email system and send an email to the client with new wire instructions. Thinking they are coming from the agent, the client follows the new instructions, and the funds are sent to a fraudulent account. Usually, the funds are immediately depleted or sent to another account, making recovery difficult.

In May 2022, the FBI reported that there was a 65% increase in identified exposed global losses between July 2019 and December 2021, and over $43 billion in losses to BEC/EAC between June 2016 and December 2021. This number was derived from reports to the FBI and law enforcement and from filings with financial institutions. The scam has been reported in all 50 states and in 177 countries. No one is immune — victims also include small and medium-sized companies.

The ongoing battle

Modern BEC scams are more sophisticated than the traditional get-rich-quick email scams we’re all familiar with. After criminals gain access to an email account, they’ll often wait patiently for an email that identifies a financial deal, such as an escrow payment, and attempt to reroute the money.

The amount of valuable information in emails can be surprising. Details about business partner relationships, ongoing wire transactions, future purchases, third-party invoices or business acquisitions provide a gold mine for criminals to exploit.

Over the past few years, the tactics and social engineering elements of BEC attacks have become increasingly advanced. A criminal will fabricate a long email thread between a title company and an agent that is designed to look as if they have conversed for weeks on the matter. Because these crafty and meticulous schemes look authentic, they can fool even the most discerning people.

Watch for attempts to pressure you

BEC fraudsters often try to trick people into acting quickly. A message from a fraudster posing as a title company may tell a buyer that a wire transfer must be completed immediately to ensure the transaction goes through. In another scenario, a criminal pretending to be a company lawyer handling a time-sensitive issue will send an email at the end of the workday or week, putting even more pressure on the recipient to act hastily. These schemes often occur at the end of the day or on a Friday before a long weekend.

Organizations with a rigid hierarchy are often more susceptible to fraud, since criminals count on the degrees of separation to cause junior employees to carry out emailed orders from higher-ups without verbal validation. In flat organizations, employees are more likely to walk around the corner or pick up the phone to validate information or requests.

Protect yourself against BEC scams

With the rapid increase and potentially devastating consequences of BEC, companies and individuals should take steps to ward off such schemes.

Provide clear client instructions

Give your clients a printed copy of wiring instructions. Let them know that you will never send changes to wiring instructions via email, but will call instead. Consider putting a note in your email signature that reminds clients to be aware of wire fraud and reach out with questions.

Institute an internal security training program

Having a comprehensive anti-phishing training program can address the weakest link in the chain — making sure employees are not easily fooled. You can have a million security controls, but they can be circumvented by just one person being tricked.

Choose the right vendors

It’s important to select email vendors that provide services to block malware and email imposters prior to delivery.

Tighten access to email accounts

An effective way to deter BEC is to use two-factor authentication (sometimes called multi-factor authentication) to protect your email account. In general, there are three ways to authenticate an account: something you know (for example, a password), something you are (for example, a retina scan or thumbprint), or something you have (for example, a hard token). If you require more than one of these factors, thieves will have a much harder time gaining control of your account.

Practice good online habits

Certain common-sense practices can help keep you safe. Avoid using public Wi-Fi, and never open an email attachment from someone you don’t know, even if it looks like a legitimate business transaction.

Verbally verify payment instructions

By requiring mandatory verbal confirmation for payment instructions (especially for new payees) or administrative changes to things like phone numbers and email addresses, you can dramatically decrease the chance of becoming a victim of BEC.

Restrict approval rights

The number of people authorized to approve wire transfers and money movements should be limited to only those who are absolutely necessary.

If you do get caught by a BEC scam, it’s critical to take fast action. Immediately contact your financial institution and request that the funds be recalled. Next, report the incident to your local FBI office, which may be able to assist in the recovery efforts.

Here's how First Republic can help

At First Republic, we consider our clients’ safety and security to be of the utmost importance. We offer our clients tools to help keep their accounts safe. We can conduct on-site security awareness sessions to help organizations learn how to avoid the latest BEC tactics.
