You may be familiar with the email fraud tactic called phishing. A phishing email is one that tries to scam the recipient into providing confidential information or clicking a link or downloading a file that compromises the victim’s computer.
But there is a more sophisticated form of email fraud that business owners and consumers should be aware of and protect against—email compromise.
What is Email Compromise?
In a typical email compromise, the victim receives an email that comes from a known, legitimate source—the company CEO, a trusted business partner, or a vendor/supplier. The email requests that a payment be made or funds be transferred to a new bank account to complete a business process.
These emails are much harder to spot than ordinary phishing because they are sent from real email accounts that attackers have taken over. Mail from a compromised account is unlikely to be caught by spam or other phishing filters, since the account itself is legitimate.
- Business email compromise involves hacking an owner or high-level manager’s email to trick employees into making a last-minute payment or money transfer. These scams typically target employees in finance, payroll, or human resources who have access to the company’s finances and can make financial decisions.
- Email account compromise is similar to business email compromise, but it targets individuals—usually professionals associated with financial institutions, real estate companies, or law firms.
- Vendor email compromise targets vendors and suppliers that may have financial relationships with many businesses, allowing scammers to leverage that vendor-client relationship to attack multiple companies.
- Business email spoofing is when scammers create an email address that looks like it’s from a legitimate business, then send messages attempting to trick the recipient into providing passwords or bank account numbers, or into sending money.
Examples of these types of scams include:
- A vendor your company regularly deals with sends an invoice with an updated mailing address or bank account information.
- A company CEO asks her assistant to purchase dozens of gift cards to send out as employee rewards. She asks for the serial numbers so she can email them out right away.
- A homebuyer receives a message from his title company with instructions on how to wire his down payment.
- A company CEO emails their financial institution asking that a previously requested wire transfer be moved up and the recipient account changed.
Protecting Against Email Compromise
While email compromise attacks are more difficult to identify, there are steps individuals and businesses can take to avoid falling victim:
- Be skeptical of last-minute changes to wire transfer instructions or bank account information.
- Be wary of sudden changes in communication methods. For example, the CEO usually calls but is now only communicating via email.
- Verify any changes through the contact on file, preferably by phone or in person. Don’t contact the business or vendor using the phone number provided in the email.
- Watch for hyperlinks that may contain misspellings of the actual domain name.
- Check the address an email was actually sent from (not just the display name), and make sure any URLs in the email belong to the business’s real domain.
- Limit the number of employees who may approve or send money transfers.
- Set up alerts and monitor changes to your company’s email systems.
- Provide regular training to employees on email compromise red flags.
- Use email authentication and keep your company’s IT security current.
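As an added example (not part of the original article), a small Python check that automates the domain red flags in the list above: it compares the From and Reply-To domains, and flags sender domains and link hosts that imitate a trusted vendor domain, either by a near-miss spelling or by burying the real name as a subdomain. The trusted-domain list and the sample message are constructed for the example.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlparse

# Assumed list of vendor and partner domains the finance team is allowed to pay.
TRUSTED_DOMAINS = {"acme-supplies.example", "victim.example"}
# Constructed sample: look-alike sender, mismatched Reply-To, one deceptive link.
SAMPLE_EML = """From: Accounts Payable <billing@acme-supp1ies.example>
Reply-To: ap-desk@mailhost.example
Content-Type: text/plain

Please note our new bank account. Confirm at
https://acme-supplies.example.billing-portal.example/confirm
or see https://portal.acme-supplies.example/invoices/4471
"""


def edit_distance(a, b):  # Levenshtein distance, to catch near-miss spellings
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host):  # trusted domain this host imitates by typo or subdomain
    reg = ".".join(host.lower().split(".")[-2:])  # crude registrable domain
    if reg in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(reg, trusted) <= 2 or trusted in host.lower():
            return trusted
    return None


def check_message(raw):  # red flags from sender headers and body links
    msg = message_from_string(raw, policy=policy.default)
    flags = []
    sender = msg["From"].addresses[0]
    reply_to = msg["Reply-To"].addresses[0] if msg["Reply-To"] else None
    if reply_to and reply_to.domain.lower() != sender.domain.lower():
        flags.append(f"Reply-To domain {reply_to.domain} differs from From")
    if hit := lookalike_of(sender.domain):
        flags.append(f"sender domain {sender.domain} resembles trusted {hit}")
    body = msg.get_body(preferencelist=("plain",)).get_content()
    for url in re.findall(r"https?://\S+", body):
        host = urlparse(url).hostname or ""
        if hit := lookalike_of(host):
            flags.append(f"link host {host} resembles trusted {hit}")
    return flags
```

Run `check_message(SAMPLE_EML)` to see the three flags; the legitimate `portal.acme-supplies.example` link is not flagged because its registrable domain is on the trusted list.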
If you think you or your business are the victim of fraud, report it to your financial institution and the Federal Trade Commission at ftc.gov/complaint.