Business email compromise schemes can be effective for scammers – and devastating for victims. Learn how to protect yourself.
Many of us take our business email protection for granted unless something out of the ordinary captures our attention.
That’s why a business email compromise (BEC) scheme can be so effective for scammers – and devastating for victims. You might be a victim and not realize it until it’s far too late.
While there are several variations of this online scam, it typically unfolds like this: You’re communicating with someone about professional services or goods that require a payment. A cybercriminal stealthily hacks into the third party’s email account and waits for the right moment to pounce. Perhaps the fraudster notices you’re communicating with an accountant about initiating a wire transfer of your funds.
The fraudster then pretends to be the accountant by sending what appear to be legitimate transfer instructions from their email account to you. When you don’t detect anything unusual about the correspondence, you simply follow the instructions and assume the wire transfer will be completed as requested.
Unfortunately, your funds will be intercepted by the cybercriminal instead. And you may not suspect anything until you eventually realize your wire transfer never made it to the intended recipient.
According to the FBI, BEC schemes continue to be the costliest: 19,369 complaints with an adjusted loss of approximately $1.8 billion.¹

Fortunately, you can sharply reduce the risk of being deceived by a fraudulent email by taking these steps:
- Make a call: When you receive instructions by email regarding a financial or other sensitive transaction, always call the company representative to confirm the instructions are legitimate. But don’t trust the phone number provided in the email, because it could be phony. Visit the company’s verified website or call using a verified number to ensure you’re speaking to the correct individual.
- Be suspicious: Fraudsters are skilled at creating (or “spoofing”) authentic-looking emails. So, only open email attachments sent from trusted senders, and always be leery about clicking on links contained in emails. If something seems even slightly odd to you, don’t proceed with any type of action requested in the email. Remember, your email account is a gateway into your computer and personal information.
- Upgrade your security: Most email providers offer Multi-Factor Authentication (MFA), which gives you another layer of security when logging into your account. With MFA, you’ll need to provide something other than your username and password (such as a one-time passcode or fingerprint) to access your email, which makes it more difficult for cybercriminals to hack into your account. Make sure to use a unique, lengthy password for each email account instead of reusing your passwords across your accounts.
If you’re a victim of a BEC-initiated wire transfer scam, it’s essential to act quickly because your money might be available to the cyberthief on the same day as the wire transfer.
So, contact your Morgan Stanley Financial Advisor immediately. You should also consider reporting the theft to your local law enforcement and the Internet Crime Complaint Center (IC3).
If your email account has been compromised, you should:
- Contact your email provider to regain control of your account. Make sure to update any security verification questions.
- Use a reputable antivirus product to eradicate any malicious software or “malware” (such as keystroke loggers) from your devices.
- Ensure you’re running the latest versions of your browser, operating system and software on your devices.
- From a malware-free device, change your email password to something lengthy and unique. Consider using a password manager to create and securely store your passwords.
- Set up MFA for your email account.
Being a victim of a BEC scam could also lead to identity theft. Visit the Federal Trade Commission (FTC) site or call 1-877-IDTHEFT (438-4338) to learn more about protecting yourself in the event that you feel your identity may have been compromised.
The Morgan Stanley Online Security Center also contains helpful information about this matter.