Business Email Compromise Scams

Does your business use email communications for financial transactions? If so, then simple awareness of a sophisticated cyber-enabled fraud scam called Business Email Compromise (BEC) may help prevent your business from becoming victimized. It’s happening daily, involving seemingly harmless, routine email requests.

What is Business Email Compromise?

The scam is carried out when someone compromises or forges an email header so that the message appears to have originated from someone/somewhere other than the legitimate business email accounts. Then, this person uses those compromised or fraudulent email accounts to trick victims into conducting a transfer of funds. These fund transfers are most routinely requested to be completed via wire transfer or ACH, but may also involve checks and/or the purchase of gift cards.

Typical scenarios utilized in this fraud scheme include:

• A email appearing to come from the CEO requests an immediate wire transfer to pay an invoice (that ultimately is fraudulent); a request that is an uncommon practice for the CEO.
• A business that has a longstanding relationship with a supplier is asked to send funds for invoice payment to an alternate, fraudulent account.
• A supplier/vendor receives an email – that they believe is from you – asking for payment to an alternate, fraudulent account.
• A victim is contacted by a fraudster who impersonates a lawyer. The fraudster claims to be handling a confidential and time-sensitive matter and requests a transfer of funds.
• A fraudulent request is sent via a business executive’s compromised email account to people/entities in the business organization responsible for W-2s or maintaining personal information (e.g., HR). The fraudster requests employee W-2 information, which is subsequently used to commit income tax refund fraud.
• A victim receives a request from their management to purchase gift cards for a work-related function or as a present for a special occasion, using their corporate or personal credit card, for example. The gift cards are then forwarded to the fraudster per instructions, sometimes this is done by simply sending a reply email to the "manager" with the gift card numbers as well as the scratched off authorization codes from the back of the cards.

How to protect yourself from becoming a victim?

1. Always be suspicious of pressure to act quickly.
2. Establish and utilize verification standard practices. Within your company and with your business partners follow established processes – such as telephone calls – to verify significant transactions or to confirm changes to established payment beneficiary information (e.g., name, address, account number).
3. Do not use the “Reply” option to respond to any business emails. Instead, use the “Forward” option. Then, type in the correct email address, or select it from the email address book to ensure the intended recipient’s correct email address is used. This will ensure if the original email address was spoofed, that the reply message will go to the legitimate person. The legitimate person can then alert you that the original email was not sent from them.
4. For businesses, create inbox rules that flag emails with extensions that are similar to the company email domain. For example, a detection system for legitimate email of abc-company.com would flag fraudulent email from abc_company.com.
5. For businesses, register all domain names like your own actual company domain. For example, “abc-company.com” would also be registered to the legitimate company “abccompany.com.”
6. Beware of sudden changes in customer activity or authorizations. For example, if a current business contact suddenly asks to be contacted via their personal email address when all previous official correspondence has been via company email, the request could be fraudulent.
7.  Be careful about what is posted to social media and company websites. For example, determine if it’s necessary to disclose job duties/ descriptions, hierarchal information, out-of-office details, direct phone numbers and email addresses. This will make it more difficult for your employees to be targeted through social engineering techniques or phishing campaigns.

What to do if you become a victim

• Notify us immediately if you discover any unauthorized or unusual activity involving your Comerica accounts.
  • Treasury Management customers: Contact Treasury Management Relationship Services at 888.341.6490
  • All others: Contact your Comerica relationship manager or the nearest Comerica banking center.
• If you are suspicious of an email you receive, you may forward it to us for review at the following mailbox ReportFraud@Comerica.com.

Helpful Resources

• Review Comerica’s information on Security Awareness for Business.
• Schedule a meeting with key financial personnel at your business to ensure they are complying with the best practices.
• Review tips as detailed in the FBI’s latest Public Service Announcement on Business Email Compromise: The $50 Billion Scam (ic3.gov)

Comerica Treasury Management customers may contact their Treasury Management representative or Treasury Management Relationship Services at 888.341.6490

These suggestions are for informational purposes only. These suggestions are not intended, nor should they be used as an exclusive list of potential solutions aimed at the detection and prevention of cyber-crime and related fraud risks. Comerica is not an information technology expert and is not offering specific information technology or other computer systems advice. Accordingly, you and your company should consult your own computer systems or information technology expert(s) to adequately address any and all issues relating to cyber-crime detection and prevention including, without limitation, any potential computer or systems infection.