Wiring money internationally to clients, suppliers, and/or consultants may be a risky task for some businesses. The Financial Crimes Enforcement Network (“FinCEN”) reported recently that, despite its efforts, business email compromise (“BEC”) from internet criminals and hackers has continued to climb over recent years (here). Since 2016 FinCEN has received over 32,000 reports of attempted BEC threatening over $9 billion in personal and business assets. Given the potential danger for BEC at your company, here are some suggestions to try to minimize risks when you are contacted by someone trying to obtain information from you (“impersonator”).

In general, BEC may appear as a three-step process. First, the impersonator unlawfully hacks or gains access to an email account and reads past emails to obtain financial information from the victim company. Second, the impersonator will use this information to send fraudulent bank transfer instructions to the victim’s banking personnel. For this step, the impersonator typically either uses the victim’s email account directly or creates another email address that is nearly identical to the victim’s (e.g. using ceo@law.co  when the real CEO’s email address is ceo@law.com ). Finally, when an employee or bank staff member executes the money transfer as instructed by the impersonator/hacker, the scheme is complete and, if undetected, may be used again in the future. According to FinCEN’s reports, exercise caution when wiring money to banks in Asia (especially China or Hong Kong), as these are common destinations for questionable (up to fraudulent) transfers.

Sectors most commonly targeted by BEC are manufacturing and construction, commercial services, and real estate. In most cases, C-Suite and other high-level managers are most at risk of having their email compromised or being impersonated, while accounting or finance staff are most at risk to receive communication from an impersonator/hackers.

In addition to alerting your staff, here are some other steps you can take to get ahead of BEC:

• Blacklist commonly used passwords. Contrary to common belief, the National Institute of Standards and Technology finds that this is more effective than password composition or expiration policies (check here for more information);
• Be wary of writing about company or financial information in emails, on your company’s website, or on any other webpage that may not be secure;
• Consider two-step verification processes to confirm wire transfers or changes to vendor payment location directly via phone;
• Create or purchase computer intrusion software that flags potentially fraudulent emails;
• Purchase and maintain all internet domains that are similar to but slightly different than your company’s domain; and
• Make your employees aware of BEC and train them to scrutinize wire transfer requests.