Identifying and Avoiding Business Email Compromise (BEC)
January 16, 2025
The number of phishing attacks that businesses experience is growing every year. As trusted professionals managing sensitive data, CPAs play a crucial role in safeguarding their firms against these cybersecurity threats. There are a few proactive measures you can take to prevent a successful phishing attack or minimize its effects. These include:
- Teach employees how to recognize a phishing attempt.
- Do not click on links you are not expecting. Instead, hover over them to view the URL and confirm the website is where you want to go.
- If a client or vendor asks to change billing type or information, verify the request first through a known-good method of contact.
- Protect your passwords: create strong passwords, keep them secret, and use multi-factor authentication when possible.
Following these steps can reduce the number and severity of cybersecurity incidents at your business.
What is BEC?
All businesses heavily rely on email communication to conduct daily functions, which puts them at risk of falling victim to business email compromise (BEC). BEC is a form of social engineering — when a cybercriminal gains access to a business email account and uses manipulative techniques to trick you into providing confidential information or sending money. Cybercriminals count on employees to trust that any email that looks like it came from a vendor, co-worker, or customer is valid.
How BEC occurs
BEC occurs when a cybercriminal gains access to an email account or spoofs an email address to impersonate the sender. The cybercriminal sends an email to you as that person and asks for confidential information or for you to perform an action. If you do one of those things, you may be sending money to the cybercriminal or allowing them access to your information or computer.
How to recognize social engineering
Cybercriminals are getting better at creating seamless communications that look like they are from someone you know or a business you recognize. It can be helpful to keep the following in mind:
- Look for spelling and grammar mistakes.
- Watch for unexpected links or attachments.
- Be wary of urgency or threats.
- Verify the sender’s email address.
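The checks in this list, plus the hover-over-the-link advice given earlier, can be applied mechanically to a message before anyone acts on it. The script below is an added example written for this article, not code from INTRUST Bank or the OSCPA. It reads a raw email, compares the From and Reply-To domains, flags a sender domain that is one character away from a vendor the firm already deals with, reports links whose visible text names one site while the target is another, and notes urgency language. The vendor domain list, the urgency phrases, and the sample message are all constructed for the example.

```python
"""Screen a raw email for the BEC warning signs listed in this article.

Added example (not the article's or INTRUST Bank's own code). The known
vendor domains, urgency phrases and the sample message are constructed.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Vendors the firm already pays (constructed for the example).
KNOWN_DOMAINS = {"acme-supplies.example"}

# Phrases that signal "urgency or threats" (assumed list; tune in practice).
URGENCY_PHRASES = ("urgent", "immediately", "overdue", "final notice")

# Link text that itself looks like a URL or bare domain, e.g. "bank.example/pay".
URL_LIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?$", re.I)


def domain_of(header_value):
    """Lower-cased domain part of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def hostname(text):
    """Best-effort hostname from a URL or bare domain string."""
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def lookalike(domain, known):
    """True when domain is one character substitution away from a known domain
    (e.g. the digit 1 in place of the letter i)."""
    return any(len(domain) == len(k) and sum(a != b for a, b in zip(domain, k)) == 1
               for k in known)


class LinkCollector(HTMLParser):
    """Collect (visible text, href) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def screen_message(raw):
    """Return a list of (finding_code, detail) tuples; empty means nothing flagged."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"])

    # Verify the sender's address: replies quietly routed to another domain.
    if reply_domain and reply_domain != from_domain:
        findings.append(("reply_to_mismatch", f"{from_domain} -> {reply_domain}"))
    # A sender domain that imitates a vendor the firm already knows.
    if from_domain not in KNOWN_DOMAINS and lookalike(from_domain, KNOWN_DOMAINS):
        findings.append(("lookalike_domain", from_domain))

    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    # "Hover over the link": visible text names one site, href goes to another.
    if body_part is not None and body_part.get_content_type() == "text/html":
        collector = LinkCollector()
        collector.feed(body)
        for text, href in collector.links:
            if URL_LIKE.match(text) and hostname(text) != hostname(href):
                findings.append(("link_mismatch", f"{hostname(text)} -> {hostname(href)}"))

    # Urgency or threats in the subject or body.
    lowered = f"{msg['Subject'] or ''} {body}".lower()
    hits = [p for p in URGENCY_PHRASES if p in lowered]
    if hits:
        findings.append(("urgency", ", ".join(hits)))
    return findings


# Constructed sample: a payee-change request with every warning sign present.
SAMPLE_MESSAGE = """\
From: "Acme Supplies Billing" <billing@acme-suppl1es.example>
Reply-To: <payments@mail-updates.example>
To: ap@firm.example
Subject: URGENT: updated remittance details
Content-Type: text/html; charset="utf-8"

<html><body><p>Our bank has changed. Please update the payee immediately;
the invoice is overdue. Confirm at <a href="http://acme-portal-login.example/pay">
acme-supplies.example/invoices</a>.</p></body></html>
"""

if __name__ == "__main__":
    for code, detail in screen_message(SAMPLE_MESSAGE):
        print(f"{code}: {detail}")
```

A message with no findings is not proof of legitimacy; an attacker who controls a real vendor mailbox passes every header check. The script narrows the pile to what needs a phone call to a known number, which is the step the article insists on regardless.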
How to protect your firm
Be cautious of communications you receive that ask you to take an action, especially the following:
- Sending credit card or account information.
- Changing payment information, including a vendor payee.
- Resending payment because the original payment has failed.
- Making an urgent and overdue payment.
- Urging you to click a link to an unfamiliar site.
Before you do anything, verify the request with the sender by calling a phone number you know is legitimate or speaking with the requestor in person. Do not call any phone numbers listed in the email you received. Instead, look up a known number for the requestor’s company.
As a banking partner, INTRUST Bank is dedicated to the success of your firm — both through business banking products and information provided to help you keep your business safe.
This content was provided by an OSCPA partner, INTRUST Bank. Learn more about INTRUST Bank and how to protect yourself against cybercriminals at intrustbank.com.