
Protect Your Business from Email Fraud

6/25/2024

Companies small and large conduct business via email every day. According to the FBI, business email compromise (BEC), aka email account compromise (EAC), is one of the most financially damaging online crimes—with 80% of business bank accounts having received at least one BEC email attack. Pacific Premier Bank considers the security of our clients’ financial well-being a top priority.

What is BEC fraud?

BEC is an email scam that targets businesses, organizations, and individuals to trick them into making wire transfers or divulging other confidential information. BEC fraud has been on the rise, especially with companies choosing hybrid or remote work options.

Typically, a scammer spoofs a person or organization using slight variations of the sender's email address or the business’s website. They may ask for a fake invoice to be paid or use a spoofing tool to direct emails to accounts they control.

Examples of Common BEC Scams

  • Vendor Payments – Scammers impersonate a business’s vendor by sending a phony invoice for services or supplies but with new or updated payment instructions to divert payment to the scammer's account.
  • Impersonation – Often impersonating the CEO, a scammer sends a realistic-looking email asking someone with authorization to send an urgent wire transfer, hoping the employee doesn’t verify the request before sending the wire transfer.
  • Mail Auto Forwarding – A scammer sets up an auto forward rule to forward emails to their own email address.
  • Spear Phishing Emails – A scammer sends bogus emails that look like they’re from a trusted sender to trick victims into divulging sensitive information.
  • Malware – A scammer may send an email with a link or attachment containing malicious software, which can be used to infiltrate the company’s network and give the scammer access to confidential information such as users’ passwords and financial information.

DOs and DON'Ts to Avoid BEC Scams

  • DO train your employees, clients, and vendors to scrutinize the authenticity of every request and look for warning signs such as the urgency of the request, different domains, spelling errors, incorrect context/templates, or even secrecy requested by the sender.
  • DO verify requests using a method other than email. One consideration is to use phone verification (speaking directly with the requestor/company using previously known contact information, rather than information from the email) to confirm requests.
  • DO use email encryption to help protect confidential information.
  • DO maintain a secure list of vendors with their validated contact and current bank information. If an email is received updating banking information, contact the vendor from your list to verbally confirm the new banking information prior to making changes.
  • DON’T reply to emails, click on links, or download attachments from people you don’t know.
  • DON’T leave your email servers unsecured. Regularly update antivirus software and set up intrusion detection rules to flag emails whose sender domains closely resemble your company’s email domain.

If you suspect your accounts have been compromised due to fraud, please contact Client Services immediately at 855.343.4070, Monday - Friday, 7:00 a.m. - 6:00 p.m. PT, and Saturday, 9:00 a.m. - 1:00 p.m. PT.

For more tools and tips, visit Pacific Premier Bank’s Cybersecurity Center.

The information expressed is being provided for informational and educational purposes only. It is not intended to provide specific advice or recommendations for any individual or business. Pacific Premier Bank does not provide tax, legal, or accounting advice, and the information contained herein should not be construed as such. You should carefully consider your needs and objectives before making any decisions. For specific guidance on how this information should be applied to your situation or business, you should consult your own tax, legal, and accounting advisors before applying any recommendation.

Pacific Premier Bank will not text, email, or call you asking for your online banking password or one-time security code. Make sure you verify the person who has contacted you before acting on any request.
