Theft Through Email

It used to be that businesses worried about bad checks. Policies and procedures were put in place to minimize this problem, such as checking ID, collecting contact information if not present on the check, disallowing pre- or post-dated checks, calling the bank to verify, charging for bounced checks, and waiting for checks to clear before delivering goods.

Today, thanks to the internet, businesses also have to worry about theft through email. Sounds silly? It isn’t. It’s a $12B scam according to the FBI’s Internet Crime Complaint Center (IC3). IC3 recently released a new PSA on Business Email Compromise (BEC) based on data from October 2018 to May 2018.


Here are some examples of BEC.

Pay an invoice

An Accounts Payable employee receives an email request from the owner of the company to pay the attached invoice immediately. He complies, of course, because the request came from the boss! Except, it didn’t really come from the boss. It came from someone impersonating the boss’s email address. Upon closer inspection, the email wasn’t from the boss and the “invoice” actually routed the payment to a scammer!

Buying a house

Sue is buying a house and the instructions for wiring payment just arrived in her email. Shortly thereafter, updated wiring instructions arrive. Sue uses the new information to wire her money to close on her house. Unfortunately, the second email was a fake. It wasn’t her closing agent. A scammer had gained access to the closing agent’s email and used it send a falsified set of wiring instructions, which directed the money to a scammer’s account.

Business Email Compromise, also known as Email Account Compromise (EAC), especially in real estate, has been on the rise. According to the IC3 PSA, between 2015 and 2017 the industry saw an 1100% rise in reported BEC/EAC victims.

In some cases, like our first scenario, the scammer is able to use an email from an outside copycat email address to trick an unsuspecting person into making a payment. Other times, the scammer is lurking in someone’s inbox after stealing the password and seizing on an opportunity, as in the real estate transaction scenario.

What do you do?

Just like dealing with bad checks, use procedures to VERIFY any message (email, text, or other inbox) that requests money change hands. Don’t use contact details in the message—that could be fraudulent, too.

When dealing with an urgent email request for payment or purchases, verify with the sender using a known contact method (text their cell phone, call their desk, walk over and ask). Similarly, if you receive wiring instructions for closing on a real estate transaction, call the closing agent and confirm the instructions. Also, any requests to update a vendor’s bank account routing information should be independently validated before taking action.

VERIFY before you supply!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s