Six steps to protect your company from business email compromise
Business email compromise, or BEC, is one of the most effective cyber crimes, and it can be very difficult to detect.
[Visual of a woman at work putting on her glasses and opening her laptop to check her email.]
Scammers may use a number of tactics, including phishing emails, social engineering or hacking, to trick employees into downloading malware or revealing company or financial information.
[Visual of a group of employees in a glassed-in office discussing some of the ways criminals might use BEC to target their business or individual accounts.]
Many BEC attempts target accounts payable employees, or decision-makers who have authority to access financial details and approve transactions. But make no mistake: Every employee must remain vigilant and aware of evolving BEC threats.
[Visual of an accounts payable employee confirming the details of an emailed request to change payment processes by calling the vendor directly while he reviews the email.]
In some cases, criminals will first compromise a third-party email account, such as a vendor’s, or the email of an employee who doesn’t handle financial information.
[Visual of an employee working from home reviewing his company's protocols for protecting his work email account.]
Then they can execute BEC crimes by using the third-party email address to target other employees’ accounts or access company networks.
Also bear in mind that any company, of any size, can be a target.
[Visual of a new member of a small company being congratulated for improving cyber security protocols.]
That’s why every company needs to create and share email best practices with every employee. These practices are particularly important when it comes to any email that includes account changes, payment instructions or sensitive company information.
[Visual of ‘Best practices for every employee’ with paper airplane, representing an email, entering a building. Email opens and connects headshots of several employees, with lines of communication and dollar signs in between.]
These are 6 best practices to follow:
First: Always stay alert.
Criminals still count on human error and lack of oversight to help them pull off many scams. Even if the sender’s address, request and tone seem normal, don’t assume the email is legitimate. Take time to verify the sender’s identity through another channel.
[Visual: ‘1. Always stay alert’ appears above an email, represented by an envelope, being reviewed and found legitimate, with a green check appearing on the top right of the envelope.]
Number 2: Establish protocols
If you work with vendors, establish protocols with them that govern how you’ll accept and validate changes in payment instructions. Look carefully at vendor contracts, and make sure these protocols are outlined in them, along with steps you might take to handle non-compliant requests.
[Visual: ‘2. Establish protocols’ appears above a vendor communication and contract that are reviewed under a magnifying glass, which represents a protocol for vetting email requests.]
Number 3: Validate email requests
Don’t respond to emails that contain instructions for changes in payment processes. Instead, follow established protocols for responding to these types of requests.
[Visual: ‘3. Validate email requests’ appears above an envelope that contains a letter with a dollar sign, which is then sealed and covered in green check marks that demonstrate the request has been verified as legitimate.]
Number 4: Create secure processes.
Employees should be able to slow down payment approvals without undue pressure. Implement dual approval payment processes and set up alerts for payments above certain thresholds.
[Visual: ‘4. Create secure processes’ appears above a laptop, on which the numbers of an account appear onscreen. Laptop is replaced by a cell phone with biometric (thumbprint) that represents a dual alert payment process.]
Number 5: Use available tools.
Domain-based Message Authentication, Reporting and Conformance, or DMARC, is a protocol that helps authenticate the origin of your emails and helps you track any use of your company's email domain. This can help prevent BEC, especially by criminals who try to spoof your company's identity to trick others.
[Visual: ‘5: Use available tools’ appears above graphic sequence, in which an email ‘airplane’ leaves a building and passes through a screen, which represents an email verification system for outgoing mail. ‘5: Use available tools, such as DMARC’ then expands to show a screen on the other side of the building, representing an email verification system for incoming mail.]
DMARC can also be utilized on inbound emails to help prevent domain-spoofed emails from reaching your employees.
In addition to DMARC, a tool called Brand Indicators for Message Identification, or BIMI, can help your email recipients trust that communications from your company are legitimate.
BIMI does this by populating inboxes with a verified, trademarked brand logo. This can provide your customers and partners with a visual cue that indicates the email has been properly authenticated.
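As an added illustration of the DMARC and BIMI points above (example code, not from the Bank of America video), the following evaluator shows how a receiving mail gateway applies a domain's DMARC record to a message whose From: header claims that domain, and why a monitor-only record (p=none) lets a spoofed message through while an enforcing record (p=reject) blocks it. The example.com records, domain names and the simplified organizational-domain check are constructed assumptions for this example.

```python
# Added example, not the video's or Bank of America's code: a minimal DMARC
# evaluator with constructed sample records and constructed domain names.

# Constructed sample records: (a) monitor-only, (b) enforcing, strict alignment.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
ENFORCING = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com"

def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=reject; adkim=s' into a tag dict; require v and p."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags

def org_domain(domain):
    """Crude organizational-domain reduction (last two labels). Real receivers
    consult the Public Suffix List; this is enough for the samples here."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    accepts any host in the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def evaluate(record, from_domain, spf_domain=None, dkim_domain=None):
    """Return (dmarc_pass, disposition). spf_domain is the domain that passed
    SPF (envelope sender); dkim_domain is the d= of a signature that verified.
    Either aligned pass is enough; otherwise the record's p= tag decides."""
    tags = parse_dmarc(record)
    spf_ok = aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return True, "none"
    return False, tags["p"]

def bimi_ready(record):
    """BIMI only shows a logo once DMARC is at enforcement: p=reject, or
    p=quarantine applied to 100% of mail."""
    tags = parse_dmarc(record)
    pct = int(tags.get("pct", "100"))
    return tags["p"] == "reject" or (tags["p"] == "quarantine" and pct == 100)
```

The disposition returned for a failing message is what the inbound gateway acts on: with MONITOR_ONLY it is "none", so the spoofed mail is still delivered and only reported, which is why moving to p=quarantine or p=reject is the step that actually protects employees.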
[Visual: ‘5: Use available tools, such as BIMI’ Airplane representing an email lands in and unfolds in a square box, and reveals a brand logo that is recognized and given a green check mark, representing another email validation check.]
And finally, Number 6:
Create a cyber-aware culture at work.
[Visual: ‘6. Create a cyber-aware culture’ appears above a badge with a building at its center, which represents a company. The badge is connected to many head icons to represent a company culture based on cyber security awareness.]
Encourage all employees to practice cyber hygiene and use all opportunities to reinforce the idea that your company’s security is everyone’s responsibility.
[Visual: B-roll of employees in a meeting discussing reports and collaborating about best practices.]
[Visual: Bank of America logo]
Better Money Habits®
The material provided on this video is for informational use only and is not intended for financial or investment advice. Bank of America Corporation and/or its affiliates assume no liability for any loss or damages resulting from one’s reliance on the material provided. Please also note that such material is not updated regularly and that some of the information may not therefore be current. Consult with your own financial professional when making decisions regarding your financial or investment management. Ⓒ 2021 Bank of America Corporation.
In this video
Business email compromise is one of the most financially damaging online crimes, according to the FBI. Scammers may use various tactics, including phishing emails, social engineering or hacking, to trick employees into downloading malware or revealing company or financial information. Watch the video above to learn about business email compromise and the six ways to best protect your company—from staying alert and establishing protocols to creating a cyber-aware culture at work.