News & Events


In a recent public service announcement, the FBI's Internet Crime Complaint Center ("IC3") states that the business email compromise (BEC)/email account compromise (EAC) scam continues to grow. BEC is a sophisticated scam targeting businesses that work with foreign suppliers and/or regularly perform wire transfer payments. EAC is a component of BEC that targets the individuals who execute wire transfer payments. The scam is carried out when a subject compromises legitimate business email accounts through social engineering (e.g., phishing) or computer intrusion techniques in order to make unauthorized transfers of funds. Victims of the BEC/EAC scam range from small businesses to large corporations. Between January 2015 and December 2016 there was a 2,370 percent increase in identified exposed losses. The scam has been reported in all 50 states and 131 countries. The domestic and international exposed dollar loss exceeds $5.3 billion. Exposed dollar loss includes actual and attempted loss in United States dollars.

The IC3 stated that businesses with an increased awareness and understanding of this scam are more likely to avoid falling victim and sending fraudulent payments. Businesses with robust internal prevention techniques have also been successful in recognizing and deflecting BEC/EAC attempts.

Suggestions for protection include: 

  • Alert employees with disbursement responsibilities to be suspicious of requests for secrecy or pressure to take action quickly.
  • Beware of sudden changes in business practices. For example, if a current business contact suddenly asks to be contacted via their personal email address when all previous official correspondence has been through company email, the request could be fraudulent. Always verify via other channels that you are still communicating with your legitimate business partner.
  • Verify changes in vendor payment location by adding a second verification step, such as a secondary sign-off by company personnel.
  • Confirm requests for transfers of funds. When using phone verification as part of two-factor authentication, use previously known numbers, not the numbers provided in the email request.

Other steps UHY suggests are:

  • ACH functions should only be performed from a hardened desktop machine with limited internet connectivity to exclude access to social media or personal email.
  • Two-factor authentication should be linked to a corporate desk phone or a hardened corporate cell phone.
  • Do not use descriptive titles that bring attention to your transaction server such as "disbursements".
  • Consider a cybersecurity risk assessment by a qualified advisor.

UHY Advisors can help assess your risk and develop the training and awareness programs you need to avoid falling victim to these scams. Contact your local UHY Advisors professional.