skip to main content


Technology, Risk & Compliance

In an age of increasing reliance on secure information technology, information security and compliance has become more important in helping customers determine if security controls are operating as intended and how well their data and intellectual property are protected.

Sharks and Fish

Sharks and Fish

Business Email Compromise (BEC) continues to be one of the easiest means for sharks to fraud fish out of tens of thousands of dollars. Spotlighting Barbara Corcoran, real estate mogul and Shark Tank judge, we see very publicly the simplicity and effectiveness of these attacks. Anyone paying just a bit of attention will recognize the highly successful businesswoman and expect that to operate at her level requires a team of trusted individuals to help her run efficiently. By doing a bit of reconnaissance and research, an attacker determined that Barbara relied heavily upon her assistant Emily. A bit of deeper research and the attacker determined Barbara’s bookkeeper was Christine, who ultimately had the ability to wire funds. Using additional public data related to a development project in Germany that Barbara was a part of and legitimate company names associated with the project, the attacker had enough information to form a believable story to start the BEC. By registering a domain that was very similar to the one Emily used, the attacker created an invoice for $388,700.11 and created an email that appeared to send the invoice to Emily, to which the attacker then forwarded to Christine from the fake Emily account for payment. When Christine responded back via email for what project this related to and which account to apply it to, the attacker quickly referenced the development project in Germany along with the real company name associated with it. As everything appeared to be as expected, the invoice was paid via a wire transfer and the BEC was successful.

Thankfully in this case, the transfer was frozen by the German transferring bank before it was deposited in the attackers account in China. By noticing and alerting the banks quickly and a vigilant fraud department at the bank, all of the funds were returned to Barbara. In most cases, the outcome is not so positive. In the recently released FBI’s 2019 Internet Crime Report (, BEC crimes were by far the most damaging and effective type of cybercrime. 23,775 victims (who reported) accounted for $1.77 Billion in losses which averages out to $75,000 per complaint. If you compare this to the average phishing compromise of $500/complaint or $4,400/complaint for ransomware, it is evident that BEC is a lucrative crime business. According to the FBI, the last calendar year saw both the highest number of complaints and the highest dollar losses reported since the center was established in May 2000.

At UHY, we expect to see high rates of BEC and ransomware to continue this year and likely rise. These require only a bit of online research, very little to no technical skills and cost to initiate and are highly effective. The criminals will continue to pursue the exploits that are easiest and most profitable to accomplish which is currently BEC and ransomware.

What are the best practices for us fish to stay safe? As with most attacks, a layered defense approach will work best. There are no perfect solutions, and vigilance and human intuition can be the best defense. Checking bank statements every day and performing a face-to-face or, at a minimum, a voice call to an approver before any significant wire transfer takes place are two significant controls to consider. Email and texting are not safe methods of authorizing or approving transfers. Often, if you can catch the transaction within 48 hours, you have a much greater chance of recovering fraudulent transfers. Additionally, the FBI recommends the following:

  • Use digital signature on both sides of transactions
  • Immediately delete unsolicited email (spam) from unknown parties
  • Remain vigilant of sudden changes in business practices
  • Avoid free web-based email if possible
  • Establish a company website domain and use it to establish company email accounts (not using free email services)
  • Be careful what is posted to social media and company websites
  • Be suspicious of requests for secrecy or pressure to take action quickly

Further the FBI’s Internet Crime report listed the following recommendations:

  • Contact the originating financial institution as soon as fraud is recognized to request a recall or reversal as well as a Hold Harmless Letter or Letter of Indemnity.
  • File a detailed complaint with It is vital the complaint contain all required data in provided fields, including banking information.
  • Visit for updated PSAs regarding BEC trends as well as other fraud schemes targeting specific populations (real estate, pre-paid cards, W-2, etc.).
  • Never make any payment changes without verifying with the intended recipient; verify email addresses are accurate when checking mail on a cell phone or other mobile device.

Review and share these news stories and Internet Crime reports with your employees to continue awareness and vigilance. The sharks are always circling, and we need to stay aware.

Hide Firm Disclaimer


UHY LLP is a licensed independent CPA firm that performs attest services in an alternative practice structure with UHY Advisors, Inc., and its subsidiary entities. UHY Advisors, Inc.’s subsidiaries, including UHY Consulting, Inc., provide tax and business consulting services through wholly owned subsidiary entities that operate under the name of “UHY Advisors” and “UHY Consulting”. UHY Advisors, Inc., and its subsidiary entities are not licensed CPA firms. UHY LLP, UHY Advisors, Inc. and UHY Consulting are U.S. members of Urbach Hacker Young International Limited, a UK company, and form part of the international UHY network of legally independent accounting and consulting firms. “UHY” is the brand name for the UHY international network. Any services described herein are provided by UHY LLP, UHY Advisors and/or UHY Consulting (as the case may be) and not by UHY or any other member firm of UHY. Neither UHY nor any member of UHY has any liability for services provided by other members.

On this website, (i) the term "our firm", "we" and terms of similar import, denote the alternative practice structure conducted by UHY LLP and UHY Advisors, Inc. and its subsidiary entities, and (ii) the term "UHYI" denotes the UHY international network, in each case as more fully described in the preceding paragraph.