How to recognize a business email compromise scam


So that’s the first step: keep your emotions in check. Yes, this can be difficult if you work in a demanding field. But it’s your best first line of defense, and your employer will thank you for it (or, at least, they should).

Always verify with another channel

Now that you’re doubting the legitimacy of the urgent request, check to make sure the email is coming from the person it claims to be. The best way to do this is to ask – just be careful.

“If you receive an email like this, it’s important to pick up the phone and call a number you know is legitimate,” Larson says, adding a warning. “Don’t trust the phone number in the email — it will belong to the person making the threat.”

This is an important point: any contact information in an email is likely to have been tampered with, and sometimes this is done cunningly. Use a phone number already saved in your phone for the person in question, or look up the phone number on an official website or in an official company directory. This applies even if the number in the email seems legitimate, as some scammers will take the trouble of getting a phone number similar to the phone number of the person they are impersonating, in the hope that you will call that number instead of the real one.

“I’ve seen phone numbers with two digits different from the actual phone number,” Tokazowski says.

Call the person who sent you the email — using a number you’re 100 percent sure is real — and confirm the request is authentic. You can also use another secure communication channel like Slack or Microsoft Teams, or, if they’re in the office, ask them face-to-face. The point is to confirm any urgent requests somewhere outside of the initial email. And even if the person is your boss or another bigwig, don’t worry about wasting their time.

“The person being pseudonymized would rather take the time to verify it than lose thousands or millions of dollars in a malicious transaction,” Larson says.

Check the email address

Contacting the alleged sender isn’t always an option. If not, there are a few tricks you can use to figure out if an email is real or fake. First: Check the email address and make sure it’s from the company’s domain.

“Always check the domains you’re receiving emails from,” says Larson. Sometimes it will be obvious; for example, your CEO probably isn’t emailing you from a Gmail account. Sometimes it will be more subtle — fraudsters purchase domains that look similar to the company they’re attempting to defraud, all in the hopes of appearing legitimate.

It’s also worth checking to see if the email signature matches the address the email is coming from. “If you look in the footer, they’ll use the company’s actual domain to make it look legitimate, but it won’t match the email address,” says Larson. Just keep in mind that the difference can be subtle. “Lookalike domains are very common: someone will make a slight change to make it look legitimate, like ‘l’ instead of ‘i’.” If you’re suspicious, one way to test it is to copy the domain half of the address and paste it into a browser. If no website comes up, the address is probably fake. The reverse is not proof, though: a lookalike domain can host a convincing site too, so a working website alone does not make the sender legitimate.
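As an added example, not code from the article or from the experts it quotes: a small Python checker that applies the two tests above to one message. It compares the sender's domain against the company's real domain (assumed here to be example.com), flags look-alike spellings such as "1" for "l" or "rn" for "m", and flags a footer that names the real domain when the From address does not. The confusable list and the sample message are constructed for the example.

```python
import re
from email.utils import parseaddr

# Character swaps that look alike to a hurried reader (constructed list, not exhaustive).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("i", "l"), ("0", "o")]
DOMAIN_RE = re.compile(r"\b(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})\b", re.I)

# Constructed sample: display name and footer look right, but the From domain swaps 'l' for '1'.
SAMPLE_FROM = "Jane Doe <jane.doe@examp1e.com>"
SAMPLE_BODY = "Please wire the funds today.\n--\nJane Doe, CEO, Example Corp\nwww.example.com"


def skeleton(domain: str) -> str:
    """Collapse look-alike characters so 'examp1e.com' and 'example.com' compare equal."""
    s = domain.lower()
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one-character slips such as 'examplle.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Domain of the real sender address; the display name is attacker-chosen, so ignore it."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def body_domains(body: str) -> set:
    """Every domain mentioned in the message body, e.g. in the signature footer."""
    return {m.lower() for m in DOMAIN_RE.findall(body)}


def classify(from_header: str, body: str, trusted: str) -> str:
    """Return 'trusted', 'lookalike', 'mismatch' or 'external' for one message."""
    dom = sender_domain(from_header)
    if dom == trusted:
        return "trusted"
    if skeleton(dom) == skeleton(trusted) or edit_distance(dom, trusted) <= 1:
        return "lookalike"  # registered to resemble the real domain
    if trusted in body_domains(body):
        return "mismatch"   # footer names the real company, From address does not
    return "external"       # some other organisation; judge it on its own merits
```

A "lookalike" or "mismatch" result is exactly the case where the article says to stop and verify through a channel you already trust.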

