Impersonation Attack Awareness

What you should know to prevent Business Email Compromise (BEC).

What is Imposter Fraud?

Imposter fraud occurs when a criminal (typically using email) pretends to be from a place you trust (e.g., vendor, business partner, etc.) and tricks you into sending them money and/or revealing personal information. This type of attack can take many forms, but recently businesses and their employees have been especially targeted.


What specifically are the cyber-criminals doing?

One common scam is called Business Email Compromise (BEC) or Business Email Impersonation, which uses email to trick customers. The BEC scam is so effective that the FBI estimates that over $12 billion has been stolen from legitimate businesses over email.*


How does the BEC scam work?

The scam typically begins one of two ways:

1) You could get a “spoofed” email, which is an email that appears to come from someone you trust, but is actually from a completely fake email account.

2) You could get an email from a hacked account of a company executive, business partner, or a trusted vendor/supplier. In both emails, the criminal asks you for something you may be able to assist with like sending an urgent payment or updating account information for a transaction. Similar scams have also been seen using SMS (text) messaging in addition to email.


What are some common red flags that might suggest an email scam?

  • A vendor/trusted business partner claims to change their bank and needs payment ASAP
  • An urgent email from the CEO about a late payment with new or updated wire/ACH instructions
  • A supplier asks for payment for a service rendered and gives account information that is different from what you have on file


What happens if I accidently make a payment to the cyber-criminal?

Sadly, People’s United Bank has little or no chance at recovering the funds once the transaction is made, because typically the criminal immediately moves the funds to a different account. In addition, since you are an “authorized” individual who can make these payments, it almost impossible for us to be alerted that your transaction is resulted from a scam.


How can I avoid becoming a victim of BEC scams?

  • Verify every request to transfer money or change payment instructions
  • Validate the payment instructions or account information in the email by calling the person, vendor, or business using a phone number you have on record
    • Don’t reply to the original email to verify the request as it may be the cyber-criminal
    • If the request is from your CEO or other company leader—Call them or their admin assistant first to validate the request
  • Require a second person to validate every payment
    • Develop a protocol so that two individuals on separate computers initiate and/or approve any transfer or change to payment instructions to create a safety net
  • Review carefully every email requesting a transaction or change to payment instruction
    • Look for signs of fraud (e.g., strange email address, odd wording, misspelling/bad grammar, urgent requests, etc.)
  • Establish a company-wide procedure for processing transactions and changes to payment instructions.
    • Prevent confusion and help prevent this scam with easy-to-follow steps for verifying every payment request
  • Protect your email and computers
    • Use Multi-Factor Authentication for all remote access points into your company systems that are accessible over the internet including those for email and MS Office applications
    • Utilize an email security solution that has the capability to detect/block impersonation scams like BEC
    • Work with IT staff or service providers to ensure that your email system is configured securely
  • Train your employees
    • Ensure your employees know about the procedures to defend against scams
    • Employees should receive regular security training to detect and respond to threats


Where can I get more information?

For more information about this scam and ways to protect your business, please visit:

*www.ic3.gov/media/2018/180712.aspx

www.ftc.gov/tips-advice/business-center/small-businesses/cybersecurity

www.ftc.gov/system/files/attachments/business-email-imposters/cybersecurity_sb_business-email-imposters.pdf

Suspicious message?

People's United Bank will never send unsolicited emails asking customers to provide, verify, or update Passwords, PINs, or Account information such as Social Security number, Account Number, Credit Card Number, or other personal information. If you receive a suspicious email that appears to be from People’s United Bank, please forward it to abuse@peoples.com.

Reporting fraud

If you suspect you are a victim of a of a BEC scam, please contact Treasury Management Services immediately at 800-525-9248 (Mon-Fri, 8am-5:30pm).





If you are a victim of identity theft

Contact People's United Bank at
1-800-894-0300 or online, if you feel your People's United accounts have been affected.




© 2019 People's United Bank, N.A.