Business email compromise scams

Hear from Comerica’s Director of Fraud

How to spot impersonation scams 

Business fraud scams are on the rise, costing companies billions. Learn how to protect your organization from scams like bank impersonation, email compromise, and invoice fraud with expert insights from Comerica’s Fraud team. 

In this short video, you’ll hear practical steps to safeguard your business, such as how to spot suspicious calls, verify payment requests, and train your team to recognize red flags so you can stay ahead of fraudsters and protect what matters most. 

What is business email compromise?

Business Email Compromise (BEC) is a type of cybercrime where scammers impersonate trusted contacts to trick employees into sending money or sensitive information.

CEO impersonation
An email that looks like it’s from the CEO requests an urgent wire transfer to pay an invoice. This is unusual behavior for the CEO and should raise red flags.

Vendor payment diversion
A business with a long-standing supplier relationship is asked to send payment to a new (fraudulent) account.

Fake internal request
A supplier/vendor receives an email – that they believe is from you – asking for payment to an alternate, fraudulent account. 

Legal impersonation
A victim is contacted by a fraudster who impersonates a lawyer. The fraudster claims to be handling a confidential and time-sensitive matter and requests a transfer of funds.

W-2 or personal info theft
A compromised executive email is used to request employee W-2s or personal data from HR. This info is later used for tax fraud.

Gift card purchase scam
An employee receives a request from “management” to buy gift cards for a work event or gift. The scammer asks for the card numbers and codes to be emailed back.

How to protect yourself from becoming a victim

BEC scams rely on urgency and deception. Here’s how you can stay safe:

Slow down
Be suspicious of any request that pressures you to act quickly. Scammers often use urgency to bypass your usual caution.

Verify requests
Always confirm significant transactions or changes to payment details using a trusted method, like a phone call to a known contact.

Don’t just hit “reply”
Instead of replying to business emails, forward the message and manually enter the correct email address to avoid replying to a spoofed account.

Flag suspicious emails
For businesses, create inbox rules that flag emails sent from domains that look similar to the company email domain. For example, a detection rule protecting the legitimate domain abc-company.com would flag fraudulent email from abc_company.com.

Secure your domains
For businesses, register domain names that closely resemble your actual company domain. For example, the legitimate company that owns “abccompany.com” would also register “abc-company.com.”

Watch for unusual activity
Beware of sudden changes in customer activity or authorizations. For example, if a current business contact suddenly asks to be contacted via their personal email address when all previous official correspondence has been via company email, the request could be fraudulent. 

Limit public info
Avoid sharing sensitive business details on social media or your company website that scammers could use to craft convincing messages.
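The "Flag suspicious emails" and "Secure your domains" tips above both depend on recognizing domains that nearly match your own. The following is an added example, not Comerica's code, of how a mail filter could classify a sender's domain; the confusable-character table, the distance threshold and the sample headers are assumptions constructed for illustration.

```python
import re
from email.utils import parseaddr

# Assumption: the organization's real mail domains (the page's example name).
LEGIT_DOMAINS = {"abc-company.com"}
# Look-alike digits mapped to letters (constructed, not exhaustive).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def skeleton(domain):
    """Comparison form: lowercase, look-alikes folded, '-' and '_' dropped."""
    name = domain.lower().translate(CONFUSABLES).replace("rn", "m")
    return re.sub(r"[-_]", "", name)

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(from_header):
    """Domain of the address in a From: header value ('' if none)."""
    addr = parseaddr(from_header)[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def classify(from_header, legit=LEGIT_DOMAINS, max_distance=2):
    """Return 'internal', 'lookalike' (flag for review) or 'external'."""
    domain = sender_domain(from_header)
    if domain in legit:
        return "internal"
    for real in legit:
        # Small distances catch dropped, added or swapped characters; very
        # short domains need a lower max_distance to avoid false positives.
        if edit_distance(skeleton(domain), skeleton(real)) <= max_distance:
            return "lookalike"
    return "external"

# Constructed sample From: headers, not real messages.
SAMPLES = [
    "Pat Lee <pat@abc-company.com>",
    "Pat Lee <pat@abc_company.com>",
    "Accounts <billing@abc-cornpany.com>",
    "Newsletter <news@example.org>",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{classify(header):10} {header}")
```

The same `classify` function can be run over a list of candidate registrations to decide which near-miss domains are worth registering defensively.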

Suspect fraud? Act fast

Treasury Management customers: call 888-341-6490.
Others: contact your relationship manager or the nearest Comerica banking center. 
Suspicious email? Forward it to: ReportFraud[at]Comerica.com.

Ready to strengthen your fraud defenses?

Contact Treasury Management Relationship Services at 888-341-6490.

Helpful resources 

Review Comerica’s information on Security Awareness for Business

Review tips as detailed in the FBI’s latest Public Service Announcement on www.ic3.gov

These suggestions are for informational purposes only. These suggestions are not intended, nor should they be used as an exclusive list of potential solutions aimed at the detection and prevention of cyber-crime and related fraud risks. Comerica is not an information technology expert and is not offering specific information technology or other computer systems advice. Accordingly, you and your company should consult your own computer systems or information technology expert(s) to adequately address any and all issues relating to cyber-crime detection and prevention including, without limitation, any potential computer or systems infection.