It can take generations of hard work, sound investments, and discipline to accumulate family wealth. It can take just moments to compromise it.

Business email compromise (BEC) is a growing threat to U.S. businesses, including family offices. Through the end of 2023, there were more than 158,000 victims of BEC scams in the U.S., with more than $20 billion in losses, according to the FBI.

BEC is a scam that targets business customers by attempting to mimic legitimate communication from an executive, employee, customer, or another trusted individual. A scammer may solicit payment or seek credentials such as account numbers or login data through a fraudulent email that appears to have a legitimate purpose.  

“Family offices can be particularly vulnerable to business email compromise because wealthy families make attractive targets and often have an abundance of identifiable information in public record,” said Joe Quinan, head of Family Office Services at PNC Private Bank Hawthorn®. “That creates more of an opportunity for identity theft or imitation by bad actors.”

BEC can take many forms. Emails received may impersonate important individuals in the family or the family office; mimic a trusted vendor; use known branded templates; or simply create urgency or an emergency situation in an attempt to gain access to funds. BEC scams can be similar to other email phishing schemes, but they often appear more sophisticated and target individuals in an organization who have access or authority to move money. While they may not always follow the standard email phishing playbook, there are some common tactics that you can look for to identify BEC attempts:

  • Pay attention to small details – BEC scammers work to appear more buttoned-up than standard email phishing schemes that may be rife with misspellings, formatting errors, or junk email addresses, but it’s still important to look carefully at requests that come in by email to make sure they are actually from a trusted sender. Verify email addresses and look for inaccuracies or inconsistencies in tone that could indicate an email from outside your trusted circle.
  • Be wary of attachments – Avoiding suspect links is phishing prevention 101, but BEC scams will likely attempt to mimic more legitimate invoices, receipts, contracts, or other forms and templates that your business handles routinely. Give proper scrutiny to all attachments and verify them with a trusted sender before acting on them. 
  • Evaluate urgency – Often bad actors will request an urgent payment or craft an emergency demand in hopes you will make an impulse decision to pay. Take a step back or ask for a second opinion before making a rush decision based on an email request.      
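The three checks above can also be applied mechanically as a first-pass triage before a human reviews a payment request. The following is an added example, not part of the original article: the trusted-domain list, urgency terms, flag names, and sample message are all constructed assumptions, and the Reply-To comparison extends "verify email addresses" to one more header.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this example: the office's known-good sender domains and a short urgency list.
TRUSTED_DOMAINS = {"examplefamilyoffice.test", "trustedvendor.test"}
URGENCY_TERMS = ("urgent", "emergency", "immediately", "asap")
# Constructed sample message (not real mail).
SAMPLE = """\
From: "Pat Example" <pat@examp1efamilyoffice.test>
Reply-To: pat.example@mailbox.invalid
Subject: Urgent wire needed today

Please process this payment immediately.
"""

def domain_of(header_value):  # lower-cased domain of a From/Reply-To address, or ''
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def edit_distance(a, b):  # Levenshtein distance, to spot near-miss spellings of trusted domains
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_flags(raw_message):
    """Return the review flags raised by one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    flags, text, has_attachment = [], (msg["Subject"] or "").lower(), False
    sender = domain_of(msg["From"])
    if sender not in TRUSTED_DOMAINS:
        near = any(edit_distance(sender, d) <= 2 for d in TRUSTED_DOMAINS)
        flags.append("lookalike-domain" if near else "unknown-sender")
    reply_to = domain_of(msg["Reply-To"])
    if reply_to and reply_to != sender:  # replies would go somewhere other than the sender
        flags.append("reply-to-mismatch")
    for part in msg.walk():
        if part.get_filename():
            has_attachment = True
        elif part.get_content_type() == "text/plain":
            text += " " + (part.get_payload(decode=True) or b"").decode("utf-8", "replace").lower()
    if any(term in text for term in URGENCY_TERMS):
        flags.append("urgency")
    if has_attachment and sender not in TRUSTED_DOMAINS:
        flags.append("attachment")  # verify with the real sender before opening or paying
    return flags
```

A flag is a prompt to verify through a known channel, not a verdict; a message from a compromised trusted account would raise none of the address flags.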

“BEC scams can be hard to spot because they are generally designed to be more sophisticated and often are well-researched by those who perpetrate them,” said Debbie Guild, head of Technology at PNC. “Being vigilant to identify BEC is important but preventing it through preparation is even more critical.”

BEC is frequently the result of extensive preparation, research, and social engineering on the part of scammers. It should be part of your preparation as a family office as well. So, what steps should be taken?

  • Plan – Preventing loss from BEC is not a reactive measure. Make a plan for how employees and members of the family will identify, react, and escalate attempted scams. Encourage everyone at all levels to communicate openly and raise concerns when they arise.
  • Educate – Take time to educate both family members and employees of the family office on what BEC is and the hallmark signs of a scam. Make sure everyone is on board with established protocol for communication, money management decisions, and how the family office operates so they are better equipped to spot unusual activity. Continued education and training for all members of the family and family office is a necessity as threats and tactics evolve.
  • Invest – Invest in strong email security measures that can help identify and quarantine malicious emails; ensure secure passwords and multi-factor authentication to access accounts; and monitor for data breaches that could compromise email accounts or other personal information. Additionally, encourage security measures for personal devices that may be used to transact business on behalf of the office. But staying a step ahead is never a one-and-done proposition. Continued review and investment in digital security measures is necessary to stay ahead of fraudsters.
  • Evaluate – BEC prevention is a continuous process. As bad actors develop new methods, so should you evaluate how your family office is preventing and protecting against them. Communicate with employees of the office as well as family members to determine what components of your prevention program are working and what may need adjusting.
  • Consider – Research and consider whether separate cybersecurity insurance may be beneficial for your family office. Cyber liability insurance can help protect against lost funds and the costs of recovering data that may be lost as part of a cyber breach.

“Business email compromise can have devastating consequences for high-net-worth families, and unfortunately, these families will continue to be targeted by bad actors, who will continue to evolve their techniques and sophistication,” Quinan said. “It is crucial to stay vigilant and prepared so you can protect your family and your wealth for generations to come.”

Additional Reading: Reporting Business Email Compromise