U.S. flag

An official website of the United States government

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock () or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

FRAUD ALERT: Business Email Compromise

Image of Fraud Alert bulletin

Fraudcast: Interview with Jason Abend, Assistant Inspector General for Investigations (transcript)

Fraud Alert

The U.S. Environmental Protection Agency Office of Inspector General is issuing a fraud alert to highlight an increasingly common and costly form of cybercrime known as business email compromise, or BEC. In this sophisticated scam, criminals are using fraudulent emails that appear to come from known and trusted sources to access to company email accounts and target organizations that make or receive financial transactions. These emails may originate from lookalike, or spoofed, email accounts or legitimate email accounts compromised through phishing campaigns. Using information obtained from successful phishing campaigns to impersonate a representative of the trusted entity, the criminals deceive personnel into transferring funds or sensitive information under the guise of a legitimate business request.

Using an email address that looks nearly identical to one that their victims are familiar with, scammers request changes to bank account information for invoices or other financial transactions. Scammers may take time to groom their victim, building trust and rapport, or they may try to pressure their victims into providing information quickly by claiming that the transaction is critical and time sensitive. In some cases, they may send a message with links or attachments containing malware that, when opened, give criminals access to sensitive information.

How can you protect your organization from BEC?

  • Create organizational policies for receiving new payment instructions, including a multistep process to verify new payment instructions. 
  • Employ email security systems that can detect phishing attempts, domain spoofing, and other cyber threats, and use two-factor authentication to combat account compromise.
  • Train staff regularly on cybersecurity best practices and how to recognize phishing emails and require them to report phishing attempts—even seemingly minor ones.

If you suspect that your organization has fallen victim to a BEC scheme, you should immediately notify your IT department and financial institution. 

If the BEC relates to a program or operation of the EPA or U.S. Chemical Safety and Hazard Investigation Board, report the incident to the EPA Office of Inspector General Hotline at OIG.Hotline@epa.gov.