Protecting your Brex account


Overview

We want to do everything we can to help you keep your account and business information safe. There are different tactics that bad actors might try using to gain access to your account. Being aware of them can help prevent unauthorized activity. This guide explains possible types of fraud and tips for protecting yourself and your company.


General security tips

Our multi-pronged approach to security at Brex significantly reduces the risk of a successful attack. Even so, it’s important that we remain vigilant together. To help protect your account, please follow these best practices:

  • Go to brex.com or dashboard.brex.com directly to access your account: Scammers may buy ads and build websites that appear in search results and look like Brex, to trick you into entering your credentials. Avoid malicious search results by typing the address yourself or by bookmarking brex.com in your browser.
  • Be suspicious of any email, text message, or call that requests your personal or account information: Please do not click any unsolicited links or open any attachments. Brex will only ask you to open a link sent by email to verify your device when signing in from a different device, or after clearing your browser cookies.
  • Make sure your devices and applications are up-to-date: Software updates often include the latest security features to protect your device.
  • Monitor your account for fraudulent activity: If you suspect that someone has gained unauthorized access to your Brex account, please change your Brex password immediately. Create a password that has not been used on any other account.
  • Use 2FA: Brex requires two-factor authentication (2FA) for secure sign-in. Brex will never ask you to bypass 2FA or require you to install a browser extension to sign in.
  • Report any possible scam, such as a fake Brex website or ad: Reporting fraud is essential for preventing and addressing cybersecurity attacks.

If you run into any security concerns related to the tips above, or if you think your account’s security may have been breached, please contact Brex Support immediately.


Account takeover

Account Takeover (ATO) fraud is a type of identity theft where a malicious third party “takes over” an online account such as bank accounts, social media profiles, or email addresses. ATO takes advantage of users’ vulnerabilities, such as reusing passwords and falling victim to phishing scams. The foundation for a successful account takeover is access to a user’s account credentials. Here’s how attackers usually compromise legitimate accounts:

  • Brute-force and password-guessing attacks: An automated script tries many passwords against one account (classic brute force), a few common passwords against many accounts (password spraying, which stays under per-account lockout thresholds), or username/password pairs leaked from other sites’ breaches (credential stuffing, which works whenever a password has been reused).
  • Phishing: Credential phishing remains a highly effective way to get a user’s password. Without barriers like multi-factor authentication (MFA), stolen credentials lead to compromised accounts.
  • Malware attacks: Keyloggers, stealers, and other forms of malware can expose user credentials, giving attackers control of users’ accounts.
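The three guessing patterns above leave different fingerprints in sign-in logs, and a defender can classify them by counting failures per source and per account. The script below is an added example, not Brex code: it runs over a constructed auth log in an assumed four-field format (timestamp, source IP, username, outcome) and reports, per source IP, whether the failures look like one account being hammered (brute force) or many accounts being tried once or twice each (spraying or stuffing), together with any account that later signed in from the same source, which is the takeover to investigate first. Spraying and stuffing cannot be told apart without knowing whether the same password was reused across the attempts, which this log (like most) does not record, so they share one verdict.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log (not real data). Assumed line format:
#   <ISO-8601 timestamp> <source IP> <username> <FAIL|OK>
SAMPLE_LOG = """\
2024-03-01T09:00:01 198.51.100.7 alice FAIL
2024-03-01T09:00:02 198.51.100.7 alice FAIL
2024-03-01T09:00:04 198.51.100.7 alice FAIL
2024-03-01T09:00:05 198.51.100.7 alice FAIL
2024-03-01T09:00:07 198.51.100.7 alice FAIL
2024-03-01T09:00:09 198.51.100.7 alice FAIL
2024-03-01T09:10:00 203.0.113.9 u01 FAIL
2024-03-01T09:10:05 203.0.113.9 u02 FAIL
2024-03-01T09:10:10 203.0.113.9 u03 FAIL
2024-03-01T09:10:15 203.0.113.9 u04 FAIL
2024-03-01T09:10:20 203.0.113.9 u05 FAIL
2024-03-01T09:10:25 203.0.113.9 u06 FAIL
2024-03-01T09:10:30 203.0.113.9 u07 FAIL
2024-03-01T09:10:35 203.0.113.9 u08 FAIL
2024-03-01T09:10:40 203.0.113.9 u09 FAIL
2024-03-01T09:10:45 203.0.113.9 u10 FAIL
2024-03-01T09:10:50 203.0.113.9 u11 FAIL
2024-03-01T09:10:55 203.0.113.9 u12 OK
2024-03-01T09:20:00 192.0.2.5 bob FAIL
2024-03-01T09:20:30 192.0.2.5 bob OK
"""

SEVERITY = {"normal": 0, "spray_or_stuffing": 1, "brute_force": 2}


def parse_log(text):
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, outcome = line.split()
            events.append((datetime.fromisoformat(ts), ip, user, outcome))
    return events


def analyze(text, window_min=15, brute_threshold=5, spray_users=10, spray_per_user=2):
    """Per source IP: the worst pattern seen in any time window, how many distinct
    usernames it failed against, total failures, and users that logged in from it."""
    fails = defaultdict(lambda: defaultdict(int))  # (ip, window start) -> user -> failures
    successes = defaultdict(set)                   # ip -> users with a successful login
    for ts, ip, user, outcome in parse_log(text):
        if outcome == "OK":
            successes[ip].add(user)
            continue
        window = ts.replace(minute=ts.minute - ts.minute % window_min, second=0, microsecond=0)
        fails[(ip, window)][user] += 1

    report = {}
    for (ip, _window), per_user in fails.items():
        worst = max(per_user.values())
        if worst >= brute_threshold:
            verdict = "brute_force"            # many guesses against one account
        elif len(per_user) >= spray_users and worst <= spray_per_user:
            verdict = "spray_or_stuffing"      # one or two guesses each, across many accounts
        else:
            verdict = "normal"
        entry = report.setdefault(ip, {"verdict": "normal", "users": set(), "failures": 0})
        if SEVERITY[verdict] > SEVERITY[entry["verdict"]]:
            entry["verdict"] = verdict
        entry["users"].update(per_user)
        entry["failures"] += sum(per_user.values())

    for ip, entry in report.items():
        entry["distinct_users"] = len(entry.pop("users"))
        # A success from a source that was spraying or stuffing is the takeover to chase.
        entry["succeeded"] = sorted(successes.get(ip, ()))
    return report


if __name__ == "__main__":
    for ip, entry in analyze(SAMPLE_LOG).items():
        print(ip, entry)
```

The thresholds are assumptions to tune against your own baseline: a shared office NAT address legitimately produces many distinct users, so pair the source-IP view with a per-account view and with the identity provider’s own risk signals before locking anything.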

Protect yourself against account takeover

We take the protection of your Brex account data seriously. However, because account takeovers usually start outside Brex’s systems (in your email, on your devices, or elsewhere on the internet), there are precautions on your end that we recommend you take to prevent unauthorized activity, in your Brex account and wherever else your business data is stored or in use.

  • Unique sign-in credentials
    • Create unique, complex passwords. If possible, use a password manager to make it easy.
    • Check whether your credentials have already been exposed using a service like haveibeenpwned.com, which lets you search known data breaches for your email address or password. ATO attacks rely heavily on credential reuse, especially of passwords exposed in third-party data breaches.
    • Change your password if you suspect fraudulent behavior may have occurred.
  • Employee education
    • Ensure employees are trained to recognize and report suspicious emails and phishing attempts.
    • Enforce strong password habits.
  • Protect your online environment
    • Keep software up-to-date.
    • Make sure all systems are secured, especially cloud-based and internet-facing systems.
    • Have employees use VPNs.
    • Implement MFA systems.
  • Be vigilant
    • Pay attention to suspicious activity and report it quickly.
    • Work with your internal security team to employ hardware and software monitoring tools.
    • Implement continuous password monitoring for exposed credentials to enforce password hygiene and mitigate threats as they arise.
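The breach-lookup and continuous-monitoring advice above can be automated without ever sending a password, or even its full hash, to a third party. The block below is an added example (not Brex code) of the k-anonymity scheme used by the Pwned Passwords range API at api.pwnedpasswords.com: only the first five hex characters of the SHA-1 hash are sent, the service returns every leaked hash suffix sharing that prefix, and the comparison happens locally. The fetcher is injectable so the logic can run offline here against a constructed response; `live_fetch_range` is the real call. The counts in the constructed response are made up, and `acceptable` is an assumed policy gate, not Brex’s password policy.

```python
import hashlib
from urllib.request import Request, urlopen

# Pwned Passwords range API: GET https://api.pwnedpasswords.com/range/<first 5 hex of SHA-1>
# returns lines "<remaining 35 hex>:<count>". Only the 5-char prefix leaves the machine,
# so the service never learns which password (or full hash) is being checked.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def hash_parts(password):
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def pwned_count(password, fetch_range):
    """How many times `password` appears in the corpus (0 if never).
    `fetch_range(prefix)` returns the API body for that prefix; inject a live or offline one."""
    prefix, suffix = hash_parts(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        # With Add-Padding the API mixes in dummy rows whose count is 0; those are ignored.
        if candidate.upper() == suffix and count.strip().isdigit() and int(count) > 0:
            return int(count)
    return 0


def live_fetch_range(prefix):
    """Real API call (needs network). Add-Padding hides the true row count from observers."""
    req = Request(RANGE_URL + prefix,
                  headers={"Add-Padding": "true", "User-Agent": "pw-check-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline stand-in for one prefix; the counts are invented, not HIBP's.
_PREFIX, _SUFFIX = hash_parts("password")
FAKE_RANGES = {
    _PREFIX: "\r\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:1",
        f"{_SUFFIX}:3730471",                      # the row for sha1("password")
        "1E4C9B93F3F0682250B6CF8331B7EE68FFF:0",   # padding row, must be ignored
    ]),
}


def fake_fetch_range(prefix):
    return FAKE_RANGES.get(prefix, "")


def acceptable(password, fetch_range=fake_fetch_range, min_length=12):
    """Assumed policy gate: reject short passwords and anything seen in a breach."""
    return len(password) >= min_length and pwned_count(password, fetch_range) == 0
```

Run the same check on a schedule against stored password hashes only if you hold the plaintext at enrollment time (the lookup needs SHA-1 of the password itself); otherwise run it at sign-in and at password change, and treat any non-zero count as a forced reset.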

Email fraud

Business Email Compromise (BEC) is a type of scam in which an attacker uses email to defraud a business. Sometimes the attacker has actually taken control of a real mailbox; often they only impersonate one from a spoofed or lookalike address. Either way, the message appears to come from someone the recipient would know or trust, like a boss, coworker, or vendor, and asks the recipient to make a wire transfer, divert payroll, change banking information for future payments, provide personally identifiable information, or send wage/tax forms. Fraudsters use a variety of impersonation techniques, such as creating copycat websites that appear legitimate but actually belong to the attacker. They usually provide an attachment or link for the recipient to open. In some BEC attacks, opening it installs malware on the recipient’s computer, which then gives the attacker access to that computer.

Protect yourself against BEC

  • Be aware of unusual, out-of-pattern, or urgent requests by trusted employees or vendors. If it doesn’t feel right, it probably isn’t.
  • Avoid clicking on any links or attachments in a suspicious email or text message, especially if it indicates you will be locked out of an account or prevented from using services if you don’t take action.
  • Reach out to the sender via other means such as a phone call or video chat in order to verify whether they actually sent the request. Do not try to verify the email by using any of the contact information contained in the email.
  • Review the sender’s address and the “reply-to” address for inconsistencies. The From address may be spoofed outright, or may use a lookalike (typo-squatted, also known as URL hijacking) domain with an extra or swapped letter, such as an added “S”, “O”, or “T” in the company name; and the Reply-To may point to an address the attacker controls even when the From line looks right, so that your answer goes to them.
  • Set up MFA on any account that allows you to do so and avoid using easily identifiable information, such as answers to security questions. Always use unique passwords for each of your accounts, which is easy to accomplish by using a password manager.
  • Purchase and utilize anti-virus software from a reputable software provider.
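The header checks in the list above are mechanical enough to automate at the mail gateway or in a triage script. The code below is an added example, not Brex’s or any vendor’s tooling: it parses a raw message with Python’s standard `email` package and flags a Reply-To whose domain differs from the sender’s, a sender domain within a small edit distance of a domain on an assumed allow-list (the “extra letter” lookalike), and a display name that shows a trusted address while the real address is something else. Both messages and the allow-list are constructed for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed allow-list of domains you actually do business with (example values).
TRUSTED_DOMAINS = {"acme-supply.com", "example.com"}

# Constructed messages, not real mail.
SUSPICIOUS = """\
From: "ap@acme-supply.com" <dana.lee@acme-supplys.com>
Reply-To: dana.lee.acme@mail-example.net
To: payments@example.com
Subject: URGENT: updated remittance details before today's payment run

Please send this month's payment to our new account, details attached.
"""

CLEAN = """\
From: "Dana Lee" <dana.lee@acme-supply.com>
To: payments@example.com
Subject: Invoice for March

Attached as usual.
"""


def levenshtein(a, b):
    """Edit distance between two strings (small enough to inline; no dependency)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def check_headers(raw, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return human-readable findings; an empty list means the headers look consistent."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    sender_domain, reply_domain = domain_of(from_addr), domain_of(reply_addr)
    findings = []

    # 1. Reply-To pointing somewhere other than the sender's own domain.
    if reply_domain and reply_domain != sender_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from sender domain {sender_domain}")

    # 2. Sender domain that is almost, but not quite, one we trust.
    if sender_domain and sender_domain not in trusted:
        for t in sorted(trusted):
            if levenshtein(sender_domain, t) <= max_distance:
                findings.append(f"sender domain {sender_domain} is a lookalike of trusted {t}")

    # 3. Display name carrying a trusted address while the real address differs.
    name = from_name.lower()
    for t in sorted(trusted):
        if t in name and sender_domain != t:
            findings.append(f"display name shows {t} but the real address is {from_addr}")
    return findings


if __name__ == "__main__":
    for finding in check_headers(SUSPICIOUS):
        print("-", finding)
```

Treat findings as a reason to verify out of band, exactly as the list above says, not as proof of fraud: a vendor that outsources invoicing can legitimately set a Reply-To on a third-party domain, which is why the script reports rather than quarantines.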

Report suspicious emails

Brex staff will never ask you for your password nor will you ever need to provide your password or 2FA code anywhere except on the Brex sign-in pages (https://dashboard.brex.com and https://accounts.brex.com). The only code our support team will ever ask you for is a six-digit identity verification code. If you identify a suspicious email that appears to come from Brex, avoid clicking on any of the links or downloading any attachments. Instead, please contact Brex Support. If you’ve sent funds to a destination you believe may be fraudulent, immediately:

  • Contact your financial institution to report a fraudulent transfer and follow their instructions.
  • Contact your local law enforcement and file a police report.
  • File a complaint with the FBI’s Internet Crime Complaint Center.


Protect your Brex card

At Brex, we're regularly investing in security measures to better protect you and your card. To help us do this, please follow these best practices.

  • Do not share your card details.
    • Do not share your card details through a live channel (chat, email, or phone), even with Brex Support. Although we do everything we can to secure our systems, we cannot guarantee that your computer and network are secure.
  • Check out securely.
    • When making purchases, check that the address bar shows https:// and the domain you expect. HTTPS only means the connection to that site is encrypted in transit; a fraudulent site can use it too, so only enter your card number at checkout on sites you trust.
  • Stay aware of scams.
    • Bad actors may try to gain access to sensitive information by posing as reputable sources. Never send your card number over email or other messaging platforms.
  • Monitor your transactions.
    • Regularly review your transaction history to ensure all payments are expected and legitimate. If you suspect that someone has gained unauthorized access to your account, please change your Brex password immediately and contact Brex Support.
  • Dispute fraudulent transactions.
    • If you’re anticipating an unwanted charge coming through on your Brex card, you won’t be able to block it, but you do have other options. If you suspect that the charge might be attempted fraud, or a merchant is continuing to charge your card without your consent, please read about submitting a dispute.

Security issues

Brex values the trust our customers place in us. Protecting your information through the security and integrity of our systems, infrastructure, applications, and data is our priority. If you believe you have discovered a vulnerability in our systems or applications, we ask that you please disclose it to us in a responsible manner using the form below. All reports will be subject to our disclosure policy. By submitting the form, you acknowledge you have read, understood, and agreed to abide by the guidelines described in the disclosure policy. Brex will not take legal action against researchers who discover and report vulnerabilities in good faith and that adhere to this disclosure policy, and will work with you to validate the suspected vulnerability. You can learn more and file a disclosure on our responsible disclosures page.


Card testing attacks

A card testing attack begins with bad actors rapidly testing thousands of potential card credentials. They use bots or scripts that cycle through hundreds or thousands of card numbers against an ecommerce site’s checkout, typically with low-value purchases that draw little attention. The objective is to quickly identify a valid card and/or fill in a card’s missing security elements, such as the expiry date or CVV. This type of fraud is common across the entire credit card industry and does not necessarily mean that your card number has been compromised. Requiring the expiry date and CVV can block a charge when the attacker has only the card number; unfortunately, processors and merchants do not always enforce these checks. Security is of utmost importance at Brex and we take strong measures to protect your account, including:

  • Fraud alert notifications
  • Automatic card locking in response to suspicious activity
  • Working with major issuing banks to share learnings and implement industry-leading responses
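The merchant-side controls the paragraph above says are often missing are not hard to build. The block below is an added example, not Brex’s or any processor’s code: a pre-authorization gate that refuses to call the processor without a CVV and an unexpired date, and that stops a source after it has presented more than a few distinct card numbers in a short window, which is the signature of a card-testing run. Card numbers are stored only as keyed hashes. The simulated attack, the key, the thresholds and the 10-minute window are all constructed assumptions.

```python
import hmac
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Placeholder only: in production the fingerprint key comes from a secrets manager.
FINGERPRINT_KEY = b"replace-with-a-managed-secret"


def luhn_valid(pan):
    """Luhn check-digit test. Attackers generate Luhn-valid numbers, so this only
    filters garbage; it is not a fraud control on its own."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12 or len(digits) != len(pan):
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def with_check_digit(partial):
    """Append the Luhn check digit; used here only to build constructed sample PANs."""
    return next(partial + str(d) for d in range(10) if luhn_valid(partial + str(d)))


class CheckoutGate:
    """Checks a merchant can run before sending an authorization to the processor:
    1. refuse without a CVV and an unexpired date (the 'missing security elements');
    2. refuse once one source has presented more than `max_cards` distinct card
       numbers inside `window` (the card-testing signature)."""

    def __init__(self, max_cards=3, window=timedelta(minutes=10)):
        self.max_cards = max_cards
        self.window = window
        self.seen = defaultdict(deque)  # source -> deque of (time, card fingerprint)

    def evaluate(self, source, pan, cvv, exp_month, exp_year, now):
        if not luhn_valid(pan):
            return "reject:invalid_pan"
        if not (cvv.isdigit() and len(cvv) in (3, 4)):
            return "reject:cvv_required"
        if (exp_year, exp_month) < (now.year, now.month):
            return "reject:expired"
        # Keyed hash so the velocity table never holds raw card numbers.
        fp = hmac.new(FINGERPRINT_KEY, pan.encode(), "sha256").hexdigest()[:16]
        history = self.seen[source]
        while history and now - history[0][0] > self.window:
            history.popleft()
        history.append((now, fp))
        if len({f for _, f in history}) > self.max_cards:
            return "reject:velocity"
        return "authorize"


def simulate(attempts=20, source="198.51.100.7"):
    """Constructed attack: one source cycles through `attempts` different Luhn-valid
    PANs with a plausible CVV and expiry, one second apart."""
    gate = CheckoutGate()
    t0 = datetime(2024, 3, 1, 12, 0, 0)
    return [gate.evaluate(source, with_check_digit(f"400000{i:09d}"), "123", 12, 2030,
                          t0 + timedelta(seconds=i)) for i in range(attempts)]


def edge_cases():
    """Single-call checks on constructed inputs: a customer retrying one card is not
    velocity; missing CVV, an expired date and a corrupted PAN never reach the processor."""
    gate = CheckoutGate()
    now = datetime(2024, 3, 1, 12, 0, 0)
    pan = with_check_digit("400000000000001")
    retries = [gate.evaluate("192.0.2.5", pan, "123", 12, 2030, now + timedelta(seconds=i))
               for i in range(5)]
    return {
        "same_card_retried": retries,
        "missing_cvv": gate.evaluate("192.0.2.5", pan, "", 12, 2030, now),
        "expired": gate.evaluate("192.0.2.5", pan, "123", 2, 2024, now),
        "bad_pan": gate.evaluate("192.0.2.5", pan[:-1] + str((int(pan[-1]) + 1) % 10),
                                 "123", 12, 2030, now),
    }


if __name__ == "__main__":
    print(simulate())
    print(edge_cases())
```

Rejecting before the authorization call matters twice over: it keeps the attacker from learning which numbers are live, and it keeps the merchant’s decline rate with the processor from climbing into the range that triggers fees or account review.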

If you see unauthorized charges, please file a dispute. You can also chat with our support team by clicking Support at the top right of your dashboard.
