Business e-mail compromise

Business e-mail compromise (BEC) is a scam where criminals literally ‘steal money by asking for it’.

It is a type of scam where an attacker hacks into a corporate e-mail account and impersonates the genuine owner to defraud the company, its customers, partners, and/or employees by requesting them to send money or sensitive data to the attacker's account.

Criminals may also use email spoofing: the attacker creates and uses an email address that is almost identical to that of a target organisation, to trick the recipient into thinking that an email containing a payment instruction is from the usual authoriser.

There are three main variants of BEC scams:

The fake invoice scheme:

This scenario usually involves a criminal sending a false invoice to a victim, purporting it to be from an organisation the victim is very familiar with. The email requests that the victim make a payment of a specific amount and supplies the bank account details to be used. At a glance, and without scrutiny of the sender's email address, it seems genuine, and the payment could be made without hesitation.

CEO fraud

This scenario involves the hacking or spoofing of an email address belonging to an executive in the company. It usually targets specific employees who are authorised to transfer funds or make payments. The email requests that the individual perform various purchases, transfers and other financial transactions, and it appears authentic and does not raise any suspicion.

Account compromise

This scenario involves the attackers hacking an executive's or employee's email account and sending invoices and requests for payment to vendors and other contacts of the victim. These payments are directed to fraudulent bank accounts supplied in the email sent from the compromised account.

SABRIC warns ‘By the time the employee realises that funds have been paid into an incorrect account, it is too late as criminals use accounts belonging to ‘money mules’, who open accounts for this purpose and then further launder the money by quickly moving it into other accounts’

How to Protect Yourself:

  1. Don’t click on anything in an unsolicited email or text message asking you to update or verify account information. Look up the company’s phone number on your own (don’t use the one a potential scammer is providing), and call the company to ask if the request is legitimate.
  2. Ensure the domain visible in received emails is associated with the business it purports to be from.
  3. Ensure that permissions are enabled to allow your employees to view full email extensions on their computers.
  4. Be careful what you download. Never open an email attachment from someone you don't know, and be wary of email attachments forwarded to you.
  5. Verify payment and purchase requests in person if possible or by calling the person to make sure it is legitimate. You should verify any change in an account number or payment procedures with the person making the request.
  6. Be especially wary if the requestor is pressing you to act quickly.
  7. Organisations must also ensure that they deploy multi-tiered risk mitigation strategies to prevent Business Email Compromise. These should include education and awareness for staff.