What is Business Email Compromise?
A fraudster emails a company's payments team, impersonating a contractor, supplier, lawyer, creditor or even someone in senior management. The email might appear to be from the CEO, asking that an urgent payment be made, or from a supplier, requesting that future payments go to a new account. Often, it instructs the recipient not to discuss the matter with anyone else.
Because the sender's address is crafted to closely resemble a known address (often differing by a single character, or using a lookalike domain), this type of fraud frequently goes unnoticed until it is too late. Cybercriminals may even break into a genuine email account, so that the fraudulent messages come from a legitimate address and are much harder to identify.
Business email compromise in the real world
Email compromise thwarted
A finance assistant received an email that appeared to be from one of his colleagues, instructing him to create an urgent payment.
The assistant was on annual leave at the time, but had checked his emails and responded asking if it could wait until his return. He received confirmation that this was fine.
On his first day back, he created and authorised the payment. HSBC, however, identified this as a suspicious transaction and put it on hold. The assistant was then contacted by the HSBCnet Fraud Operations team to verify the payment.
The assistant confirmed that he had created and authorised the payment, but the team encouraged him to re-check it given the prevalence of this scam. When he did so, by speaking to the colleague he thought had made the original request, he discovered that it was fraudulent and that his colleague’s email had been compromised.
The assistant informed the fraud team and the payment was withdrawn. On this occasion, no money was lost.
The importance of communication
A member of a finance team received an urgent email from the company’s CFO to make a payment transfer.
The instructions were marked as private and confidential, relating to a deal, and stated that the matter should not be discussed with any other member of staff as it might jeopardise the deal's closure. The finance staff member carried out and authorised the transaction.
Later the same day, the finance staff member saw the CFO and mentioned that they had carried out the payment as instructed. The CFO looked puzzled and asked, 'What payment?'
If the finance staff member had simply called or spoken with the CFO to verify the transaction before pressing the 'Submit' button, they would have discovered that this was not a legitimate request and that the CFO's email had been compromised.
The risks to business
- Significant financial loss
- Reputational damage
How can I defend my business against email compromise?
- Make sure your staff are alert to this type of fraud. In particular, they should:
- be wary of requests for secrecy or pressure to act quickly;
- never post sensitive information, such as job descriptions, duties or organisational charts, online;
- be suspicious of sudden changes to business practices, whether within the organisation or with suppliers (for example, a supplier asking that future payments go to a new account), and verify such changes through an alternative channel; and
- carefully scrutinise payment requests where they are out of the ordinary, unexpected or unusual.
- Implement a two-step payments verification process that includes a non-email check (e.g. phone/SMS) with the initiator.
- Always use known contact details to follow up an email request, but don't:
- reply directly to the initial email; or
- use any phone numbers or other contact information included in the email.
- Check email addresses carefully. A fraudulent address often differs from the genuine one by a single character or uses a lookalike domain, and the address that replies are sent to may not be the one displayed as the sender.
- If in doubt, do not make the payment.
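As an added example (not part of the original page or of any HSBC tooling), the following Python script shows one way a payments team could automate the "check email addresses" step above: it compares the sender of an incoming request against a list of known contacts, flags addresses that match a known contact only after lookalike characters are normalised (such as the digit 1 standing in for the letter l), flags addresses that are merely very similar to a known contact, and notes when the Reply-To address points somewhere other than the visible sender. The contact addresses, domains and sample headers are constructed for illustration, and the similarity threshold is an assumption to tune against your own contact list.

```python
"""Flag sender addresses that resemble, but do not match, known contacts.

Added example, not from the original page. All addresses and domains below
are hypothetical; the threshold is an assumption to tune for your own list.
"""
from __future__ import annotations

import unicodedata
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed allow-list of genuine contact addresses (hypothetical).
KNOWN_CONTACTS = {
    "cfo@example-corp.com",
    "accounts@acme-supplies.co.uk",
}

# Digits commonly substituted for the letters they resemble.
CONFUSABLE_DIGITS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
})

# Assumed threshold: similarity at or above this is reported as "resembles".
LOOKALIKE_THRESHOLD = 0.85


def normalise(address: str) -> str:
    """Collapse common lookalike tricks so 'examp1e' and 'example' compare equal.

    Both the candidate and the known address go through the same mapping, so
    a legitimate 'rn' in a real name (e.g. 'corner') does not cause a false
    mismatch; it is only ever compared against its own normalised form.
    """
    s = unicodedata.normalize("NFKC", address).lower()
    s = s.replace("rn", "m").replace("vv", "w")  # rn looks like m, vv like w
    return s.translate(CONFUSABLE_DIGITS)


def closest_known(sender: str):
    """Return (known_address, similarity) for the most similar known contact."""
    norm_sender = normalise(sender)
    best, best_score = None, 0.0
    for known in KNOWN_CONTACTS:
        score = SequenceMatcher(None, norm_sender, normalise(known)).ratio()
        if score > best_score:
            best, best_score = known, score
    return best, best_score


def assess_sender(from_header: str, reply_to_header: str = "") -> list[str]:
    """Return warnings for a message's From/Reply-To headers (empty = no concern)."""
    _, sender = parseaddr(from_header)
    sender = sender.lower()
    _, reply_to = parseaddr(reply_to_header)
    reply_to = reply_to.lower()

    warnings: list[str] = []
    if sender not in KNOWN_CONTACTS:
        best, score = closest_known(sender)
        if best is not None and normalise(sender) == normalise(best):
            warnings.append(f"lookalike of known contact {best}")
        elif best is not None and score >= LOOKALIKE_THRESHOLD:
            warnings.append(f"resembles known contact {best} (similarity {score:.2f})")
        else:
            warnings.append("sender is not a known contact")

    # A Reply-To that differs from the visible sender routes the reply elsewhere.
    if reply_to and reply_to != sender:
        warnings.append(f"Reply-To ({reply_to}) differs from From ({sender})")
    return warnings


if __name__ == "__main__":
    # Constructed sample headers, not real messages.
    samples = [
        ("CFO <cfo@example-corp.com>", ""),
        ("CFO <cfo@examp1e-corp.com>", ""),
        ("Accounts <accounts@acme-supplies-ltd.co.uk>", "payments@acme-supplies-ltd.co.uk"),
        ("stranger@unrelated.example", ""),
    ]
    for from_hdr, reply_hdr in samples:
        print(from_hdr, "->", assess_sender(from_hdr, reply_hdr) or ["no concern"])
```

The check is deliberately a supplement to the non-email verification step, not a replacement for it: an attacker who has taken over the genuine mailbox will pass every test here, which is exactly the case the two stories above describe.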