Also known as CEO or Chairman fraud, business email compromise (BEC) is an emerging form of cybercrime that frequently targets SMEs. It combines malware and phishing techniques to trick staff into revealing confidential business information, which can lead to heavy financial losses.
What is business email compromise?
Typically, a fraudster will email a company's payments team, impersonating a contractor, supplier, creditor – or even someone in senior management. The email may appear to be from the CEO, asking that an urgent payment be made, or from a supplier, requesting that future payments go to a new account. Often, it instructs the recipient not to discuss the matter with anyone else.
Because the sender's address closely resembles a known one, this type of fraud often goes unnoticed until it is too late. Cybercriminals may even break into a genuine email account, from which fraudulent messages are even harder to identify.
Business email compromise in the real world
The payments team received an email from the CEO, asking that payments be set up for new beneficiaries. A member of the team created and authorised the payments. By the time the team realised, two days later, that the requester's email address did not exactly match the CEO's, the perpetrator had stolen nearly USD400,000.
Global commodity trading platform provider
An employee received an email from the CEO, requesting a new payment. This was authorised and made by two other staff members, with the first employee even confirming with the CEO that the payment was legitimate. It was later discovered that the CEO's email account had been compromised and that the CEO and the employee had been talking about two different payments. The company lost USD1,200,000.
How to defend your business against a BEC attack
The risks of business email compromise can include significant financial loss and reputational damage. Here are some ways you can protect yourself:
- make sure your customers' staff are alerted to this type of fraud
- implement a two-step payment verification process that includes a non-email check (for example, a phone call or SMS) with the initiator
- always use known contact details to follow up an email request
- don't reply directly to the initial email, or use any phone numbers or other contact information included in the email
- check email addresses carefully, character by character
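The "check email addresses" step is easy to state and easy to get wrong under time pressure, as the first case above shows. The following is an added example, not code from the original page: a small defender-side check that a payments team or an inbound mail filter could run before acting on a payment request. It compares the sender against a contact list and flags addresses whose domain resembles a trusted one (lookalike characters such as 1 for l or rn for m, or a one- or two-character difference), as well as a known mailbox name appearing at an unrelated domain. The company domain, the contact list and the sample addresses are constructed for the example.

```python
"""Flag BEC-style look-alike sender addresses against a known-contacts list.

Added example, not part of the original page. The contact directory, the
domain example.com and all sample addresses below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed directory of trusted senders for a hypothetical company.
KNOWN_CONTACTS: Dict[str, str] = {
    "ceo@example.com": "Chief Executive",
    "accounts@supplier-example.com": "Supplier accounts team",
}

# Character swaps commonly used to build look-alike domains (assumed list).
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}

# Domains within this many edits of a trusted domain are treated as look-alikes.
MAX_EDIT_DISTANCE = 2


def normalize(address: str) -> str:
    """Lower-case and trim so that case or stray spaces do not hide a match."""
    return address.strip().lower()


def fold_homoglyphs(s: str) -> str:
    """Replace look-alike character sequences with the letters they imitate."""
    for bad, good in HOMOGLYPHS.items():
        s = s.replace(bad, good)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; fine for short strings such as domain names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Verdict:
    status: str            # "known", "lookalike", "suspicious" or "unknown"
    matched: Optional[str] # the trusted address the sender resembles, if any
    reason: str


def check_sender(address: str, known: Dict[str, str] = KNOWN_CONTACTS) -> Verdict:
    """Classify a sender address against the trusted contact list."""
    addr = normalize(address)
    if addr in known:
        return Verdict("known", addr, "exact match with contact list")
    local, _, domain = addr.rpartition("@")
    if not local or not domain:
        return Verdict("unknown", None, "malformed address")
    weak: Optional[Verdict] = None
    for trusted in known:
        t_local, _, t_domain = trusted.rpartition("@")
        if local != t_local or domain == t_domain:
            continue
        # Same mailbox name at a domain that imitates the trusted one.
        if (fold_homoglyphs(domain) == fold_homoglyphs(t_domain)
                or edit_distance(domain, t_domain) <= MAX_EDIT_DISTANCE):
            return Verdict("lookalike", trusted,
                           f"domain {domain!r} resembles {t_domain!r}")
        # Same mailbox name at an unrelated domain: weaker, still worth a call.
        if weak is None:
            weak = Verdict("suspicious", trusted,
                           f"mailbox {local!r} is known, but at unrelated domain {domain!r}")
    return weak or Verdict("unknown", None, "not in contact list")


if __name__ == "__main__":
    # Constructed sample senders, as they might appear in a payment request.
    for sample in ["ceo@example.com", "ceo@examp1e.com", "ceo@exarnple.com",
                   "ceo@example.co", "ceo@totally-different.com", "someone@unrelated.org"]:
        v = check_sender(sample)
        print(f"{sample:32} {v.status:10} {v.reason}")
```

Anything other than "known" should block the payment until the initiator has been reached through a known phone number. Note what this check cannot do: in the second case above the CEO's real account was compromised, so the address would have passed as "known". That is exactly why the non-email verification step is listed separately from the address check.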
What seems legitimate at first glance may well be fraud
One of the most common forms of cyberattack, bank phishing operates through emails, calls and texts, which are often convincing and appear to come from legitimate senders.
Short for ‘malicious software’, malware is coded with the intention of stealing confidential information from individuals and businesses. Once it breaches a computer or network, it can also spy on internet activity and damage data. An increasingly common form of attack is the fraudulent redirection of internet banking users.
Text and phone scams
This form of fraud spoofs the contact details and websites of legitimate sources to trick targets into making payments or revealing confidential information. Scam calls and texts are often referred to as ‘vishing’ (voice phishing) and ‘smishing’ (SMS phishing) respectively.