12 January 2017

Guidelines on Business Email Compromise (BEC) Fraud

There has been an increase in reported BEC fraud in recent years. We would therefore like to share some guidelines on how to identify BEC fraud and avoid becoming a victim of it.

What is BEC fraud?

BEC fraud is a type of sophisticated scam targeting companies of all sizes, from global corporations to small businesses, especially those with multiple suppliers and / or those who make regular payments. The cyber criminals typically target a selected group of people within an organisation, such as the Chief Executive Officer (CEO), Chief Financial Officer (CFO) or other members of senior management, and impersonate them to instruct members of their organisation to transfer funds or provide confidential information of value directly to the attackers.

How is BEC typically carried out?

  1. Email spoofing
    • This involves manipulating the sender address so that an email appears to come from someone or somewhere other than its actual source.
    • The cyber criminals typically spoof a vendor’s email address to submit a modified invoice. This does not require compromising the vendor’s email system: the invoice is instead sent from a look-alike domain that closely resembles the vendor’s, for example @CompanyABC.com in place of @Company.ABC.com, a difference most people would not notice.
    • In most cases, the contents of the email are also designed to appear legitimate.
  2. Compromised Email Account
    • This involves the compromise of an executive’s email account within the organisation, such as the CEO or CFO.
    • The cyber criminals would send an email issuing an urgent payment instruction from the compromised email account to a staff member, often a junior employee, to action. Usually no other parties are copied on such emails. The junior staff member may even be advised not to discuss the email with colleagues.
    • These emails may start out as harmless interactions and then build up to a more substantial attack. For example, the sender may start by asking, “Hey, are you at your desk?” and escalate to a request for a wire transfer only after a few more interactions.
    • In some cases, these criminals use services like LinkedIn to gather information on business relationships, employee names and positions, and even a CEO or other executive’s written communication styles.
    • Criminals may also time attacks to correspond with the busiest times of day. That’s when recipients would be more inclined to hastily act on a request without carefully examining an email or asking questions about a transaction.

Precautionary measures against BEC fraud

  • Be wary: Asking for clarification, forwarding an email internally, or checking with a colleague is better than wiring hundreds of thousands of dollars to a fake company in another part of the world.
  • If something doesn't feel right, it probably isn't: Trust your instincts. Ask "Would my CEO actually tell me to do this?" or "Why isn't this supplier submitting an invoice through the normal channels?"
  • Slow down: Criminals often time their attacks around the busiest periods of the day. A staff member in a hurry to process payment requests is less likely to pause and consider whether a particular request is out of the ordinary.
  • Initiate a call back using registered records: Verify the request by calling the sender on a number held in your own records. Do not use numbers mentioned in the email.
  • Check the ‘Reply-to’ field: Although every email platform is different and many make it difficult to see the ‘Reply-to’ field, once you click Reply, check the email address. Is it a legitimate internal or external email address? Does something look unusual?
  • Watch for the use of personal accounts: In some cases, criminals may also use what appears to be a personal email account so that the ‘Reply-to’ field is less suspicious, for example [ceo name]_personal@gmail.com. Such messages often do not trigger spam filtering rules and can appear legitimate. The use of personal accounts, though, should be a warning sign for recipients.
  • Do not access company email via a public device or free Wi-Fi.
  • Be mindful of information shared on social media platforms.
  • Do not disclose hierarchical information in the out-of-office details.
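The look-alike domain, ‘Reply-to’ and personal-account warnings above can be turned into automated header checks. The following is an added illustrative example, not HSBC’s own tooling or code from the original page. The corporate domain example-corp.com, the trusted vendor list, the executive names, the free-mail provider list and the sample messages are all constructed for this demonstration.

```python
"""Header checks for three BEC patterns: a look-alike sender domain, a
Reply-To that differs from the From address, and a personal (free-mail)
account carrying an executive's name.

Illustrative example only; all organisation data and sample messages
below are constructed, not taken from any real incident."""
import email
from email import policy
from email.utils import parseaddr

# Assumed organisation data (constructed for the example).
OWN_DOMAIN = "example-corp.com"
TRUSTED_DOMAINS = {"example-corp.com", "acme-supplies.com"}
EXECUTIVES = {"jane doe", "john smith"}
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if absent."""
    _, address = parseaddr(addr or "")
    return address.rpartition("@")[2].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; domain names are short enough for plain DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the trusted domain this one imitates, or None.
    Catches a dropped or added character (acme-supplies.co) and punctuation
    games (acmesupplies.com, acme.supplies.com) against the trusted list."""
    if domain in TRUSTED_DOMAINS:
        return None
    stripped = domain.replace(".", "").replace("-", "")
    for trusted in TRUSTED_DOMAINS:
        if stripped == trusted.replace(".", "").replace("-", ""):
            return trusted
        if edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def check_headers(raw: str) -> list:
    """Return a list of human-readable findings for one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    reply_domain = domain_of(msg.get("Reply-To", ""))

    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"look-alike domain {from_domain} resembles {imitated}")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    if from_name.lower() in EXECUTIVES and from_domain != OWN_DOMAIN:
        findings.append(f"executive name '{from_name}' used with non-corporate domain {from_domain}")
    if from_domain in FREE_MAIL or reply_domain in FREE_MAIL:
        findings.append("free-mail provider in From or Reply-To")
    return findings


# Constructed sample headers (not real messages).
SPOOFED_VENDOR = """From: Accounts <billing@acme.supplies.com>
Reply-To: billing@acme.supplies.com
To: payments@example-corp.com
Subject: Updated invoice - new bank details

Please remit to the new account.
"""
FAKE_CEO = """From: Jane Doe <jane.doe_personal@gmail.com>
To: junior.clerk@example-corp.com
Subject: Urgent wire

Are you at your desk?
"""
REPLYTO_SWAP = """From: Jane Doe <jane.doe@example-corp.com>
Reply-To: Jane Doe <janedoe.ceo@outlook.com>
To: junior.clerk@example-corp.com
Subject: Quick favour

Can you help me with something today?
"""
LEGIT = """From: Jane Doe <jane.doe@example-corp.com>
To: junior.clerk@example-corp.com
Subject: Monthly report

Attached as discussed.
"""

if __name__ == "__main__":
    for label, sample in [("spoofed vendor", SPOOFED_VENDOR), ("fake CEO", FAKE_CEO),
                          ("reply-to swap", REPLYTO_SWAP), ("legitimate", LEGIT)]:
        print(label, "->", check_headers(sample) or "no findings")
```

These checks are a triage aid for the mail gateway or the recipient, not a substitute for the call back on a registered number: a fully compromised executive account passes every one of them, because the From, Reply-To and domain are all genuine.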

What do you do if you receive a suspicious email?

  • Do not respond without verifying its authenticity.
  • Do not click on any attachments or hyperlinks in the email.
  • Refer the matter to the appropriate person within the organisation if an email appears suspicious.
  • If the suspicious email is from a vendor/supplier requesting that payments be redirected to another account, validate the request by phone with a suitable representative of your vendor/supplier, using contact details from your own records.
  • If you suspect that your company has made payments arising from BEC fraud, please contact the Bank immediately to provide the necessary information that would enable them to recall the funds and concurrently lodge a police report. The earlier the Bank is informed of such fraudulent payments, the higher the chance of recovery.

Next steps

The guidelines above can be used to create discussion points within your respective organisation to formulate sound internal policies as preventive measures against such threats.

For more information or to report an incident, please contact your HSBC Relationship Manager.
