What is Business Email Compromise?
A fraudster emails a company's payments team, impersonating a contractor, supplier, creditor or even someone in senior management. The email might appear to be from the CEO, asking that an urgent payment be made, or from a supplier, requesting that future payments go to a new account. Often it instructs the recipient not to discuss the matter with anyone else.
Since the sender's email closely matches a known address, this type of fraud often goes unnoticed until too late. Cybercriminals may even hack into a real email account - from which fraudulent communications are hard to identify.
Business email compromise in the real world
US based business: $400,000 loss
The payments team received an email from the CEO, asking that payments be set up for new beneficiaries. A member of the team created and authorised the payments. By the time the team realised that the requester's email address did not exactly match the CEO's, it was two days later and the perpetrator had stolen nearly $400,000.
Global commodity trading platform provider: £920,000 loss
An employee received an email from the CEO, requesting a new payment. This was authorised and made by two other staff members, the first employee even confirming with the CEO that the payment was legitimate. It was later discovered that the CEO's email had been compromised, and that the CEO and employee had been talking about two different payments. The company lost £920,000.
The risks to business
- Significant financial loss
- Reputational damage
How can I defend my business against email compromise?
- Make sure your customers' staff are alert to this type of fraud.
- Implement a two-step payments verification process which includes a non-email check (eg. phone/ SMS) with the initiator.
- Always use known contact details to follow up an email request - but don't:
- reply directly to the initial email; or
- use any phone numbers or other contact information included in the email.
- Check email addresses.
What seems legitimate at first glance may well be fraud
Find out more about HSBC Cybercrime
One of the most common cyber-attacks, phishing operates through emails which are often convincing and appear to come from legitimate senders. These messages entice their targets to click on links or attachments which, in turn, facilitate theft or fraud.
Malicious software is coded with the intention of harming its target. Affecting private and corporate users alike, it can steal information, damage data, hijack website visits and spy on internet activity. Fraudulent redirection of internet banking users is an increasingly frequent form of attack.
Text and Phone Scams
Texts and phone calls can be used maliciously to facilitate theft and fraud. 'Vishing' calls try to alarm recipients into making payments or providing important financial information. 'Smishing' texts may additionally try to entice their target to click on malicious links, activating trojan viruses which can steal passwords and other high-value data.