Business Email Compromise (also called email interception fraud) is a type of scam that targets companies and individuals who make electronic funds transfers from one person or entity to another. The fraudsters hack the victims' email accounts, intercept and redirect invoices, and then change the banking account details on those invoices to reflect their nominated account details. It is done so cleverly that the victims do not notice anything untoward! Pulling off this type of scam requires a combination of email spoofing (changing a letter or the domain in the email address to make it appear legitimate), computer intrusion (hacking) and social engineering (the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes).
Although considered a low-tech type of financial fraud, it has proved to be a rewarding scam for fraudsters. According to the Federal Bureau of Investigation's (FBI) 2018 Internet Crime Report (ICR), losses from this scam amounted to almost $1.3 billion in 2018, with 20 373 people/companies falling victim. The FBI also advised that there was a significant increase in this type of fraud between May 2018 and July 2019.
According to the South African Risk Information Centre (SABRIC) and the Ombudsman for Banking Services (OBS), South African consumers have also been targeted by this fraud. The OBS' Reana Steyn advised that, "From the formal complaints lodged and investigated by the OBS between 2018 and 2019 (to date), over R10 million was stolen from businesses/individuals through this type of fraud." Ms. Steyn also advised that the reason such losses usually cannot be mitigated by the victim or their bank is that victims only become aware of the scam a few days after the transfers, and by then it is too late for recoveries, in most instances.
Tips from the OBS on how to protect your funds:
- Do not reply to suspicious emails, and carefully check the sender's email address.
- Keep employees educated on the latest threats so that they remain vigilant against dangers.
- If you are running a business, inform your clients that your banking details will never change. If they receive any correspondence announcing a change in bank details, advise them to contact you and verify the banking details before paying.
- If you are the individual who is supplying banking details, do not email invoices with bank details.
- Any request for a change in beneficiary account details should be verified by contacting the sender using normal, legitimate, historically sound contact details, preferably by a personal phone call.