Cyber-attacks on SMEs have increased steadily in recent years. With criminals constantly devising new ways to steal information and money, one of the newest emerging threats is Business Email Compromise, also known as CEO or Chairman Fraud. The most frequent targets of this scam, small and medium-sized businesses, can lose huge sums because of one spurious email.
What is Business Email Compromise?
A fraudster emails a company's payments team, impersonating a contractor, supplier, creditor or even someone in senior management. The email might appear to be from the CEO, asking that an urgent payment be made, or from a supplier, requesting that future payments go to a new account. Often it instructs the recipient not to discuss the matter with anyone else.
Since the sender's email closely matches a known address, this type of fraud often goes unnoticed until too late. Cybercriminals may even hack into a real email account - from which fraudulent communications are hard to identify.
Business email compromise in the real world
US based business: US$400,000 loss
The payments team received an email from the CEO, asking that payments be set up for new beneficiaries. A member of the team created and authorised the payments. By the time the team realised that the requester's email address did not exactly match the CEO's, it was two days later and the perpetrator had stolen nearly US$400,000.
Global commodity trading platform provider: US$1,200,000 loss
An employee received an email from the CEO, requesting a new payment. This was authorised and made by two other staff members, the first employee even confirming with the CEO that the payment was legitimate. It was later discovered that the CEO's email had been compromised, and that the CEO and employee had been talking about two different payments. The company lost US$1,200,000.
The risks to business
- Significant financial loss
- Reputational damage
How can I defend my business against email compromise?
- Make sure your customers' staff are alert to this type of fraud.
- Implement a two-step payments verification process which includes a non-email check (eg. phone/ SMS) with the initiator.
- Always use known contact details to follow up an email request - but don't:
- reply directly to the initial email; or
- use any phone numbers or other contact information included in the email.
- Check email addresses.
What seems legitimate at first glance may well be fraud
HSBCnet Service Hotline