Fraudsters are continually engineering creative ways to target victims. Did you know that business email compromise fraud is the largest business-related fraud type in South Africa? It is responsible for substantial annual losses to businesses across all sectors.
What is business email compromise fraud?
Fraudsters use phishing techniques to compromise a business or personal email account, tricking the targeted victim into revealing their username and password. For the uninitiated, phishing is the practice of sending emails that pretend to originate from a reputable company, generally known to the recipient, with the intention of luring the victim into revealing personal information, such as the email account details that will permit the fraudster to gain access to that mail account.
Once the fraudster has gained access to the targeted email account, they set up filter rules to divert critical emails pertaining to financial transactions to themselves. The fraudster then amends the beneficiary banking details in the diverted emails, so that the fraudster, rather than the correct supplier, is paid for the goods delivered or services rendered.
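The filter rules described above leave a trace that a defender can look for. The following Python is an added example, not part of the original article: it audits an export of mailbox rules for ones that send financial mail to an address outside the organisation. The rule fields, keyword list, folder names and sample addresses are assumptions constructed for illustration, and the check for rules that also hide the original message goes beyond what the article describes.

```python
"""Audit exported mailbox rules for payment-mail diversion (added example).
The rule fields used here are an assumed, platform-neutral export schema."""

FINANCE_TERMS = {"invoice", "payment", "bank", "banking", "remittance", "eft"}
HIDING_FOLDERS = {"rss feeds", "junk email", "deleted items", "archive"}

def audit_rule(rule, own_domains):
    """Return the reasons a single rule looks like payment-mail diversion."""
    words = {w for t in rule.get("match_terms", []) for w in t.lower().split()}
    finance = sorted(words & FINANCE_TERMS)
    # A forwarding target is external when its domain is not one of ours.
    external = [a for a in rule.get("forward_to", [])
                if a.rsplit("@", 1)[-1].lower() not in own_domains]
    hides = bool(rule.get("delete")) or \
        rule.get("move_to", "").lower() in HIDING_FOLDERS
    reasons = []
    if external:
        reasons.append("forwards to external address: " + ", ".join(external))
    if finance and (external or hides):
        reasons.append("targets financial mail: " + ", ".join(finance))
    if hides and (external or finance):
        reasons.append("hides the original from the mailbox owner")
    return reasons

def audit_rules(rules, own_domains):
    """Map 'mailbox/rule name' to its reasons, for flagged rules only."""
    own = {d.lower() for d in own_domains}
    findings = {}
    for rule in rules:
        reasons = audit_rule(rule, own)
        if reasons:
            findings[f"{rule['mailbox']}/{rule['name']}"] = reasons
    return findings

# Constructed sample rules (not real data).
SAMPLE_RULES = [
    {"mailbox": "accounts@example.co.za", "name": "..",
     "match_terms": ["Invoice", "banking details"],
     "forward_to": ["billing@example-mail.test"], "delete": True},
    {"mailbox": "accounts@example.co.za", "name": "Newsletters",
     "match_terms": ["newsletter"], "move_to": "Archive"},
    {"mailbox": "ceo@example.co.za", "name": "PA copy",
     "match_terms": [], "forward_to": ["pa@example.co.za"]},
]

if __name__ == "__main__":
    for rule_id, why in audit_rules(SAMPLE_RULES, ["example.co.za"]).items():
        print(rule_id, "->", "; ".join(why))
```

Only the first sample rule is flagged; the internal forward and the plain newsletter filing rule pass.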
Consequences if you are the victim
As the victim of business email compromise fraud, you will receive an inbound email from a supplier or service provider (i.e. a sender that is familiar to you). However, the banking details included in this email have been amended by the fraudster prior to your receipt of the email. The fraudster’s objective is to lure you into paying the funds due into their bank account instead of the correct supplier’s. If you complete the payment to the fraudster, you will still be liable for payment to your supplier.
The standing legal precedent in South Africa holds that the payee of a debt bears the onus of ensuring payment account details are correct. If you fail to verify these details, you could be held liable for the loss, even if the sender’s email account was hacked.
How to prevent falling victim to business email compromise fraud
It is very difficult and potentially impossible to recover funds inadvertently paid into a fraudster’s bank account, especially since fraudsters endeavour to withdraw the monies as soon as they arrive. By being vigilant, familiarising yourself with these common scams and following these four simple rules, you can protect yourself:
- Implement 2-step verification on all email accounts.
- Should you receive new banking details for the first time, always verify this information before making a payment.
- When verifying by telephone, ensure that you call a telephone number that you have independently sourced.
- Fraudsters spoof original emails and use the same mail string as an existing mail conversation, so don’t automatically assume banking details could not have been altered.
At the MMS Group, our Management Consulting team assists our clients in formulating implementable action plans to address areas of business risk. Reach out to our team for a confidential discussion on your business risk and fraud exposure concerns.