Business email compromise (BEC), where criminals steal money by simply ‘asking for it’, is on the rise. According to an Interpol report, BEC is one of the top five digital threats in Africa – and South Africa is the most likely target, shouldering 34% of the continent’s attacks.
Ryan Mer, CEO of eftsure Africa, a Know Your Payee™ (KYP) platform provider, says these attacks can take many forms, but are typically orchestrated through emails that appear to come from legitimate sources. “In many cases, criminals intercept email accounts or pose as known clients or suppliers of an organisation and request the transfer of funds. While legislation like the Financial Intelligence Centre Act (FICA) and Protection of Personal Information Act (POPIA) requires the responsible gathering, scrutiny, and storage of information, BEC remains a threat to any organisation and its clients.”
Though antivirus programmes help to some degree, BEC requires user vigilance more than anything.
Here are three things you can do to avoid becoming a victim:
Education and training
BEC scammers most frequently target executives and other employees with access to company finances, though any employee can fall victim. Often, they will gain access to a company’s network via spear-phishing, malware and fake email accounts and websites. They may also spend long periods researching vendors, billing systems and even employees, especially top executives, and those in accounts payable.
“The most common trick is to select a legitimate invoice from a trusted associate or supplier and modify it, for example, by changing the bank account and contact details,” says Mer. “They will then send this ‘invoice’ to the target from an email address that looks similar to that of the associate, requesting payment. More sophisticated attackers will even find out when an executive is out of the office to send an email that looks like it’s from him or her to a targeted employee, requesting that money be urgently transferred.”
All employees should be equipped with skills and tools to spot threats and respond effectively. This should include systems to validate any changes in vendor payment details. If this is done by phone, ensure previously known phone numbers are used, not those in the email request. Encourage employees to actively verify money transfer requests, for example by walking into senior executives’ offices.
Protect with technology
Mimecast’s 2022 state of email security report found that 87% of South African organisations were made aware of a spoofing attack using a lookalike domain or website clone, with 17% seeing more than ten such attacks in the past year. For this and many other reasons, 98% of South African companies either use or plan to use a protection service this year, while 86% use or intend to use DMARC (domain-based message authentication, reporting and conformance) to protect their email domains from impersonation.
But email protection can only do so much. Independent third-party verification systems such as eftsure’s “Know Your Payee” solution can be much more effective by automating payment checking and supplier verification, saving time on manual processes and reducing human error. “Our fraud tech platform protects your organisation by verifying key supplier details, including the banking details you use to process electronic payments. Through payment screening, you can ensure that the account number is correct before releasing funds. This process makes sure that the funds are being sent to the legitimate recipient,” says Mer.
Email hygiene
Mer gives these email best practice tips to further reduce your risk:
- Establish email rules that flag emails with extensions that are similar to company emails and emails where the “reply” email address is different from the “from” address shown. Colour coding and labelling can also help by automatically sorting internal from external accounts.
- Implement privacy and security steps when you first create an email account for new staff members. This should include strong passwords at a minimum, preferably with multi-factor authentication as an extra layer of security.
- Encrypt email messages to protect sensitive information by enabling secure/multipurpose internet mail extensions (S/MIME) on Outlook or Gmail. This not only protects the content of emails but uses digital signatures to verify the identity of the sender.
- Use secure email gateway providers to block email-based threats like spam, viruses, malware, or denial of service attacks before they reach your mail server.
- Regularly review activity and sign-ins on email accounts to identify any suspicious activity.
