It is now pretty much undeniable that Business Email Compromise poses a significant and growing threat to businesses and individuals alike.

The FBI recently published figures showing global losses totalling in excess of $12bn to Business Email Compromise scams. In the UK there is a range of sources, all demonstrating that losses are significant and that attacks are becoming more prevalent:

  • ActionFraud – reported losses doubled during the financial year 2017-18 – with losses of over £77m
  • GetSafeOnline – a public / private partnership supported by government, leading banks, retail and internet security companies – have published research that suggests that nearly half a million SME businesses in the UK have been impacted by these scams
  • UK Finance research shows a total of £503.4 million was stolen from consumers by criminals through authorised and unauthorised fraud in the first six months of 2018
  • ActionFraud figures show that losses to a sub-set of this fraud that takes place in property transactions – branded as Friday Afternoon Fraud – have more than doubled. With the scammer targeting conveyancing solicitors, the sums of money are eye-watering – the typical loss for an individual being just under £70,000

There is a consistent modus operandi to all of these scams. Business Email Compromise is a fraud that relies on email and the way that we are conditioned to deal with emails. Typically it involves targeting people with access to company finances (or, in the case of private individuals, people sitting on an amount of money ready to pay for a significant property or construction purchase) and tricking them into making money transfers to the bank accounts of the fraudster.

In some cases email spoofing is used to create an email pretending to be from the CEO, a trusted customer, a trusted advisor or a supplier.  In more sophisticated scams the email is actually from the compromised account of the trusted sender.

Does Business Email Compromise have a favorite target?

Not really. There is a correlation to targeting organisations with money – because that’s what the fraudster is after – but the spread across sectors is pretty even. The size of the company is also not important.

It’s easy to assume that bigger companies have better security measures.  But there are also more fragmented relationships and greater distance between big bosses and payment processing.  There’s more likely to be remote relationships with suppliers and the sheer number of transactions can make it easier to slip through the net.

But that doesn’t let small businesses off the hook. Get Safe Online’s research of SMEs reveals that one in twelve small businesses has fallen victim to this type of scam. Data from Lloyds Bank indicates that the average loss to this scam is £27,000 (marrying up with ActionFraud’s own analysis showing over £22,000).

Law firms are most susceptible to falling victim, according to the Get Safe Online research. This is closely followed by HR Professionals, IT Workers and Finance Companies. But the difference between sectors is not stark.

Which area of the business?

The fraudsters target the roles within the business with either authority or responsibility for processing payments. Chief Executives and Finance Directors have the authority – if a fraudster can successfully pose as ‘the boss’, then payments get made. If a fraudster can deceive an Accounts Payable staff member, then they’ve got the money.

Invoice Hijacking is already prevalent and accounts for the majority of losses.  

An alarming new scam is targeting individuals’ payroll. In these cases the scammer poses as the employee and instructs the HR / Payroll rep to update their bank details. The FBI warned of this scam in the last quarter of 2018, and analysts saw an increased frequency throughout the period. We’ve yet to see statistics for this in the UK, but experience tells us that it will only be a matter of time.

The evidence suggests that until businesses take action, we’ll continue to see the frequency of losses to Business Email Compromise increase.