Business Email Compromise

Cyber-attacks have increased steadily in recent years. With criminals constantly devising new ways to steal information and money, one of the newest emerging threats is Business Email Compromise, also known as CEO or Chairman Fraud. The most frequent targets of this scam, small and medium-sized businesses, can lose huge sums because of one spurious email.

What is Business Email Compromise?

A fraudster emails a company's payments team, impersonating a contractor, supplier, creditor or even someone in senior management. The email might appear to be from the CEO, asking that an urgent payment be made, or from a supplier, requesting that future payments go to a new account. Often it instructs the recipient not to discuss the matter with anyone else.

Because the sender's address closely resembles a known one, this type of fraud often goes unnoticed until it is too late. Cybercriminals may even take over a genuine email account, in which case the fraudulent messages come from the real address and are very hard to tell apart from legitimate ones.

Business email compromise in the real world

US based business: $400,000 loss

The payments team received an email from the CEO, asking that payments be set up for new beneficiaries. A member of the team created and authorised the payments. By the time the team realised that the requester's email address did not exactly match the CEO's, it was two days later and the perpetrator had stolen nearly $400,000.

Global commodity trading platform provider: £920,000 loss

An employee received an email from the CEO, requesting a new payment. This was authorised and made by two other staff members, the first employee even confirming with the CEO that the payment was legitimate. It was later discovered that the CEO's email had been compromised, and that the CEO and employee had been talking about two different payments. The company lost £920,000.

The risks to business

  • Significant financial loss
  • Reputational damage

How can I defend my business against email compromise?

  • Make sure your customers' staff are alert to this type of fraud.
  • Implement a two-step payment verification process that includes a non-email check (e.g. phone/SMS) with the initiator.
  • Always use known contact details to follow up an email request - but don't:
    • reply directly to the initial email; or
    • use any phone numbers or other contact information included in the email.
  • Check email addresses.
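The "check email addresses" step above can be partly automated. The following is an added example, not HSBC's code or tooling: it compares an incoming From: header against a directory of known senders and flags the two patterns described on this page, a display name that is on file but paired with a different address (as in the $400,000 case) and an address that differs from a known one by only a character or two. The directory entries and addresses are constructed sample values.

```python
import difflib
import email.utils

# Constructed directory (sample values, not from the page):
# display name -> the single address that person is known to use.
KNOWN_SENDERS = {
    "Jane Doe": "jane.doe@example-corp.com",
    "Acme Supplies": "accounts@acme-supplies.example",
}

def check_sender(from_header, reply_to_header=None, directory=KNOWN_SENDERS):
    """Return (verdict, reason) for an incoming From: header.

    verdict is one of:
      "known"      - the address is exactly one on file
      "suspicious" - display name or address resembles a known sender but
                     does not match it, or replies are routed elsewhere
      "unknown"    - the sender is not in the directory at all
    """
    name, addr = email.utils.parseaddr(from_header)
    addr = addr.lower()
    on_file = {n.lower(): a.lower() for n, a in directory.items()}
    known_addrs = set(on_file.values())

    # A Reply-To that differs from From sends the conversation to a third
    # address; a compromised or spoofed account commonly uses this.
    if reply_to_header:
        _, reply_addr = email.utils.parseaddr(reply_to_header)
        if reply_addr.lower() != addr:
            return "suspicious", f"Reply-To {reply_addr} differs from From {addr}"

    if addr in known_addrs:
        return "known", "address matches the directory exactly"

    if name.lower() in on_file:
        # Classic BEC: a known person's name on an address that is not theirs.
        return "suspicious", (f"display name '{name}' is on file as "
                              f"{on_file[name.lower()]}, not {addr}")

    # No known name: still look for a near-miss of an address we know, such as
    # a dropped letter, a digit in place of a letter or a different domain.
    close = difflib.get_close_matches(addr, list(known_addrs), n=1, cutoff=0.85)
    if close:
        return "suspicious", f"{addr} closely resembles {close[0]}"
    return "unknown", "sender is not in the directory"
```

The cutoff of 0.85 is a starting point; tune it against your own address book, and treat any "suspicious" result as a prompt for the non-email check above, not as proof of fraud.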

What seems legitimate at first glance may well be fraud

Find out more about HSBC Cybercrime

Phishing

One of the most common cyber-attacks, phishing operates through emails which are often convincing and appear to come from legitimate senders. These messages entice their targets to click on links or attachments which, in turn, facilitate theft or fraud.

Malware

Malicious software is coded with the intention of harming its target. Affecting private and corporate users alike, it can steal information, damage data, hijack website visits and spy on internet activity. Fraudulent redirection of internet banking users is an increasingly frequent form of attack.

Text and phone scams

Texts and phone calls can be used maliciously to facilitate theft and fraud. ‘Vishing’ calls try to alarm recipients into making payments or providing important financial information. ‘Smishing’ texts may additionally try to entice their target to click on malicious links, activating trojan viruses which can steal passwords and other high-value data.
