Business Email Compromise

What is it?

Most people use one email address for all their online accounts and interactions. When criminals access (“hack”) your email account and use it to communicate as if they were you to access your accounts, this is known as ‘Business Email Compromise’ (BEC). They usually gain access to your email account by stealing your username and password through phishing, smishing and vishing other means.

Most common types of attacks:

  1. Your email account is compromised:
    1. The attacker sends a fake invoice with invalid bank details to a vendor from your mailbox 
    2. The attacker edits an invoice from a vendor, changing the banking details and you pay into the fraudster’s bank account
  2. Someone you trust has a compromised email account:
    1. The attacker sends an invoice from a trusted person's email account. It looks valid but the payment instruction is false.

Signs that your email address may be compromised

  • People complain that they are receiving spam email from you.
  • You are not receiving emails, or the emails you send are not being delivered.
  • You experience difficulties with logging into your email account.
  • The are emails in your sent items folder that you did not send.
  • The settings have been changed.

If you suspect that you have been hacked, change your username and password immediately and notify your email service provider.

Prevention tips

  • Make sure you have good antivirus and firewall protection on your PC. Update it regularly.
  • Don’t use one email address for your online life. Create separate addresses for banking, online shopping, promotions etc.
  • Use strong passwords that contain several different combinations of numbers, letters and symbols. Avoid using names, birthdays and sequenced numbers.
  • Never list your email address publicly – on social media, online forums etc.
  • Don’t use public computers to check your email.
  • For your email account and financial transactions always use two-factor authentication (e.g. one-time password, SMS or email).
  • Be careful when sharing financially sensitive information - email is not always a secure channel.
  • Confirm your bank details by sending a text message or calling the recipient.