Hall Morrice

It’s easy to delete the email from the billionaire African prince… But not one from the boss asking for immediate action

8 December 2021

Just how aware are we all of how easy it is to compromise our whole business with just one click of the mouse?

Phishing emails have evolved since the first recorded use of the term in 1996, and we’ve evolved to spot some of them: from African princes who have a fortune they need your help to wire overseas, to long-lost relatives in dire financial crisis, to dating scams and requests for money for medical emergencies. We’re more savvy these days about these spoof financial requests.

But the scammers are evolving faster, and one of the greatest risks today is business email compromise (BEC), where senior executives are tricked into transferring funds or divulging sensitive information.

BEC criminals undertake a lot of research to find the right person to target within an organisation, their chain of command and even the best time to send an email. BEC is more a social engineering attack than an attack on security systems.

We have seen many examples of senior employees receiving an email purporting to come from their boss asking them to transfer funds for an “urgent” deal. Undertaking the fraudulent instructions can lead to large losses as well as a breakdown in relationships between employees and senior managers.

The use of emotive language from the supposed ‘boss’ can be convincing and this emulation of a CEO’s style can be at the heart of a scam like this.

Taking the time to research individuals using work websites and personal emails gives the fraudsters valuable information, so everyone should review their privacy settings to restrict what can be seen about you as an individual. This also applies to things your friends and family say about you.

If something appears suspicious then it should be flagged as junk or spam and your IT team should be informed. If you do click on something suspicious, then the earlier you tell your IT department or firm the better.

However, it can be hard to spot what is suspicious. Some red flags include:

  • A senior manager asking for unusual information – most individuals will want to respond promptly to a request from management and this is something the fraudsters count on.
  • A request from a boss to keep something confidential and not to share with others.
  • Bypassing usual channels – especially for accounting, bills and payments, or asking for urgent digital transfers, sometimes out of hours.
  • Use of unusual language or a different date format.
  • A reply-to address which doesn’t match the sender’s email, or a lookalike domain with one letter or digit changed.
  • A logo whose design quality is not what you would expect.
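As an added example (not from the article or Hall Morrice), here is a small Python check that applies two of the red flags above to raw mail headers: a reply-to domain that differs from the sender’s domain, and a domain that is one character away from the organisation’s own. The company domain and the sample messages are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# The organisation's own domain: a constructed placeholder, not from the article
COMPANY_DOMAIN = "example.com"

# Constructed sample messages for the check below (not real mail)
GENUINE = ("From: Alex Boss <alex.boss@example.com>\nTo: finance@example.com\n"
           "Subject: Q4 numbers\n\nSee attached.\n")
SPOOFED = ("From: Alex Boss <alex.boss@example.com>\nReply-To: alex.boss@examp1e.com\n"
           "To: finance@example.com\nSubject: Urgent - confidential transfer\n\n"
           "Please action today and keep this between us.\n")
LOOKALIKE = ("From: Alex Boss <alex.boss@examplle.com>\nTo: finance@example.com\n"
             "Subject: Payment\n\nPay the attached invoice now.\n")


def domain_of(header_value):
    """Return the lowercase domain of an address header value, or '' if none."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance_one(a, b):
    """True if b is a with exactly one character substituted, inserted or deleted."""
    if a == b:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    if abs(len(a) - len(b)) != 1:
        return False
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))


def bec_red_flags(raw_message, company_domain=COMPANY_DOMAIN):
    """Return the header-level red flags found in one raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        flags.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")
    for dom in sorted({from_dom, reply_dom} - {""}):
        if edit_distance_one(dom, company_domain):
            flags.append(f"lookalike domain {dom} is one character from {company_domain}")
    return flags


if __name__ == "__main__":
    for name, sample in [("genuine", GENUINE), ("spoofed", SPOOFED), ("lookalike", LOOKALIKE)]:
        print(name, bec_red_flags(sample) or "no header red flags")
```

The check covers only the header-level signs; the tone, urgency and confidentiality cues in the list above still need a human reading the message.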

Having the confidence to ask ‘Is this genuine?’ can go a long way to preventing BEC attacks.

Take the time to read this excellent guide to BEC from the National Cyber Security Centre.

Business email compromise infographic
