Last week, the legal community on the Africa continent was shaken after one of the Continent’s largest law firms (ENSAfrica) was nailed a 5.5M South Africa Rand Bill by the High Court in Johannesberg for failing to warn a property buyer of the threat of business email compromise (BEC) in a conveyancing transaction.
Read about this here.
The saga, once again, brings into sharp focus the integrity of electronic business transactions and has caused us to examine the threat of business email compromise and how we can all avoid it.
So What’s Business Email Compromise?
According to the FBI, Business Email Compromise, sometimes referred to as, email account compromise, is a type of online crime that thrives on the fact that most of us rely on email to do business – whether personal or professional.
Under this crime, a scammer poses as a trusted figure and uses email to trick someone into sending money or divulging otherwise confidential and /or sensitive company information.
According to Microsoft, the scammer asks for a fake bill to be paid or for sensitive data they can use in another scam.
This data can be any thing from phone numbers, employee details, bank accounts, among others, provided the information so requested can advance some sort of communication that can help fool a victim into trusting the scammer and ultimately lead to money being sent.
“Business Email Compromise is a form of hacking whose specific target is email correspondence. It’s not any different from any other form of hacking but what makes it unique is that it targets emails that are centred on business correspondence. The rationale for the target is that business email correspondences are mainly about transactions involving money.” Nasser Konde, a lawyer and IT Specialist told The Legal Reports.
For example, in the case involving law firm ENSAfrica alluded to in the introduction of this Article, the scammer was able to pose as the firm’s conveyancing secretary and communicate with the property buyer in a simulated conversation that fooled the buyer into thinking she was communicating with a legitimate representative of the firm.
The property buyer in this case trusted the brand of the law firm as anyone else would and the thought that she could be scammed never crossed her mind at any one moment because the scammer having successfully intercepted the email conversation between her and the law firm (this means the scammer gained access to one of the two email accounts), the scammer was able to identify conversation patterns only altering crucial information like the law firm’s bank account.
How do Business Email Compromise Scams Actually Work?
According to Microsoft, the first step in a BEC Scam is Research. The scammer (s) – sometimes operating in a criminal syndicate will research their targets first based on who can send or receive money.
The FBI says that although anyone can be a target of a BEC scam, typically scammers focus on governments, businesses, NGOs, schools, etc.
Generally, the following people are prime targets;
- Executives and leaders because details about them are often publicly available on the company website, so attackers can pretend to know them.
- Finance employees like controllers and accounts payable staff who have banking details, payment methods, and account numbers.
- HR managers with employee records like social security numbers, tax statements, contact info, and schedules.
- New or entry-level employees who won’t be able to verify an email’s legitimacy with the sender.
Once the research is done, scammers then embark on faking identities and gaining access into emails.
They can create fake websites and even register fake companies in a different country, Microsoft says.
Once they access an email (s), then they are able to monitor conversations to see who can send or receive money.
And they also monitor other useful information such as invoices and generally conversation patterns.
The scammer will then impersonate one of the parties in the email conversation by spoofing the email domain so that it appears like one that belongs to that person.
- Anthony Wameli: NUP Legal Gun Goes Silent
- LoP Mathias Mpuuga Shreds Chief Justice’s Comments On Trial of MPs Ssewanyana, Ssegirinya
- Uganda Kicks Out UN Human Rights Office
- ‘Shoot to Kill’ Case Against 3 Top Police Officers Adjourned
- The 12 Accredited Law Schools in Uganda (2023), Their Tuition Fees, Profiles, Locations, & Contacts
In the ENSAfrica case, the law firm’s email was spoofed so that “ensafrica.com” which was the authentic email domain- became “ensafirca.com.”
With access to the email, most likely of the property buyer, scammers successfully intercepted email communications from the law firm altering crucial details such as how to pay the money by encouraging the buyer to send money directly to the provided bank account instead of using a bank guarantee under guise of that being a tedious process and where to pay the money by replacing the law firm’s account with theirs.
Accessing the email enabled them to facilitate a simulated conversation hence building trust with the scammers.
Besides spoofing emails, scammers in BEC scams also conduct phishing.
As the name suggests, this is a practice aimed at acquiring information.
The FBI says scammers will send out emails that appear to be coming from legitimate sources asking you to reveal confidential information such as company accounts, passwords, calendars and data that they need to carry out their scams.
Use of Software
Scammers can also use malicious software (malware) to gain access into company systems and accounts to obtain information including email conversations, billing and invoices which they use to advance their scams.
How to Avoid BEC Scams
PRO TIP: Unless it is an absolute emergency, never transmit any sensitive information via email.
Use separate communication channels preferably telephonic communications because email is inherently insecure.
In fact, Microsoft says 91% of cyber frauds begin with email.
Having said that, there are measures you can still take to protect yourself from scammers;
Mind What You Share Online
Openly sharing things like pet names, schools you attended, links to family members, children names and your birthday, exposes you to cyber attacks because it gives a scammer all the information they need to guess your passwords and answers to your security questions, the FBI cautions.
Besides, flaunting your possessions and business successes can expose you to scams.
“One of the ways of avoiding Business Email Compromise is avoiding social habits that will make you a target for example bragging or over sharing business achievements on social media platforms. Ensuring that you have passwords that are not related to information that is public on social media like birthdays, names of pets and the like.” Nasser Konde says.
Be Wary of Click Baits
Don’t click on anything in an unsolicited email or text message asking you to update or verify account information, the FBI says. This extends to downloading any attachments from strangers.
Look up the company’s phone number on your own (don’t use the one a potential scammer is providing) and call the company to ask if the request is legitimate.
Do not open “emails from people that are strangers to you or that are not in anyway connected with what you do.” Nasser Konde cautions.
Also avoid accessing your email on other people’s devices, he adds.
One of the things I do when it comes to handling correspondence is setting time specifically for just that; reading emails and text messages.
This helps me to carefully internalise each message, do background checks on the sender and quite often I have found scammers – lots of them in my public emails – giving me business proposals, sending me unsolicited purchase orders, and the like.
Usually, I tell my scammers from the irrelevance of their emails and email description, carefully going over the URLs.
“Carefully examine the email address, URL, and spelling used in any correspondence. Scammers use slight differences to trick your eye and gain your trust.” The FBI says.
Use Available Tools to Enhance Email Security
Upgrade to email solutions that provide you with advanced protection against phishing and business email compromise and detection of compromise features.
Implement multiple authentication on all online accounts that provide them to prevent account take over.
Implement procedures to authenticate financial requests or data transactions and move high risk transactions to a secure portal (s).
While technology tools are very important in protecting against BEC, they won’t be of any help if we don’t know how to use them; so integrate email security awareness and training among users in your business.
Lastly, learn to follow your intuition. If it is too good to be true then be wary. And if it moves and chuckles like a duck, may be it is a duck. Be Wary.
Sometimes we get absolutely uneasy to do things of a certain magnitude online; that’s not an awkward feeling.
It is normal. Listen to your heart and still go the traditional normal ways of verification forexample calling a person you want to send money to and noting down their account details can save you a huge economic loss to BEC.