Business Email Compromise (BEC) is a form of cyber crime that often affects companies that interact with vendors and suppliers. A criminal contacts a business posing as a contractor, sending a fake invoice or a fraudulent request to update payment details.
Unlike standard phishing emails, which are sent indiscriminately to millions of people, these attacks are crafted to appeal to specific individuals and can be even harder to detect. They are typically aimed at executives or budget holders within organisations, with the goal of tricking staff into transferring funds or revealing sensitive information. This type of phishing attack is known as ‘Whaling’, as it targets the senior personnel in your organisation.
In this situation, the criminal may pose as an employee, manager or CEO within a company and email someone who works in the finance department, asking them to update bank account information for salary payments or to change the payment details held for a supplier. The new account is controlled by the criminal, and the request usually carries a sense of urgency. This added pressure may make an employee act quickly without considering the legitimacy of the request.
In many cases, the attack also involves an attempt to compromise your own email account through a phishing email. Once the account is compromised, the criminals use that unlawful access to gather information about trusted contacts, exfiltrate sensitive information, redirect bank transfer payments, create fake invoices and fraudulent payments, or use the account to support and facilitate further cyber crime.
As more employees return to the office, be especially aware of invoice or payment requests arriving by email. Always be sceptical of urgent and hurried requests to transfer money or pay invoices. If you are unsure about an email, verify the request by contacting the sender through another channel, such as by phone, using contact details you already hold rather than any given in the email, to confirm what is being asked.
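Several of the warning signs described above (a senior name on an external address, a mismatched Reply-To, a request to change bank or payment details, and pressure to act quickly) can be surfaced by simple mail triage before a message reaches the finance team. The following is an added example, not code from the original article or from the NCSC: a Python heuristic run over two constructed sample emails, where the internal domain, the executive names and the keyword lists are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed organisational data (assumptions for this example).
INTERNAL_DOMAIN = "example.org"
EXECUTIVE_NAMES = {"alice smith", "bob jones"}  # typical whaling lures

# Wording often seen in payment-redirection and whaling requests.
PAYMENT_TERMS = re.compile(
    r"\b(invoice|bank (account|details)|payment details|wire|transfer)\b", re.I)
URGENCY_TERMS = re.compile(
    r"\b(urgent|asap|immediately|today|right away|before (close|end) of (day|business))\b", re.I)


def bec_indicators(raw: str) -> list[str]:
    """Return a list of BEC warning signs found in one RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", addr))
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode(errors="replace")
    text = f"{msg.get('Subject', '')}\n{body}"
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    reply_domain = reply.rsplit("@", 1)[-1].lower()

    found = []
    if name.strip().lower() in EXECUTIVE_NAMES and sender_domain != INTERNAL_DOMAIN:
        found.append("executive display name on an external address")
    if reply_domain != sender_domain:
        found.append("Reply-To domain differs from sender domain")
    if PAYMENT_TERMS.search(text):
        found.append("payment or bank-detail change request")
    if URGENCY_TERMS.search(text):
        found.append("urgency pressure")
    return found


def is_suspicious(raw: str, threshold: int = 2) -> bool:
    """Flag a message for out-of-band verification when enough signs coincide."""
    return len(bec_indicators(raw)) >= threshold


# Constructed sample messages (not real emails).
SAMPLE_BEC = """From: Alice Smith <alice.smith@example-org-mail.com>
Reply-To: Alice Smith <ceo.alice@freemail.test>
To: finance@example.org
Subject: Urgent: supplier bank details update

Hi, please update the bank account details for Acme Ltd before close of business today.
"""
SAMPLE_LEGIT = """From: IT Helpdesk <helpdesk@example.org>
To: finance@example.org
Subject: Planned maintenance this weekend

The file server will be offline on Saturday morning for patching.
"""
```

A flagged message is a prompt to verify by phone using known contact details, not proof of fraud; tune the keyword lists to your own invoice and payroll vocabulary.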
Advice:
- The National Cyber Security Centre (NCSC) has produced an infographic that outlines this security threat and actions to avoid Business Email Compromise.
- Phishing attacks: defending your organisation
- NCSC advice on dealing with suspicious emails, phone calls and text messages
- Guidance on targeted phishing attacks aimed at senior executives.
You can forward any suspicious emails that you receive to the NCSC Suspicious Email Reporting Service (SERS) at report@phishing.gov.uk.
Contact Police Scotland on 101 if you have been a victim of Business Email Compromise or any other fraud.