Criminals now use digital technology to commit crime

In a recent media release, SABRIC, the South African Banking Risk Information Centre, on behalf of the banking industry informed bank customers about a scam known as ‘Business Email Compromise’ (BEC) where criminals literally ‘steal money by asking for it’. This scam targets specific employees in organisations who are authorised to transfer funds or make payments.

‘Digital technology, combined with social engineering which exploits our human tendency to be compliant when faced with a directive from an authority figure, enables criminals to perpetuate this type of crime’, says SABRIC acting CEO, Susan Potgieter.

Criminals utilise information obtained from company websites and/or other digital platforms to identify the details of CEOs, Financial Directors and other key senior individuals. They then impersonate these individuals by sending electronic requests via email or text message to junior staff in the accounting or finance function, requesting that an urgent payment be made to a specific beneficiary.

Another way criminals glean information to perpetrate this crime is through phishing attacks, where users are sent emails containing malicious links and are then manipulated into clicking on them to install malware. This malware is designed to access the network and monitor mailboxes so that criminals can learn about payment patterns, identify the role players and understand individual communication styles, including typically used words or phrases. This ensures that when a criminal impersonates the person issuing the directive to make a payment, the request comes off as authentic and does not arouse any suspicion.

By the time the employee realises that funds have been paid into the incorrect account, it is too late, as criminals use accounts belonging to ‘money mules’, who open accounts for this purpose, and then further launder the money by quickly moving it into other accounts.

SABRIC advises organisations to deploy multi-tiered risk mitigation strategies to prevent Business Email Compromises. These should include digital resilience mechanisms such as intrusion detection, penetration tests and firewalls, robust policies and procedures with inherent checks and balances, as well as education and awareness for staff.
