Lately, we have detected an increase in the fraud known as ‘Business Email Compromise’, which is closely related to the scam also known as ‘invoice payment redirection fraud’. We have seen this increase in recent consultations from our clients, as well as in current professional surveys (such as the one you can consult here) and in scholarly articles published in the latest Spanish legal publications.
This scam has been well known in the technology world for many years, although the exponential increase in remote work – and in the use of digital tools in general – caused by the pandemic is producing a clear rise in the number of cases of this type of fraud.
1. What is ‘Business Email Compromise’ and how does it relate to invoice redirection fraud?
The computer scam known as ‘Business Email Compromise’ (also known as ‘Man-in-the-E-Mail’) involves the hacker breaking into a professional or business email inbox, usually by exploiting a computer weakness in the target company. After gaining access, the fraudster analyzes the messages in that email account and identifies those that may relate to financial transactions and payments in ongoing operations.
Once a commercial transaction of interest has been identified, the hacker sends an email from an account created ‘ad hoc’ that closely resembles that of the customer/supplier, deliberately confusing the recipient, who believes he is in contact with his real business partner. In the course of these exchanges, the fraudster requests, under any pretext, a change in the method of payment of the latest outstanding invoices, usually in favor of a new bank account that is, of course, controlled by the fraudster.
The description of the scam may make it seem trivial, but it should be noted that the level of sophistication in this fraud can be very high. Hackers are able to copy invoices and other commercial documents identically. Moreover, after analyzing the flow of communications between the parties, fraudsters not only use the same language but also imitate the writing style of the people involved in the communication, so that the victim does not realize that he or she is being deceived.
2. How can we protect ourselves against this fraud?
The solution to avoid this fraud is to implement a simple protocol for verifying any apparently requested change of payment method. Thus, when faced with any request to change the method of payment of an invoice or pending commercial transaction, it is advisable for the recipient to contact his point of contact directly through a different communication channel, other than e-mail.
For example, if we receive an email with these characteristics, we will make a phone call (or a video call, or send a WhatsApp, or a fax, etc.) to its apparent sender, asking for confirmation of the request. Thus, in a simple and quick way, we will be able to clarify whether the change in the payment method is real, or whether it is due to a fraud attempt.
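As an added illustration (not code from the authors of this post), the following Python script screens incoming messages for the two warning signs described above: a sender domain that merely resembles a known business partner's domain, and wording that asks to change where an invoice is paid. The partner domain list, the phrase patterns and the sample messages are constructed assumptions; anything it flags should be confirmed with the partner over a different channel, as recommended above.

```python
"""Flag incoming e-mails that look like invoice payment redirection attempts."""
import re
from difflib import SequenceMatcher

# Constructed allow-list: domains of the company's real customers/suppliers.
KNOWN_PARTNER_DOMAINS = {"acme-supplies.example", "globex.example"}

# Constructed phrases typical of a request to change payment method or account.
PAYMENT_CHANGE_PATTERNS = [
    r"\bnew bank account\b",
    r"\bupdated? (our )?(bank|account|payment) details\b",
    r"\bchange (of|in) (the )?(bank|account|payment)\b",
    r"\biban\b",
]


def sender_domain(address: str) -> str:
    """Return the lower-cased domain of an address such as 'Name <user@host>'."""
    return address.rsplit("@", 1)[-1].strip().rstrip(">").lower()


def lookalike_of(domain: str, threshold: float = 0.8):
    """Return the partner domain this one imitates, or None.

    An exact match is a known partner, not a lookalike; a near-miss (one letter
    swapped, an extra hyphen, a different TLD) at or above `threshold` is.
    """
    if domain in KNOWN_PARTNER_DOMAINS:
        return None
    best, best_ratio = None, 0.0
    for known in KNOWN_PARTNER_DOMAINS:
        ratio = SequenceMatcher(None, domain, known).ratio()
        if ratio > best_ratio:
            best, best_ratio = known, ratio
    return best if best_ratio >= threshold else None


def requests_payment_change(body: str) -> bool:
    """True when the message text asks to change payment details."""
    text = body.lower()
    return any(re.search(pattern, text) for pattern in PAYMENT_CHANGE_PATTERNS)


def assess(sender: str, body: str) -> dict:
    """Return whether the mail needs out-of-band verification, and why."""
    domain = sender_domain(sender)
    reasons = []
    imitated = lookalike_of(domain)
    if imitated:
        reasons.append(f"sender domain {domain!r} resembles partner {imitated!r}")
    if requests_payment_change(body):
        reasons.append("message asks to change payment details")
    return {"verify_out_of_band": bool(reasons), "reasons": reasons}
```

A request to change payment details is flagged even when it comes from a genuine partner domain, since the post describes the attacker starting from a compromised mailbox; the lookalike-domain check only adds a second reason.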
Of course, another way to protect ourselves is to maintain the highest possible level of IT security, particularly on our mail servers, by ensuring that our company has the latest security updates and maintenance services in place. This aspect is essential, although not as obvious as it may seem at first glance, as hackers take advantage of these vulnerabilities to break into our computer systems.
Finally, if our company, or our customer/supplier, falls victim to the fraud and wrongly makes a payment, this will have legal consequences not only for the criminal, but also for the commercial relationship between the parties, which will have to be analyzed on a case-by-case basis.
3. Speak with us
Should you have any query regarding this scam and its consequences, do not hesitate to contact us.