Business email compromise, commonly known as “BEC”, has become a major issue in
the corporate world. Globally, legal authorities have struggled to determine exactly
who is liable for the damages caused by BEC. South African companies are suffering
under the weight of BEC crimes as the courts grapple with the multitude of cases
coming before them. The rate of this form of cyber attack in South Africa is among
the highest in the world. As legal complications continue, South African businesses
are now turning their attention to methods they can use to protect their finances
and reputations.
The official definition of BEC is: “a criminal act where criminals illegally access an
email account and communicate as if they are the user”. In other words, it’s a situation
where a cyber criminal impersonates an official company/business for the purposes of
luring the recipient of the email into making some sort of financial payment into the
account of the criminal.
The problem with BEC is that it typically involves an individual within the company
“voluntarily” accepting an email and taking an action that gives permission for a
payment. The initial introductory email may appear to be from a legitimate
organisation, and one that the recipient might be familiar with. These “phishing
expeditions” succeed mainly because staff have not been educated to question or
even reject an email that might seem “dodgy”.
The financial impact globally has been estimated to be around $4.88 million. However,
it’s not just monetary losses that South African companies have to deal with, as many
also face possible regulatory penalties (via the POPI Act for data breaches), loss of
proprietary data, and loss of reputation. The latter two can drive a company out of
business as it loses customers. BEC can catapult a company into a flurry of litigation
and forensic investigations, which can be damaging beyond repair.
A high priority for many South African businesses has been to bring in a cyber
security specialist company, such as DaVinci Cybersecurity, to educate employees on all
aspects of cyber fraud to assist in avoiding BEC and other methods used by threat actors.
Criminals continue to change their methods of attack, and organisations need to receive
consistent updates on the methods criminals use to lure employees and breach their systems.
Actions can be taken to assist in protecting a business:
- Ensuring that staff receive regular training on up-to-date actions that cyber
  criminals use so they can identify suspicious emails.
- Instituting MFA (multi-factor authentication) has become a gold standard as it
  adds another layer of email account security.
- The creation of strict protocols involving payments and funds transfers to include
  MFA.
- The use of sophisticated email security solutions that will stop potential criminal
  emails.
Sharon Knowles, CEO DaVinci Cybersecurity
“More and more companies are seeking our vast knowledge on business email
compromise and requesting help to educate employees and get recommendations on
proactive actions they can take to protect their organisations.”
Source:
www.ensafrica.com/news/detail/9762/business-email-compromise-who-bears-the-risk
www.business.hsbc.co.za/en-gb/campaigns/cybercrime/business-email-compromise