Business Email Compromise

Overview

Business Email Compromise (BEC) is a type of scam whereby a fraudster uses a compromised or fraudulent email account to deceive employees or clients into sending money, goods, or important information to third parties controlled by the fraudster. It exploits the fact that many businesses rely almost exclusively on email correspondence to operate and to deal with third parties. The fraudulent emails are very often, at a glance, indistinguishable from the genuine emails they seek to mimic.

If any of the scenarios described below sound familiar, it is very likely that you have been a victim of fraud and should take immediate action to avoid incurring additional losses. You can read our Guide on Cyber Fraud and Recovery in Hong Kong, which we hope will allow you to take the necessary steps before it is too late.

Method

The fraudsters use various methods to disguise and impersonate key decision makers (e.g. c-level executives, senior managers and other high-ranking executive titles in an organization) in order to fool the recipient (typically an employee) into performing some type of action (usually transferring sums of money).

Spoofing Email and Email Signature

Email spoofing is a technique commonly used to trick unsuspecting users into thinking a message came from a person or an entity they trust. The “spoofing” occurs when a fraudster creates an email message with a forged sender address designed to deceive the recipient into thinking the email really came from a specific, trusted sender instead of from the actual (fraudulent) source.

Similar Domain Names

Fraudsters will often register a domain name similar to the one used by the business that they are targeting, with the idea of taking advantage of characters that can easily be confused by someone who is not paying close attention. For example, depending on the font of a given operating system, kpmg.com and kprng.com can look pretty much the same and could fool an employee who is not paying specific attention.
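As an added illustration (not part of this page or of any vendor's product), the following Python checks the domain of an incoming sender address against a list of trusted vendor domains and flags confusable look-alikes such as kprng.com for kpmg.com. The trusted-domain list and the sample addresses are constructed for the example.

```python
"""Flag look-alike sender domains against a list of trusted vendor domains."""

# Character sequences that are easy to confuse in many fonts.
# Multi-character sequences are listed first so they are collapsed
# before single characters are substituted.
CONFUSABLES = [
    ("rn", "m"),   # kprng.com vs kpmg.com
    ("vv", "w"),
    ("cl", "d"),
    ("0", "o"),
    ("1", "l"),
]

# Constructed trusted-domain list; a real deployment would load this
# from the vendor master file.
TRUSTED = ("kpmg.com", "example-vendor.com")


def canonical(domain):
    """Lower-case the domain and collapse confusable sequences."""
    d = domain.lower()
    for seq, repl in CONFUSABLES:
        d = d.replace(seq, repl)
    return d


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character variants."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(address, trusted=TRUSTED):
    """Return (verdict, matched_trusted_domain_or_None) for an address."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in trusted:
        return ("trusted", domain)
    # Internationalised (punycode) labels deserve a manual look.
    if any(label.startswith("xn--") for label in domain.split(".")):
        return ("idn-review", None)
    canon = canonical(domain)
    for t in trusted:
        if canonical(t) == canon or edit_distance(domain, t) <= 1:
            return ("lookalike", t)
    return ("unknown", None)
```

A verdict of "lookalike" on a message that asks for a bank-account change is the signal to verify the request by telephone using a number already on file, not one taken from the email.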

Hacked Email Accounts / Compromised Email Server

Compromised email accounts and servers are another common vector of attack for fraudsters. An email sent from a compromised account is virtually indistinguishable from a genuine email and can cause real damage to any business afflicted by such a problem.

Scam Variants

We have listed below various situations that clients have encountered with their business.

Vendor Account Change Request

This is probably the most common scam. It involves the fraudsters passing themselves off as a known vendor and requesting that an existing invoice be settled using a different bank account which, unbeknownst to the targeted company, belongs to the fraudsters.

Fraudulent Wire Transfer

The fraudster, posing as a manager or an executive, requests that the accounting department of the targeted company wire funds for a special project.

Gift Cards

This is another common variant, where the fraudster sends an email to an unsuspecting employee requesting that gift cards be purchased for some plausible reason (e.g. a birthday or an award ceremony). Once the cards have been purchased, the fraudster invents an additional reason and requests that the employee immediately provide the gift card numbers and PINs.

Important Tips

Keep a Record of Everything

Keep a record of anything connected to the scam. The police often rely on chat records, telephone numbers, screenshots of the website, and documents sent during the course of the scam to build their case against the fraudsters.

Report to the Police only the Relevant Parts

Very often, we see police reports filed by clients that are incomplete; they focus on matters that are not particularly relevant to the case. We have prepared a guide on how to file an online report with the Hong Kong Police.

Time is of the Essence

It is important not to waste time and make sure that the scam is reported immediately to the relevant authority.

Additional Questions

If you have additional questions which are not addressed here or wish to schedule an appointment to discuss your case, please contact us by telephone on +852 2176 4777 or by email at [email protected].

Was your Company a victim of BEC?