Business email compromise (BEC), sometimes called email account compromise (EAC) or payment diversion fraud (PDF), is fast becoming one of the most financially damaging crimes facing the commercial sector. In this article we examine both the nature of this crime and the potential to recover the financial losses arising from it.
What is BEC fraud and how does it happen?
Simply put, BEC fraud is the use of email in a business or commercial context to achieve a financial gain by deception.
BEC fraud invariably involves the impersonation, by email, of an individual and/or company with which the recipient is familiar, and the leveraging of a pre-established relationship or expectation. Sometimes the scam email seeks information which can then be used to facilitate theft, while on other occasions it seeks to elicit a direct payment.
The fraudsters plan their attacks in advance, gathering as much information as they can in order to produce target-specific emails with an air of legitimacy and credibility. With significant amounts of information about a company and its personnel published online, often on its own website, this task is made much easier. Moreover, a casual reference in a scam email to another member of staff can sometimes be all that it takes to convince a busy recipient that the email is genuine.
The scam typically starts with a phishing email sent to an employee’s email address, allowing the fraudsters access to financial information, calendars and data which provides them with the information they need to carry out the fraud. Sometimes fraudsters use ‘malware’ (malicious software) to infiltrate a company’s networks to gain access to information, such as legitimate email threads, accounting information and names of suppliers, all of which can then be used to support the fraud.
With the ability to utilise copied logos, email footers and other information consistent with a genuine email, spotting a sophisticated fraudster who is impersonating a genuine sender can be very difficult, particularly when very similar email addresses are used. Indeed, with a relatively limited chance of arrest, and a wide opportunity to experiment, the determined fraudster is likely to become increasingly adept at pulling the wool over unsuspecting eyes.
A prime example of the developing sophistication of fraudsters is the advent of ‘Friday afternoon fraud’. This has become particularly prevalent amongst property conveyancers, where fraudsters began timing their attacks for the end of the working week, when the pressure to complete transactions is highest and when, as a result of either natural or self-induced fatigue, vigilance is often at its lowest.
Business email compromise examples
There is really no limit to the different forms that BEC fraud can take. However, some actual business email compromise examples include:
- A BEC attack reported by The Guardian in 2017 where the fraudsters used the email address of a member of staff at a firm of conveyancing solicitors to instruct the purchaser of a residential property to transfer deposit monies totalling £74,837 to different bank accounts, under the pretence that the firm’s usual account could not receive CHAPS or BACS payments.
- A BEC attack reported by Tripwire in 2019 in which Evaldas Rimasauskas, a Lithuanian national, sent emails to Facebook and Google claiming to be from one of their hardware suppliers, with forged invoices and fraudulent contracts. This deception caused the technology giants to transfer payments in excess of $100 million into bank accounts he had set up in the bogus company’s name in Cyprus and Latvia.
- A BEC attack reported by the Wall Street Journal in 2021 where fraudsters hacked into the email system of a company’s bookkeeper and then inserted themselves into existing email chains by using a similar email address to that of the company’s executive director. They were then able to siphon $650,000 from the company by sending one amended and two fake invoices to the director, seeking payments in relation to an intended loan.
- A BEC attack reported by the Australian Federal Police in 2021 where offenders who claimed to be employees sent internal invoice emails to the company’s finance department, but with altered bank details. The business then processed two payments within a few days, firstly transferring $519,545 and then $2,148,938 to a Singaporean bank account. The BEC attack was then discovered after the second transfer.
- A BEC attack reported by Europol in 2021, concerning a criminal group who created fake emails and webpages, similar to those of legitimate wholesale companies, offering to sell protective materials after the outbreak of the COVID-19 pandemic. However, the goods ordered were never delivered and the proceeds received in advance were swiftly laundered.
Business email compromise statistics
Both the prominence and success of business email compromise relies upon and exploits the fact that email remains the most utilised form of written communication for business, with an estimated 316 billion emails being sent every day in 2021.
In the UK, BEC fraud is now costing business millions of pounds each year. In a blog report for the ISBL, Lloyds Banking Group confirmed that in the first four months of 2020, BEC fraud accounted for a massive 8 out of every 10 fraud attacks reported by its commercial customers. It has also reported that in 2018, BEC attacks increased by an astonishing 58%, having affected as many as half a million SMEs. Of these attacks, smaller firms were losing on average £27,000 per scam to impersonation fraudsters.
As is apparent from the business email compromise examples above, these attacks are not just a problem affecting businesses in the UK. In its 2020 Internet Crime Report the Internet Crime Complaint Center (IC3) of the FBI recorded 791,790 complaints of suspected internet crime (a 69% increase on complaints received in 2019) and associated losses exceeding $4.1 billion. It also reported that of these complaints, 19,369 related to business email compromise, where adjusted losses totalled over $1.8 billion.
What is being done to combat business email compromise in the UK?
While it may come as little comfort to those who have already fallen victim to BEC fraud, for others who have been more fortunate, it may be reassuring to know that the National Crime Agency (NCA) is leading the UK’s fight against serious and organised crime, which includes business email compromise fraud.
Through the National Economic Crime Centre, a multi-agency task force which also includes officers and representatives from the Serious Fraud Office and the Financial Conduct Authority (amongst others), the NCA is seeking to ensure that criminals defrauding British citizens, attacking UK industry and abusing UK financial services are effectively pursued. The NCA is also launching campaigns to ensure that UK industries and government agencies know how to prevent economic crime and that UK citizens are better protected.
How to detect a business email compromise attack
While prevention is almost always better than cure, when dealing with increasingly sophisticated fraudsters this can be easier said than done. That said, doing something is far preferable to doing nothing, and publicising the issue is often the first step.
However, in addition to being generally aware of the risks of a BEC attack, at an individual level it can be prudent to:
- Check for spelling mistakes – Get into the habit of checking for minor spelling mistakes in the addresses of the emails you receive.
- Verify any changes to payment details – If asked to change a supplier’s payment details, always telephone that supplier on the original number you have saved for them to confirm the changes.
- Beware of unexpected emails – Be cautious about opening any emails that you were not expecting (even if you think you recognise the sender), and do not click on any links or attachments unless you are confident they are genuine.
- Double check the sender is real – If you receive an email from a senior manager or a supplier asking you to make an urgent payment always double check the request is authentic by speaking to them, either in person or by telephone.
- Use anti-virus software – Always use reputable anti-virus software to protect your devices and keep it updated.
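Several of the checks in the list above can be partly automated before a message ever reaches a busy finance team. The following is an added example, not code from the original article: a small Python screening function that compares an inbound message against an address book of known contacts and flags the red flags described above. It flags a sender domain that is a near-miss of a known domain (one or two edits away, or identical once common digit-for-letter substitutions are undone), a known display name arriving from an address that contact has never used, any request to change payment details, and urgency language combined with payment language. The contact names, domains and message texts are constructed sample data; the edit-distance threshold and keyword lists are assumptions a team would tune for its own correspondence.

```python
"""Inbound-email triage for business email compromise red flags.

Added example, not part of the original article. All contacts, domains
and message contents are constructed sample data.
"""
import re

# Constructed address book: display name -> the address that person actually uses.
KNOWN_CONTACTS = {
    "Alice Finance": "alice@acme-supplies.example",
    "Bob Director": "bob@ourcompany.example",
}
KNOWN_DOMAINS = {addr.split("@", 1)[1] for addr in KNOWN_CONTACTS.values()}

# Digit-for-letter substitutions frequently seen in lookalike domains.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Wording that signals a change of payment destination (assumed keyword list).
PAYMENT_CHANGE = re.compile(
    r"\b(new|updated|changed?)\b.{0,40}\b(bank|account|sort code|iban|payment details)\b",
    re.I | re.S,
)
URGENCY = re.compile(r"\b(urgent|immediately|today|asap|confidential)\b", re.I)
PAYMENT_WORDS = re.compile(r"\b(pay|payment|transfer|invoice|wire)\b", re.I)


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; inputs are short domain names, so the full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise_domain(domain: str) -> str:
    """Lower-case, undo digit look-alikes and collapse the 'rn' -> 'm' trick."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m")


def screen_email(display_name: str, address: str, subject: str, body: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means no red flag fired."""
    findings = []
    _, _, domain = address.lower().partition("@")
    text = f"{subject}\n{body}"

    # 1. Sender domain is a near-miss of a domain we already correspond with.
    if domain not in KNOWN_DOMAINS:
        for known in sorted(KNOWN_DOMAINS):
            if normalise_domain(domain) == known or levenshtein(domain, known) <= 2:
                findings.append(f"lookalike domain: {domain!r} resembles known {known!r}")
                break

    # 2. Familiar display name, but not the address that person has always used.
    expected = KNOWN_CONTACTS.get(display_name)
    if expected and expected.lower() != address.lower():
        findings.append(
            f"display name {display_name!r} sent from {address!r}, expected {expected!r}"
        )

    # 3. Any change of payment details must be confirmed by telephone on the stored number.
    if PAYMENT_CHANGE.search(text):
        findings.append("payment details change requested: confirm by telephone on the number already on file")

    # 4. Pressure to pay quickly is the classic BEC lever; confirm out of band.
    if URGENCY.search(text) and PAYMENT_WORDS.search(text):
        findings.append("urgent payment request: confirm with the sender in person or by telephone")

    return findings


if __name__ == "__main__":
    # Constructed sample message: misspelt supplier domain plus new bank details.
    for line in screen_email(
        "Alice Finance",
        "alice@acme-suppl1es.example",
        "Outstanding invoice",
        "We have changed our bank account details, please use the new IBAN for the outstanding invoice.",
    ):
        print("FLAG:", line)
```

The normalisation step trades a few false positives (a genuine domain containing "rn" will also be collapsed) for catching the substitutions that are hardest to spot by eye; since every finding is routed to a person for an out-of-band check rather than acted on automatically, that trade-off is the right way round for this use.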
How to recover the financial loss from BEC fraud
The financial losses suffered as a result of a business email compromise attack are often significant, both in themselves and in proportion to the business’ operational activities. Although the money paid away can represent the only element of financial loss suffered, in other instances significant consequential losses can be incurred, which may include investigation, litigation and public relations costs.
While all of this can make the financial fallout difficult to ignore, in more severe cases, it can threaten a business’ very survival. The question therefore arises, whether anyone else can be held fully or partly responsible for this loss.
Where fraudsters obtain monies through a BEC attack, the chances of recovering those funds from them are relatively slim. Frauds of this type, by their very nature, involve moving the funds from the account into which they are deposited as quickly as possible and usually abroad, where the prospects of tracing them are extremely limited. Crypto-currencies are also being used increasingly to mask the banking trail. Consequently, even if an attack is spotted quickly after funds have been released, the company (or person) who has suffered the loss is less likely to recover the monies simply by having the recipient account frozen by the banking provider.
The insurance company
Insurance cover for cyber risks is now well established and can be purchased either as a stand-alone policy or as part of a wider insurance programme. Typically, these policies will provide cover for a range of first party and third party liabilities. These include the cost of forensic investigations, litigation expenses associated with the IT breach, regulatory defence expenses/fines, crisis management expenses, business interruption and cyber extortion. However, it does appear that insurance cover for the monies paid away in connection with a BEC attack is less readily available.
Clearly, not all businesses will have cyber insurance cover but, for those that do, there will inevitably be terms and conditions attached which will need to be considered in order to determine the applicability and scope of cover. Those terms are also likely to dictate how and when a policy claim should be notified, and a failure to comply with them could prove prejudicial.
The impersonated sender
The impersonated sender of the email, whose IT network may have been hacked, presents an obvious potential target for a compensatory claim. It is surprising, therefore, that as yet this is not an area of liability that the courts in England and Wales appear to have addressed. However, given both the prevalence and the scale of this type of fraud, this is only likely to be a matter of time.
When the courts are asked to determine such claims, we anticipate that the final outcome will turn on the particular facts of the case, taking into account such issues as:
- The nature of the relationship between the sender and the recipient. Was this a ‘one off’ email sent by the sender, in which case, it may be more difficult for the court to conclude that a duty of care existed between them, or was there a history to their relationship, such that a court may be more willing to determine that a duty of care did exist?
- Did the recipient of the email miss a red flag which should have alerted them to the fraudulent nature of the request? For example, was there a clear error in the email address of the sender which, from their history of email exchanges, should have been obvious?
- Did the sender of the email ask the recipient to send funds to an account which was different to that used previously and, if so, should the recipient have double checked with the sender by some means other than replying to the email, such as by telephone?
- Had the sender of the email taken appropriate care with their IT systems to prevent them from being hacked, or was there a history of their systems being used in this way and upon which they had failed to act accordingly?
- Was the sender of the email negligent in allowing its IT systems or email to be compromised by clicking on ‘phishing’ emails, or in failing to educate its employees to be alert to such scams?
Whether or not these court decisions will then provide useful guidance in other cases is likely to depend not only on whether the facts are comparable, but also on whether the courts take an early opportunity to lay down any broad principles of law and practice. The latter we consider doubtful, and all the more so if the decisions rest only with the lower courts.
However, any success by claimant businesses in this arena is likely to receive significant publicity and may well embolden other victims to pursue similar action.
The transacting bank
BEC fraud is a type of Authorised Push Payment (APP) fraud and in our related article Authorised Push Payment Fraud: Can I claim for compensation? we explore the potential to claim compensation from the bank which handled the transfer of funds subject to the fraud.
The insurance broker
While an insurance broker retained by the business may not seem like an obvious source from which to recover the loss suffered from a BEC attack, it is one worthy of consideration. Depending on the circumstances, such recovery could take the form of a claim for damages for professional negligence. This could be the case if:
- The business has cyber insurance cover but the limits of indemnity are insufficient;
- The business has cyber insurance cover but it is limited in scope;
- The business does not have cyber insurance cover due to an error or omission on the part of its broker when arranging or renewing cover;
- The business does not have cyber insurance cover as a result of the broker’s failure to advise as to its availability and/or desirability.
Further guidance on pursuing these types of claims can be found on our Claims For Insurance Broker Negligence webpage.
Sadly, the huge financial gains potentially available, combined with an abundance of opportunity and a relatively limited risk of prosecution or conviction, make business email compromise a positively irresistible enterprise for tech-savvy fraudsters.
This is certainly borne out by the available statistics, which show that this type of fraud is becoming increasingly prevalent and this will undoubtedly continue well into the future, despite the counter-measures deployed at state level.
While there is an array of pro-active steps that businesses can take both to protect and to insulate themselves from the risks associated with business email compromise, these will never provide a complete solution. Whether litigation through the courts will provide an avenue of additional protection is currently less clear, but it certainly has the potential to do so, and it will be interesting to see on a case-by-case basis how the law develops in this area.
Further legal assistance
As professional negligence solicitors we act for clients nationwide, to resolve claims against a wide range of professionals, including claims against banks and other financial institutions.
In doing so, we rely on the unique insight and experience that we have gained over many years from previously advising many of the leading financial services institutions on industry claims, including claims arising from business email compromise attacks.
If you would like to arrange an initial consultation with us, free of charge or commitment, please do not hesitate to contact us on 0800 195 4983 or by email at email@example.com.