When a business has its email accounts compromised, this is a form of cyber crime that often affects companies who interact with vendors and suppliers. A criminal will contact a business posing as a contractor with a fake invoice or fraudulent request for payment information to be updated.
Unlike standard phishing emails that are sent out indiscriminately to millions of people, these types of attacks are crafted to appeal to specific individuals, and can be even harder to detect. These attacks are typically sent to executives or budget holders within organisations to trick staff into transferring funds, or revealing sensitive information. This type of phishing attack is known as ‘Whaling’, as it targets the senior personnel in your organisation.
In this situation, the criminal may pose as an employee, manager or CEO within a company and send an email to an employee who works in a financial dept. and ask to update their bank account information for salary payments or to update payment information for a supplier which turns out to be a fraudulent account, often with a sense of urgency. This additional pressure of urgency, may make an employee act quickly without considering the legitimacy of the request.
In a lot of cases, this attack can also involve an attempt to compromise your email account through a phishing email. Once the account is compromised, the criminals use the unlawful access to obtain information about trusted contacts, exfiltrate sensitive information, attempt to redirect bank transfer payments, create fake and fraudulent invoices/payments or use the account to further support or facilitate more cyber crime.
As more employees return to the office, be especially aware of invoice or payment email requests. Always be sceptical of urgent and hurried requests to transfer money or pay invoices. If you are unsure of an email, verify these requests by contacting the sender by another means, such as by phone to confirm what is being asked.
Advice:
- The National Cyber Security Centre (NCSC) has produced an infographic that outlines this security threat and actions to avoid Business Email Compromise.
- Phishing attacks: defending your organisation
- NCSC advice on dealing with suspicious emails, phone calls and text messages
- Targeted phishing attack aimed at senior executives guidance.
You can forward any suspicious emails that you receive to the NCSC Suspicious Email Reporting Service (SERS) at [email protected]
Contact Police Scotland on 101 if you have been a victim of Business Email Compromise or any other fraud.
Related content
Online dating has become a very popular way to meet someone new.
The majority of accounts on dating websites are genuine people looking for romance, but fraudsters have been known to target those looking for love.
Cyber criminals “meet” people on dating sites, then take the conversation onto private messaging, build up a picture of their victim, then take any opportunity to steal money from them. Criminals who commit romance fraud trawl through profiles and piece together information such as wealth and lifestyle, in order to manipulate their victims.
Black Friday and Cyber Monday have quickly escalated to be the peak pre-Christmas sale. While this benefits those shopping for Christmas, it has opened new avenues for cyber criminals to target their victims. As our inboxes are flooded with promotional emails and discount codes, it can become difficult to distinguish genuine emails from scams.
So, whether it’s Black Friday, Cyber Monday or any other day, online shoppers must be vigilant when making purchases. We’ve set out our top tips to help protect you this season from criminals and scams:
We’ve seen a rise in the number of fraudsters targeting businesses using telephone scams and using new approaches in an attempt to catch businesses off guard.
They will call and purport to be a member of bank staff, telling you there are suspicious transactions appearing on your business account. They’ll claim to be calling to make sure that any fraudulent transactions don’t go through.