Business email compromise and impersonation: is your organisation ready to tackle the threat?

Business email compromise fraud cost UK businesses more than £10m in 2020 alone.

Key takeaways

  • Business email compromise and impersonation fraud occurs when a criminal impersonates the CEO or other high-ranking official within an organisation to convince an employee to make an urgent payment to the criminal’s account.
  • According to UK Finance’s 2021 report, Fraud: The Facts, organisations in the UK lost £10.4m to business email compromise fraud in 2020.
  • While companies may be alert to spam and phishing emails containing easy-to-identify grammatical and spelling errors, business email compromise fraud is a one-on-one operation that targets chosen organisations and individuals.

An urgent email arrives from a senior member of staff demanding funds. What should you do? Despite the risks it poses to cash flow, many companies are not equipped to protect themselves or spot so-called business email compromise and impersonation fraud.

How impersonation scams work

Business email compromise fraud occurs when a criminal poses as a senior person within an organisation and sends a very plausible-looking request to another member of staff. The scam continues with the fraudster asking the recipient to make an urgent payment to a specified beneficiary, bypassing normal procedures because of exceptional circumstances – for instance, that an early payment discount will be missed if funds are not transferred immediately. 

Wage redirection fraud is another type of impersonation scam. Here the criminal contacts an organisation’s payroll or HR department pretending to be one of its employees and asks for that employee’s bank account details to be changed to a new account, so that the next salary payment goes to the criminal.  

In both cases, the attacker must impersonate a genuine member of staff (a senior figure in the first scam, any employee in the second) and interact with the target. This usually requires research and planning so that the correspondence looks as if it originated from the real person, down to details such as their email signature. 

In reality, the fraudster has either spoofed the sender address or taken over the genuine email account, and if the request is not verified independently, through a channel other than the email itself, the company risks paying funds such as the employee’s salary directly into the criminal’s bank account.

What are the risks to your organisation?

Unlike many email scams, business email compromise and wage redirection are targeted. While companies may be alert to spam messages containing easy-to-identify grammatical and spelling errors, business email compromise fraud is a one-on-one operation aimed at chosen organisations and individuals.  

“The information age has led to a proliferation in cyber attacks and a growing level of sophistication,” says James Maycock, Forensic Partner at KPMG. 

“Many attacks to date have used tried-and-tested exploits, mixing traditional social engineering with known software vulnerabilities, including phishing attacks, which target employees in large organisations or government offices for financial gains. 

“Great care is taken by the fraudsters to make sure the emails they send look like they have come from a senior figure in the company.  

“Add to this the fact that targets are carefully chosen to be important enough to sign off on substantial sums – particularly staff who work in the accounts department. The fraudsters are good at keeping up the pressure on the unsuspecting targets to act quickly. This stops them getting suspicious until the payment is made.” 


Much of the information needed for the crime, such as the names of a firm’s accountant, CEO and head of finance, is easily available to fraudsters online via Companies House, the firm’s own website or social media. Significantly, the sum requested is often chosen to be substantial but not large enough to attract attention.

How to stay safe

There are a number of simple steps that organisations can take to reduce the risk of financial losses due to business email compromise fraud. 

  1. Deploy phishing simulation programmes that specifically target financial users and ensure browsers, operating systems, firewalls and anti-virus or malware software are all up to date. 
  2. Look for inconsistencies in language and presentation, and check the actual sender address rather than the display name: hover over the sender or open the message properties to see whether the address behind the familiar name belongs to a different or lookalike domain, or whether a Reply-To address points somewhere else. Bear in mind that a genuine account that has been taken over will show none of these signs, which is why the independent checks in step 4 still apply. 
  3. Train HR teams and other employees to spot new tactics in phishing attempts. John Allcock, our Fraud Awareness Analyst, says good staff training and preparedness, as well as an open company culture, are vital in preventing this type of email fraud. “It goes back to having a culture where you can challenge the authenticity of the email and don’t take the email at face value and pay the funds away,” he says. 
  4. Check and check again when financial requests are made. David Mount, Director at security software group Cofense, says: “Robust financial controls are essential to preventing losses from business email compromise fraud, particularly appropriate checks and balances around payments to previously unknown sources.”
  5. Contact your bank and Action Fraud immediately if your organisation falls victim to business email compromise fraud. 
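The sender-address checks in step 2 can be automated before a message reaches the accounts team. The script below is an added example and is not NatWest Group’s code; it parses a message with Python’s standard email library and flags a Reply-To domain that differs from the From domain, a From domain that imitates the organisation’s own, a display name that belongs to a known payment approver but is paired with a different address, and the pressure language typical of the “pay now or miss the discount” pretext. The domain example-corp.com, the one-entry staff directory and the three sample messages are constructed for illustration. Note that the third sample, sent from a genuine but compromised account, trips only the urgency check: header inspection cannot catch that case, which is why step 4’s independent verification of the payment request remains essential.

```python
"""Flag the sender-address inconsistencies described in step 2 above.

Added example, not NatWest Group's code. The domain, the directory and
the three messages below are constructed placeholders for illustration.
"""
import difflib
from email import message_from_string, policy
from email.utils import parseaddr

# Assumption: the organisation's own mail domain and a small directory of
# staff who can authorise payments (constructed, not real).
OWN_DOMAIN = "example-corp.com"
DIRECTORY = {"jane doe": "jane.doe@example-corp.com"}

# Pressure language typical of the "pay now or lose the discount" pretext.
URGENCY_WORDS = ("urgent", "immediately", "today", "discount", "do not call")


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def looks_alike(domain: str, own: str = OWN_DOMAIN) -> bool:
    """True when domain is close to, but not, the organisation's own domain:
    the same name on another top-level domain, or a near-identical spelling
    such as 'exarnple-corp.com' for 'example-corp.com'."""
    if not domain or domain == own:
        return False
    label, own_label = domain.split(".", 1)[0], own.split(".", 1)[0]
    if label == own_label:
        return True
    return difflib.SequenceMatcher(None, label, own_label).ratio() >= 0.8


def analyse(raw: str) -> list:
    """Return the list of finding codes for one RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))

    # Replies would go to a different domain than the message appears to come from.
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append("reply-to-mismatch")

    # The sending domain imitates the organisation's own.
    if looks_alike(from_domain):
        findings.append("lookalike-domain")

    # Display name is a known approver, but the address is not the one on record.
    expected = DIRECTORY.get(name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append("display-name-mismatch")

    # Pressure to pay quickly and bypass the usual checks (subject and body).
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + "\n" + (body.get_content() if body else "")).lower()
    if any(word in text for word in URGENCY_WORDS):
        findings.append("urgency-language")

    return findings


# Constructed sample messages.
SPOOFED = """\
From: Jane Doe <jane.doe@exarnple-corp.com>
Reply-To: jane.doe@mail-provider.net
To: accounts@example-corp.com
Subject: Urgent supplier payment

Hi, please pay the attached invoice today or we lose the early payment
discount. I am in meetings all day, so do not call. Thanks, Jane
"""

COMPROMISED_ACCOUNT = """\
From: Jane Doe <jane.doe@example-corp.com>
To: accounts@example-corp.com
Subject: New bank details for Smith Ltd

Smith Ltd have changed bank. Please pay this week's invoice to the new
account immediately so the delivery is not held.
"""

LEGITIMATE = """\
From: Jane Doe <jane.doe@example-corp.com>
To: accounts@example-corp.com
Subject: Q3 variance report

Could you send me the Q3 variance report when you get a chance? Thanks.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED),
                          ("compromised account", COMPROMISED_ACCOUNT),
                          ("legitimate", LEGITIMATE)):
        print(f"{label}: {analyse(sample) or 'no findings'}")
```

The similarity threshold and word list are deliberately simple and will produce false positives on genuine urgent mail; the point is to route such messages for the human verification in steps 3 and 4, not to block them automatically.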

This material is published by NatWest Group plc (“NatWest Group”), for information purposes only and should not be regarded as providing any specific advice. Recipients should make their own independent evaluation of this information and no action should be taken, solely relying on it. This material should not be reproduced or disclosed without our consent. It is not intended for distribution in any jurisdiction in which this would be prohibited. Whilst this information is believed to be reliable, it has not been independently verified by NatWest Group and NatWest Group makes no representation or warranty (express or implied) of any kind, as regards the accuracy or completeness of this information, nor does it accept any responsibility or liability for any loss or damage arising in any way from any use made of or reliance placed on, this information. Unless otherwise stated, any views, forecasts, or estimates are solely those of NatWest Group, as of this date and are subject to change without notice. Copyright © NatWest Group. All rights reserved.
