• Business email compromise and impersonation fraud occurs when a criminal impersonates the CEO or other high-ranking official within an organisation to convince an employee to make an urgent payment to the criminal’s account.
• According to UK Finance’s 2021 report, Fraud: The Facts, organisations in the UK lost £10.4m to Business email compromise fraud in 2020
• While companies may be alert to spam and phishing emails containing easy-to-identify grammatical and spelling errors, business email compromise fraud is a one-on-one operation that targets chosen organisations and individuals.

An urgent email arrives from a senior member of staff demanding funds. What should you do? Despite the risks it poses to cash flow, many companies are not equipped to protect themselves or spot so-called business email compromise and impersonation fraud.

Business email compromise fraud occurs when a criminal poses as a senior person within an organisation and sends a very plausible-looking request to another member of staff. The scam continues with the fraudster asking the recipient to make an urgent payment to a specified beneficiary, bypassing normal procedures because of exceptional circumstances – for instance, that an early payment discount will be missed if funds are not transferred immediately. 

Wage redirection fraud is another type of impersonation scam, which occurs when a criminal contacts the employee’s payroll or HR department pretending to be an employee, and asks for their bank account details to be changed to a new account.  

In both cases, the attacker must impersonate a senior staff member and interact with the target, which often requires research and planning to make their email correspondence look as if it has originated from a real member of staff, including using their email signature. 

In reality, the fraudster has spoofed or hacked the relevant email account, and if the request isn’t verified independently, the company risks paying funds such as the employee’s salary directly into the criminal's bank account.

Unlike many email scams, business email compromise and wage redirection are targeted. While companies may be alert to spam messages containing easy-to-identify grammatical and spelling errors, business email compromise fraud is a one-on-one operation aimed at chosen organisations and individuals.  

“The information age has led to a proliferation in cyber attacks and a growing level of sophistication,” says James Maycock, Forensic Partner at KPMG. 

“Many attacks to date have used tried-and-tested exploits, mixing traditional social engineering with known software vulnerabilities, including phishing attacks, which target employees in large organisations or government offices for financial gains. 

“Great care is taken by the fraudsters to make sure the emails they send look like they have come from a senior figure in the company.  

“Add to this the fact that targets are carefully chosen to be important enough to sign off on substantial sums – particularly staff who work in the accounts department. The fraudsters are good at keeping up the pressure on the unsuspecting targets to act quickly. This stops them getting suspicious until the payment is made.” 

Much of the information needed for the crime, such as the name of a firm’s accountant, CEO and head of finance, are easily available online to fraudsters via Companies House, a firm’s own website or on social media. Significantly, this type of fraud can be for a sum that is substantial but not large enough to attract attention.

There are a number of simple steps that organisations can take to diminish the risk financial losses due to business email compromise fraud. 

1. Deploy phishing simulation programmes that specifically target financial users and ensure browsers, operating systems, firewalls and anti-virus or malware software are all up to date. 
2. Look for inconsistencies in language and presentation, and whether the email address changes when the user hovers a cursor over it or looks at its properties. 
3. Train HR teams and other employees to spot new tactics in phishing attempts. John Allcock, our Fraud Awareness Analyst, says good staff training and preparedness, as well as an open company culture, are vital in preventing this type of email fraud. “It goes back to having a culture where you can challenge the authenticity of the email and don’t take the email at face value and pay the funds away,” he says. 
4. Check and check again when financial requests are made. David Mount, Director at security software group Cofense, says: “Robust financial controls are essential to preventing losses from business email compromise fraud, particularly appropriate checks and balances around payments to previously unknown sources.”
5. Contact your bank and Action Fraud immediately if your organisation falls victim to business email compromise fraud.