Four tips to avoid business email compromise attacks in your organisation


Gaps in organisations’ payment systems can have serious legal implications, says Ryan Mer from eftsure Africa.

According to a global survey conducted by Mimecast Cyber Security Services, in 2020, six out of ten companies globally were infected with ransomware and there was a 64 percent increase in email threats.

Furthermore, an Accenture report from May 2020 showed that South Africa had the third most cybercrime victims globally, resulting in losses topping R2.2 billion.

The data therefore makes it clear that business email compromise (BEC) and other cyber-attacks are on the increase.
Conveyancing firms, their clients, and other organisations that effect many large, non-recurring transactions are particularly vulnerable to BEC fraud, according to Ryan Mer, managing director of payment platform provider eftsure Africa.

“Gaps in organisations’ payment systems not only pose massive financial and reputational risks, but can have serious legal implications as well,” he says.

“All too aware of large deposits made to and from conveyancing firms, criminals target and intercept email accounts and scam victims into making payments into the incorrect account,” he adds.

The Financial Intelligence Centre Act (FICA) and the Protection of Personal Information Act (POPIA) legally require attorneys and estate agents to gather and scrutinise an individual’s information responsibly; however, BEC remains a threat.

In South Africa there are case precedents for firms being held liable for payments that did not reach the intended recipient, a situation that demands that email correspondence containing bank details and personal information be handled with caution.

In circumstances where organisations are unable to meet their financial obligations as a result of a BEC attack, third parties may seek compensation for disrupted business operations and other losses, particularly where a firm is found to be in breach of its duty to take adequate measures to mitigate the risks of BEC attacks.

Ryan says, “It’s critical that attorneys and clients should take additional care in verifying account details before making payments and should be made immediately aware of sudden changes in email addresses and bank details.”

Fortunately, most threats can be avoided with the correct financial controls, server, IT and email monitoring processes, and the following measures:

  1. Keep up to date with the latest scams and ensure your employees, colleagues and trading partners are aware of how they work in practice;
  2. Review your company practices in relation to password and security controls. Never share passwords across multiple sites or permit weak passwords;
  3. Acknowledge that employee email accounts are gateways to sensitive information and an entry point for attacks, and enforce policies restricting what information may be kept in email inboxes before secure archiving; and
  4. Re-evaluate your financial procedures for approving payment release and use a platform that can help limit the risks of BEC attacks by cross-referencing the payments an organisation is about to release with a database of verified bank account details.
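The cross-reference in tip 4, as an added illustration written for this article (Python, not eftsure's product or code): a pending payment run is screened against a registry of bank details that were confirmed out-of-band, and any payee that is unknown, differs from the verified record, or whose record changed recently is held back. Every beneficiary, bank, account number, date and the 14-day "recently changed" window is a constructed assumption.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class VerifiedBeneficiary:
    bank: str
    account: str
    verified_on: date  # when the details were last confirmed out-of-band (e.g. a call to a known number)

@dataclass(frozen=True)
class PendingPayment:
    beneficiary: str
    bank: str
    account: str
    amount: float

def _norm(account: str) -> str:
    # Compare digits only so "0001 2345 6789" and "000123456789" match the same record.
    return "".join(ch for ch in account if ch.isdigit())

# Constructed sample registry; in practice it is maintained independently of email traffic.
REGISTRY = {
    "Acme Conveyancers": VerifiedBeneficiary("Standard Bank", "000123456789", date(2024, 1, 10)),
    "Jane Seller": VerifiedBeneficiary("FNB", "62000011111", date(2024, 6, 1)),
}
AS_OF = date(2024, 6, 10)  # constructed "today" for the sample run

def check_payment(p: PendingPayment, registry: dict, today: date, recent_days: int = 14) -> str:
    """Decide whether one pending payment may be released: RELEASE, REVIEW or HOLD."""
    ref = registry.get(p.beneficiary)
    if ref is None:
        return "HOLD: beneficiary not in verified registry"
    if p.bank.casefold() != ref.bank.casefold() or _norm(p.account) != _norm(ref.account):
        return "HOLD: bank or account differs from verified details"
    if (today - ref.verified_on).days <= recent_days:
        # A freshly changed record is exactly what a BEC attacker induces, so confirm it again.
        return "REVIEW: details changed recently, confirm out-of-band before release"
    return "RELEASE"

def screen_batch(payments, registry, today):
    """Return [(beneficiary, decision)]; anything other than RELEASE should block the batch."""
    return [(p.beneficiary, check_payment(p, registry, today)) for p in payments]

# Constructed batch: one correct, one with an altered account (the classic BEC swap), one unknown payee.
SAMPLE_BATCH = [
    PendingPayment("Acme Conveyancers", "Standard Bank", "0001 2345 6789", 1_250_000.00),
    PendingPayment("Jane Seller", "FNB", "62000099999", 480_000.00),
    PendingPayment("Unknown Payee", "Capitec", "1234567890", 15_000.00),
]
```

Running `screen_batch(SAMPLE_BATCH, REGISTRY, AS_OF)` releases only the first payment; the swapped account and the unknown payee are both held for manual verification.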
