Business Email Compromise Notice
Business Email Compromise (BEC) is a form of email exploit where an attacker impersonates a person of assumed trust such as a supplier or your senior executive, to defraud your organisation.
Protecting against BEC is critical to safeguard your organisation against financial losses and other fraudulent activity. The following are some guidelines to help you defend against BEC attacks:
1. Be vigilant against phishing emails:
  - Phishing emails often serve as the entry point for BEC attacks. They may appear to come from trusted sources but do not: the sender address closely matches a known email address, and only close scrutiny will reveal the difference.
  - Never click on suspicious links, or download or open attachments, unless you are certain of their legitimacy.
  - Never divulge PINs or passwords. The Bank will never request such information.
2. Verify payment requests. If you receive an email requesting a payment outside your usual working practices for financial transactions, treat it with caution:
  - Always verify payment requests received via email, especially if they involve changes to the bank account details of a known supplier or customer;
  - Confirm payments and any changes directly with the sender using a trusted communication channel (e.g., a phone call to the number held in your records). Never seek confirmation by replying on the email thread you received;
  - The email may press you to act urgently. Be suspicious of phrases such as 'send these details within 24 hours' or 'you have been a victim of crime, click here immediately'.
3. Protecting email accounts. BEC may be facilitated when an attacker gains access to your email account. Therefore:
  - Set up alerts for login attempts from unrecognized devices or locations;
  - Where possible, enable multi-factor authentication (MFA) for email accounts to add an extra layer of security.
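The login-alert guideline above can be implemented as a simple baseline-and-compare check over sign-in records. The following is an added example, not part of the Bank's notice: it learns which devices and countries each user has successfully signed in from, then flags later successful sign-ins from anything unseen. The record shape (user, device id, country, result) and the sample events are constructed assumptions; a real mail platform's audit log carries more fields but the same idea applies.

```python
from collections import defaultdict

# Constructed sample of historical sign-in records (assumed log shape).
HISTORY = [
    {"ts": "2024-03-01T08:02:00Z", "user": "a.finance", "device": "laptop-4421", "country": "MT", "result": "success"},
    {"ts": "2024-03-02T08:05:00Z", "user": "a.finance", "device": "laptop-4421", "country": "MT", "result": "success"},
    {"ts": "2024-03-02T09:10:00Z", "user": "b.payroll", "device": "desk-17", "country": "MT", "result": "success"},
    {"ts": "2024-03-03T07:58:00Z", "user": "a.finance", "device": "phone-9001", "country": "MT", "result": "failure"},
]

# Constructed sample of the records to be evaluated against that history.
NEW_EVENTS = [
    {"ts": "2024-03-04T08:00:00Z", "user": "a.finance", "device": "laptop-4421", "country": "MT", "result": "success"},
    {"ts": "2024-03-04T03:12:00Z", "user": "a.finance", "device": "laptop-4421", "country": "US", "result": "success"},
    {"ts": "2024-03-04T03:20:00Z", "user": "b.payroll", "device": "browser-7f2e", "country": "MT", "result": "success"},
    {"ts": "2024-03-04T11:00:00Z", "user": "c.newstarter", "device": "laptop-5000", "country": "MT", "result": "success"},
    {"ts": "2024-03-04T11:05:00Z", "user": "b.payroll", "device": "desk-17", "country": "MT", "result": "failure"},
]


def learn_baseline(events):
    """Record, per user, the devices and countries seen on successful sign-ins.

    Failed attempts are deliberately ignored: only a completed login should be
    allowed to teach the baseline what 'normal' looks like.
    """
    baseline = defaultdict(lambda: {"devices": set(), "countries": set()})
    for e in events:
        if e["result"] != "success":
            continue
        baseline[e["user"]]["devices"].add(e["device"])
        baseline[e["user"]]["countries"].add(e["country"])
    return baseline


def detect_unrecognised_logins(baseline, events):
    """Return one alert per successful sign-in from an unseen device or country.

    A user with no history at all is also flagged, since there is nothing to
    compare against and a first login deserves a human look.
    """
    alerts = []
    for e in events:
        if e["result"] != "success":
            continue
        known = baseline.get(e["user"])  # .get() does not create a default entry
        reasons = []
        if known is None:
            reasons.append("no sign-in history for user")
        else:
            if e["device"] not in known["devices"]:
                reasons.append(f"new device {e['device']}")
            if e["country"] not in known["countries"]:
                reasons.append(f"new country {e['country']}")
        if reasons:
            alerts.append({"ts": e["ts"], "user": e["user"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_unrecognised_logins(learn_baseline(HISTORY), NEW_EVENTS):
        print(f"{alert['ts']} {alert['user']}: {'; '.join(alert['reasons'])}")
```

Two design choices matter here. The baseline is built only from successful logins, so repeated guessing against an account cannot quietly add a device to its "known" set. And the detector does not update the baseline itself: a flagged device or country should only become "known" after someone has confirmed with the user that the login was genuine, which is the same out-of-band verification the notice recommends for payments.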
4. Restrict editing and signing rights:
  - Limit the number of employees who have editing and signing rights for financial transactions;
  - Implement approval workflows to ensure proper authorization of payments.
5. Spot differences in email addresses:
  - Train employees to spot subtle changes in email addresses (e.g., misspelled domain names);
  - Treat with caution emails whose “Reply-To” address differs from the “From” address.
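Both checks in this item can be automated at the mail gateway or in a triage script. The following is an added example and not part of the Bank's notice: it parses a raw message, reports when the Reply-To domain differs from the From domain, and reports when either domain is within a small edit distance of a domain the organisation trusts (the usual sign of a misspelled or lookalike domain). The trusted-domain list and the three sample messages are constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr
from typing import List, Optional, Set

# Constructed list of domains this organisation regularly deals with (an assumption;
# in practice it would come from supplier/customer master data).
TRUSTED_DOMAINS: Set[str] = {"acme-supplier.com", "example-bank.com"}

# Constructed sample messages.
SPOOFED_REPLY_TO = """\
From: "Acme Accounts" <accounts@acme-supplier.com>
Reply-To: accounts@acme-suppiler.com
To: payments@yourorg.example
Subject: Updated bank details - urgent

Please update our bank account details before the next payment run.
"""

LOOKALIKE_FROM = """\
From: "Chief Executive" <ceo@exarnple-bank.com>
To: payments@yourorg.example
Subject: Confidential transfer

I need you to process a transfer today. Do not discuss with anyone.
"""

CLEAN = """\
From: "Acme Accounts" <accounts@acme-supplier.com>
To: payments@yourorg.example
Subject: Invoice 1042

Please find invoice 1042 attached.
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance: the number of single-character insertions, deletions or
    substitutions needed to turn a into b. A small distance between a sender's
    domain and a trusted one is the signature of a lookalike domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value: str) -> str:
    """Extract the lower-cased domain from a header such as '"Name" <user@host>'."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def lookalike_of(domain: str, trusted: Set[str], max_distance: int = 2) -> Optional[str]:
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    if not domain or domain in trusted:
        return None
    for t in sorted(trusted):
        if levenshtein(domain, t) <= max_distance:
            return t
    return None


def analyse_message(raw: str, trusted: Set[str] = TRUSTED_DOMAINS) -> List[str]:
    """Return human-readable findings for a raw RFC 5322 message (empty list if none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings: List[str] = []
    from_dom = domain_of(str(msg.get("From", "")))
    reply_dom = domain_of(str(msg.get("Reply-To", "")))
    # Check 1: replies would go somewhere other than the apparent sender.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain '{reply_dom}' differs from From domain '{from_dom}'")
    # Check 2: either domain is a near-miss of a domain we trust.
    for label, dom in (("From", from_dom), ("Reply-To", reply_dom)):
        target = lookalike_of(dom, trusted)
        if target:
            findings.append(f"{label} domain '{dom}' looks like trusted domain '{target}'")
    return findings


if __name__ == "__main__":
    for name, sample in (("spoofed reply-to", SPOOFED_REPLY_TO), ("lookalike from", LOOKALIKE_FROM), ("clean", CLEAN)):
        print(name, "->", analyse_message(sample) or "no findings")
```

The edit-distance threshold of 2 catches transposed letters ("suppiler") and the classic "rn" for "m" substitution, but it will also match a legitimately different domain that happens to be close to a trusted one, so findings should route to a reviewer rather than block mail outright. The Reply-To check is deliberately unconditional: a mismatch is not always fraud, but it is exactly the case where "replying on the thread" would reach the attacker instead of the supplier, which is why the notice says to confirm by phone on a number you already hold.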
6. Provide suitable training:
  - Conduct regular awareness training for your employees;
  - Increase awareness of how to recognize suspicious emails.