Choose the content you want

Get business inspiration and practical tips straight to your inbox 

Criminals can use the summertime to target businesses, so it’s a good idea to be extra vigilant at this time of year.

The security group CSIS has warned that the summer months are ‘high season’ for business email compromise (BEC) attacks, and businesses with multiple staff members on holiday are especially susceptible.

Small and medium-sized enterprises (SMEs) using software packages such as Microsoft Office365, without multifactor authentication controls, are particularly vulnerable to this type of attack, says our fraud awareness specialist, John Allcock.

“Threat actors typically launch phishing campaigns impersonating online office suites, which contain links directing recipients to fake user login pages, where credentials are harvested,” he says. 

“They can then use access to business email accounts to impersonate staff, and request that payments are made to bank accounts which they control.”

Impersonation scams involve criminals impersonating senior members of staff and asking employees to make bogus payments to bank accounts they control.

These scams are widespread and it’s important that businesses educate their staff to impersonation threats.

Take action to protect your business against BEC attacks

  1. Ensure that multi-factor authentication is activated when using online office suites
  2. Establish a two or three-layer approval process for money transfers 
  3. Create awareness about BEC fraud, with special focus on departments such as accounting, procurement and payroll 
  4. Consider what contact and employee information is shared on your website or social media channels
  5. Employ an effective spam, web and DNS filter 
  6. Be careful with auto-response emails and don’t share non-critical information about holidays, including location and duration, on social media 
  7. If in doubt about an email you receive, call the sender and confirm by phone 

BEC invoice authentication fraud

Criminals are also combining different fraud attacks to create a sophisticated new scam targeting businesses.

The criminal sends an invoice request to a target, who is often working in the finance team of the victim organisation, but crucially the fraudster copies in the target’s boss in the email, using a bogus email domain resembling the boss’s real one.

The fraudster, pretending to be the target’s boss, then replies to the email and insists that the invoice is paid immediately.

Thinking they are receiving a direct instruction from their boss, the target pays the fraudulent invoice, unwittingly sending money to an account controlled by the fraudster.

“It’s very easy to be caught out by this type of scam, so it’s a good idea to remind staff to always double-check all email addresses are genuine,” says John. “If in doubt, staff should confirm their boss’s instructions in a phone call.”

Educate all your employees about impersonation fraud

Every single person in your business can help prevent fraud and keep your business safe. Anyone can be a target at any time of the year, so it’s vital to educate all employees, not just those who manage finances. 

This material is published by NatWest Group plc (“NatWest Group”), for information purposes only and should not be regarded as providing any specific advice. Recipients should make their own independent evaluation of this information and no action should be taken, solely relying on it. This material should not be reproduced or disclosed without our consent. It is not intended for distribution in any jurisdiction in which this would be prohibited. Whilst this information is believed to be reliable, it has not been independently verified by NatWest Group and NatWest Group makes no representation or warranty (express or implied) of any kind, as regards the accuracy or completeness of this information, nor does it accept any responsibility or liability for any loss or damage arising in any way from any use made of or reliance placed on, this information. Unless otherwise stated, any views, forecasts, or estimates are solely those of NatWest Group, as of this date and are subject to change without notice. Copyright © NatWest Group. All rights reserved.

scroll to top