Ever heard of email scams that don’t need attachments, malware, or even dodgy links? Welcome to the cunning world of Business Email Compromise (BEC), where hackers use personalized emails and social engineering to trick employees into transferring company funds. With the rise of remote work, BEC attacks are surging, proving that sometimes the most dangerous emails are the ones that look perfectly normal.
Business Email Compromise (BEC), also known as Email Account Compromise, is an email-based scam in which an attacker targets a business in order to defraud it. The attack takes place over email, is personalized to the intended victim, and usually involves prior research into the targeted organization. The attacker crafts an email message that tricks the victim into performing some action, most often transferring money to an account the attacker controls.
Types of Business Email Compromise Scam
- One common strategy is data theft, where attackers specifically target HR personnel to steal valuable employee data, such as personal information or work schedules. This stolen data can then be leveraged for subsequent attacks.
- Another prevalent tactic is account compromise, in which attackers gain unauthorized access to employee email accounts. Once inside, they can impersonate employees and contact vendors, suppliers, and partners, fraudulently requesting payments.
- CEO fraud is yet another deceptive technique, where attackers impersonate high-ranking executives, such as CEOs. They typically target lower-ranking employees or finance departments, sending emails that urgently request fund transfers to fraudulent accounts.
- Similarly, lawyer impersonation involves scammers posing as legal representatives. They often contact employees with urgent financial matters, creating a sense of pressure to comply with their demands. This tactic frequently targets top executives, especially towards the end of the business day or work week when they may be less vigilant.
- Finally, the false invoice scam involves attackers masquerading as legitimate employees. They send fake invoices via email, requesting fund transfers to fraudulent accounts.
Best Practices for Preventing BEC Attacks
The following strategies are essential practices to protect organizations against Business Email Compromise (BEC).
- Use strong passwords and multi-factor authentication on devices and email accounts as an extra layer of security.
- Implement real-time monitoring of financial transactions, especially large transfers. Set up alerts for any irregular payment request and for any transaction above a defined payment limit.
- Educate business partners and suppliers about business email compromise risks. Also, agree on a secure communication channel with them to reduce the chance of their falling for an impersonation scam.
- Establish an incident response plan that guides employees on how to report and handle suspected BEC scams promptly.
- Monitor and protect your organization’s domain name against look-alike domains so that employees are not deceived by them. Consider registering similar domain names to prevent attackers from using them.
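As an added example (not code from the original post), the look-alike-domain check described above can be automated: the Python below collapses common character substitutions, measures edit distance from the protected domain's name, and flags From: addresses whose domain imitates it. The protected domain, the trusted-domain set and the sample headers are constructed assumptions.

```python
import re

PROTECTED_DOMAIN = "examplecorp.com"   # assumption: the organisation's real domain
TRUSTED_DOMAINS = {"examplecorp.com"}  # assumption: domains allowed to send as-is
# Substitutions commonly used to build look-alike domains (constructed list).
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w", "cl": "d"}

def normalise(label: str) -> str:
    """Collapse visually similar characters so 'exarnplec0rp' reads as 'examplecorp'."""
    label = label.lower()
    for glyph, plain in HOMOGLYPHS.items():
        label = label.replace(glyph, plain)
    return label

def levenshtein(a: str, b: str) -> int:
    """Edit distance: minimum number of single-character inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(sender_domain: str, max_distance: int = 2) -> bool:
    """True if sender_domain imitates PROTECTED_DOMAIN and is not a trusted domain."""
    domain = sender_domain.lower()
    if domain in TRUSTED_DOMAINS or domain.endswith("." + PROTECTED_DOMAIN):
        return False
    parts = domain.split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]   # second-level label, e.g. 'examplecorp'
    target = PROTECTED_DOMAIN.split(".")[0]
    if target in domain:  # real name embedded: examplecorp-invoices.com, examplecorp.com.evil.net
        return True
    # A few edits or a homoglyph swap away: exarnplecorp.com, examplec0rp.com, examplecrop.com
    return levenshtein(normalise(label), normalise(target)) <= max_distance

def flag_senders(from_headers: list[str]) -> list[str]:
    """Return the From: addresses whose domain looks like the protected domain."""
    flagged = []
    for addr in from_headers:
        m = re.search(r"@([A-Za-z0-9.-]+)", addr)
        if m and is_lookalike(m.group(1)):
            flagged.append(addr)
    return flagged

# Constructed sample From: headers: one genuine sender, three look-alikes, one unrelated vendor.
SAMPLE_FROM = ["ceo@examplecorp.com", "cfo@exarnplecorp.com", "payments@examplec0rp.com",
               "legal@examplecorp-invoices.com", "vendor@trusted-supplier.net"]
```

Running `flag_senders(SAMPLE_FROM)` returns the three imitation addresses; a mail gateway rule or SIEM query that applies the same check can then quarantine or alert on them for review.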
Real-life example and case study of a BEC scam
During the Covid pandemic, a cybercrime group called Lilac Wolverine emerged in Nigeria. They preyed on businesses in Western countries by flooding them with scam emails, a tactic known as business email compromise. Their strategy involved hacking personal accounts, creating fake webmail accounts that looked legitimate, and using emotionally charged themes like cancer and Covid to manipulate their victims. They would target up to 50 enterprise users in a single campaign, concealing the targeted email addresses using blind carbon copy (BCC) to avoid detection.
Lilac Wolverine also specialized in vendor email compromise attacks. They would hack into the email account of a high-value vendor or supplier and use that account to target employees at other companies. They would then send an email to the employee asking for a favor in a friendly way, often referencing Covid-19 or personal issues the employee might be facing.
Conclusion
The Business Email Compromise (BEC) scam is a serious threat to all organizations, regardless of size, reputation, or industry. Due to the increasing reliance on technology in the workplace, this scam is expected to grow and spread. Organizations should proactively confront and prevent this threat by educating employees through training and by deploying security software that helps detect and block such attempts.