BEC Costs UK Firms £140M Over Past Year

Reported business email compromise (BEC) incidents have hit 4600 cases over the past 12 months, costing individuals and businesses £138m in losses, according to new figures from the UK’s National Economic Crime Centre (NECC).

The government body is working with the National Crime Agency (NCA), City of London Police, banking group UK Finance and fraud prevention non-profit Cifas on a new campaign to raise awareness of the crime, also dubbed “mandate fraud” or “payment diversion fraud.”

It claimed that the average amount lost over those 4600 cases was £30,000, with criminals typically impersonating others and creating or amending invoices to trick victims into diverting money to accounts under their control.

Often, legitimate email accounts are hijacked via phishing or impersonated using techniques like typosquatting to add legitimacy to the money transfer request.

The NECC claimed that spikes in fraud usually occur in March and November, to coincide with financial year-ends.

“Payment diversion fraud is increasing, and it is vital that people are alive to the threat. Small and medium-sized businesses are most at risk due to less comprehensive IT security, but these criminals will also target home-buyers due to the scale of the transactions,” said NECC fraud threat lead, Jon Shilland.

“Whenever you are making a payment to a supplier or your solicitor in the case of a house purchase, you should be highly suspicious of any change in account details or new instructions. Always check with a trusted known contact, and if you have any doubt do not transfer the money.”

BEC has been the highest-earning cybercrime type for the past two years, according to the FBI.

According to the Feds’ annual Internet Crime Report, victims lost almost $1.9bn last year off the back of around 19,300 reported incidents. That amounts to nearly half the $4.2bn total lost to cybercrime during the period.

Tell-tale signs of BEC to look out for include an urgent request to transfer money, new payment details for a supplier, and spelling mistakes or inconsistent language used in the sender’s email.

What’s Hot on Infosecurity Magazine?