We have recently observed a surge in incidents where cybercriminals attempt to defraud organisations by breaking into their email accounts and impersonating employees and third parties. This common type of scam is called Business Email Compromise (BEC): intruders spend a prolonged period spying on the victim’s email communications with internal colleagues and with third parties outside the organisation. The aim of these criminals is to convince staff members of the victim organisation to transfer significant sums to a bank account that the criminals control.
In March 2020, a financial services firm in Hong Kong lost HK$41 million in a BEC scam. Such a sum highlights the significant scale of the problem; this is not just low-value fraud. The US Federal Bureau of Investigation revealed that BEC cost victims more than US$1.7 billion in 2019 alone, and that it affected victims in 177 countries. We have seen this first-hand too. PwC’s Cyber Incident Response team in Hong Kong, which helps organisations respond to and recover from cyber attacks, has seen a spike in such cybercriminal fraud affecting Hong Kong and other locations in the APAC region in recent months.
While traditional BEC targets just one organisation, recent scams have shown a focus on hijacking communications between two or more partner companies. Organisations have been more vulnerable to such risks recently because most employees are working from home. With colleagues dispersed, it is harder for staff to coordinate and verify whether a payment request is legitimate, and criminals are likely to succeed at capitalising on that weakened checking process.