Johnny Truter 

International cybersecurity experts, including the United States-based Abnormal Security, have observed that Business Email Compromise (BEC) attacks increased by 81% in 2022 and 175% over the past two years. 

BEC is an advanced phishing scam that impersonates people, organisations or entities the victim knows. It works by manipulating e-mail addresses, so the sender appears legitimate. The most common victims of BEC are companies that use online transfers to send money to international clients. The following are typical examples of BEC and how to prevent these attacks:

Fraudulent invoices

 By impersonating vendors or other account representatives, scammers can trick people into sending funds to fraudulent accounts. This tactic is often used by sending fake invoices that look almost exactly like an invoice the victim typically receives.

CEO fraud

This fraud involves a cybercriminal attempting to impersonate a company’s senior management and requesting online transfers of money or confidential information.

Account takeover

When someone falls victim to a phishing attack, they may lose control of their email account. This ploy allows the attacker to distribute phishing emails to the victim’s contact list. Since the recipient recognises the account, they will likely engage with the attacker.

 Employee data theft

Those who work in bookkeeping or human resources have access to employee information. Cybercriminals often target those people in hopes of stealing data, such as full names, national Identity Document numbers, home addresses and phone numbers.

Prevention and vigilance are key in fighting fraud

Customers can prevent these attacks by slowing down and carefully inspecting the sender’s email address. Scammers often create addresses that appear to be legitimate but contain slight variations, such as the way names and account names are spelled. The following are some more examples to consider: 

Paying attention to the tone

When you email regularly with someone, you are likely familiar with how they communicate. An unusual tone equates to an untrustworthy email.

Avoiding attachments 

Email attachments represent one of the most common ways malware gets distributed. Only open an attachment if you have confirmed it is safe.

 Verbally confirming

Suppose you receive a request for money or confidential information. Establishing with the sender via an alternative method is always a good idea before complying with the request.

Most importantly, to safeguard finances from fraudsters and for self-protection, customers should never share personal and account information, especially their banking Personal Identity Number (PIN), by telephone, email or the Internet. They should also know that banks like Bank Windhoek will never ask them to confirm their personal information over the phone. If they receive a transaction notification that they did not do, customers should call their respective bank and stop all transactions. 

Vigilance against fraudster tricks and scams remains one of the most effective defences to curb theft and fraud. Customers who fall victim to a scam or suspect being targeted in a hoax should contact the Bank Windhoek Customer Contact Centre at 061 299 1200 to report the incident immediately.

 *Johnny Truter is Bank Windhoek’s manager of Forensic Services.