RGP Warns of Business Email Compromise Fraud

The Royal Gibraltar Police has recently received reports of Business Email Compromise (BEC) fraud, which targets not just companies but charities too. This type of scam targets companies, charities and even individuals who conduct bank transfers and possess corporate or publicly available email accounts of executives or high-level employees related to finance, or involved with bank transfer payments. These email accounts can be spoofed.

This means emails are sent that appear to come from legitimate email accounts but often use deception to fool the recipient, e.g. using a ‘vv’ instead of a ‘w’ in the address. Email accounts can also be compromised through key loggers that enter a person’s device through a virus, which can happen when a link or attachment in an email sent by the fraudsters is clicked on. Information can also be obtained through phishing attacks, where a false email is sent to trick the recipient into giving the fraudsters the information they need to commit the fraud.

BEC attackers rely heavily on social engineering tactics to trick unsuspecting employees and executives by impersonating a person in the organisation authorised to conduct bank transfers. Fraudsters will carefully research and closely monitor their potential target victims and their organisations.

The opportunity for these types of scams to occur has increased at a time when employees are working from home in the current COVID-19 climate and when people communicate more by electronic means than by talking to each other.

The RGP says that both businesses and charities should consider having safeguards and policies in place, such as a confirmation phone call, in which the employee responsible for conducting the bank transfer contacts the requesting party by telephone to confirm the transaction, using already known or pre-approved contact details. A few minutes spent confirming with the person who is supposed to be requesting the transfer can prevent the success of this type of fraud.

A statement continued: “We live in busy times where online communication and banking allows for the rapid requesting and sending of funds worldwide and this is the very thing that the fraudsters are targeting. Accounts will usually be in foreign jurisdictions and, once funds have left Gibraltar, it will often be difficult for the bank or the police to recover these monies if action is not instigated immediately.

“Individuals can also fall victim to these types of fraud and should be aware of tactics used by offenders when making purchases online.

“The Royal Gibraltar Police’s Economic Crime Unit can be contacted on 20072500 for advice in these matters. However, there are many online websites that give good advice on these issues.”

One of these is Action Fraud UK (https://www.actionfraud.police.uk/), which provides information and tips to all sections of the community on how to minimise the risk of falling victim to these types of scams, as well as many others.

Businesses and charities can access the Gibraltar Financial Intelligence Unit’s (GFIU) e-Nexus learning portal, which provides a workshop that guides users on how to recognise the tactics used by criminals to hack email systems, including their use of social engineering tactics to compromise the email accounts of victims to send fraudulent payment instructions to financial institutions or businesses. To access this free workshop, you can register with the GFIU at https://www.gfiu.gov.gi/news.