Business Email Compromise

Cyber-attacks have increased steadily in recent years. With criminals constantly devising new ways to steal information and money, one of the newest emerging threats is Business Email Compromise, also known as CEO or Chairman Fraud. The most frequent targets of this scam, small and medium-sized businesses, can lose huge sums because of one spurious email.

What is Business Email Compromise?

A fraudster emails a company's payments team, impersonating a contractor, supplier, creditor or even someone in senior management. The email might appear to be from the CEO, asking that an urgent payment be made, or from a supplier, requesting that future payments go to a new account. Often it instructs the recipient not to discuss the matter with anyone else.

Since the sender's email closely matches a known address, this type of fraud often goes unnoticed until too late. Cybercriminals may even hack into a real email account - from which fraudulent communications are hard to identify.

Business email compromise in the real world

US based business: $400,000 loss

The payments team received an email from the CEO, asking that payments be set up for new beneficiaries. A member of the team created and authorised the payments. By the time the team realised that the requester's email address did not exactly match the CEO's, it was two days later and the perpetrator had stolen nearly $400,000.

Global commodity trading platform provider: £920,000 loss

An employee received an email from the CEO, requesting a new payment. This was authorised and made by two other staff members, the first employee even confirming with the CEO that the payment was legitimate. It was later discovered that the CEO's email had been compromised, and that the CEO and employee had been talking about two different payments. The company lost £920,000.

The risks to business

  • Significant financial loss
  • Reputational damage

How can I defend my business against email compromise?

  • Make sure your customers' staff are alert to this type of fraud.
  • Implement a two-step payments verification process which includes a non-email check (eg. phone/ SMS) with the initiator.
  • Always use known contact details to follow up an email request - but don't:
    • reply directly to the initial email; or
    • use any phone numbers or other contact information included in the email.
  • Check email addresses.

What seems legitimate at first glance may well be fraud

You are leaving the HSBC Commercial Banking website.

Please be aware that the external site policies will differ from our website terms and conditions and privacy policy. The next site will open in a new browser window or tab.