You receive an email from a supplier you've worked with for three years. The email looks exactly like their usual correspondence — right address, right name, right tone. It says they've changed their bank account and asks you to update your records before the next payment. You do, and your next payment goes to a criminal.
This is Business Email Compromise, and it's costing businesses tens of millions of dollars each year.
How BEC works
Business Email Compromise typically works in one of two ways:
*Method 1 — Compromised supplier email:* Criminals hack into a supplier's actual email account and monitor the conversation for upcoming payments. At the right moment, they send an authentic-looking email from the real account with new banking details. You have no reason to doubt it — it comes from the real email address.
*Method 2 — Spoofed or lookalike email:* Criminals create a domain name that looks similar to a supplier's — for example, substituting "rn" for "m" (suppliernz.co.nz becomes supplierrn.co.nz) or adding a character that's easy to miss. Combined with a copied email signature, these are convincing enough to fool busy accounts payable staff.
The scale of the problem
BEC is the single largest category of cyber crime losses globally by dollar value, according to the FBI's Internet Crime Complaint Center. CERT NZ and the NZ Police Financial Crime Group have tracked significant growth in BEC incidents locally, with individual losses ranging from $20,000 to over $1 million.
The construction, property, legal, and professional services sectors are particularly targeted, given the high-value, time-sensitive nature of their transactions.
The one policy that stops most attacks
A mandatory call-back verification policy for any banking detail change prevents the vast majority of BEC attacks. The policy is simple:
"No change to a supplier's, customer's, or employee's banking details will take effect until the change has been verbally confirmed by a phone call to a number obtained independently from our existing records — not from the email or document requesting the change."
This single policy stops nearly all BEC attacks. The criminal cannot intercept your call to a number you already have on file. Even if they email from the legitimate address, a quick call to your existing contact confirms the change is fraudulent.
Train all staff who handle payments on this policy. Make it non-negotiable. Apply it even when the request seems very plausible.
Additional preventive controls
- *Dual authorisation:* Any payment above a threshold requires approval from two separate staff members, communicated through separate channels
- *Domain monitoring:* Email security tools can flag emails from lookalike domains
- *Staff training:* Regular training on BEC patterns and simulated phishing exercises
- *Invoice verification:* Establish a process for matching invoices against purchase orders before payment
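The "domain monitoring" control above and the lookalike-domain trick described under Method 2 can be illustrated with a small screening check. The following Python is an added example written for this page; it is not code from the original article, from DUAL NZ, or from any email security product. It assumes a hand-maintained allow-list of the domains your suppliers actually send from (the domains, addresses and confusable mappings below are constructed for the illustration) and it looks only at the sender domain, since the display name is attacker-controlled.

```python
"""Lookalike-domain screening for inbound payment-change emails.

Added illustration of the "domain monitoring" control: it compares the sender
domain of a message against an allow-list of known supplier domains and flags
domains that merely resemble one. Every domain and address here is constructed
for the example; none of it is real supplier data.
"""
import unicodedata

# Constructed allow-list of domains your suppliers actually send from.
KNOWN_SUPPLIER_DOMAINS = {"suppliernz.co.nz", "metalworks.co.nz"}

# Letter pairs that render like a single letter in common fonts ("rn" ~ "m"),
# and single characters routinely swapped for a similar-looking one.
CONFUSABLE_PAIRS = {"rn": "m", "vv": "w", "cl": "d"}
CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "|": "l", "5": "s"})


def skeleton(domain: str) -> str:
    """Reduce a domain to a visual skeleton so lookalikes compare equal.

    Lowercases, strips accents (e.g. 'é' -> 'e'), then collapses the
    confusable pairs and characters above. Both the suspect domain and the
    known domains go through this, so the mapping only has to be consistent.
    """
    decomposed = unicodedata.normalize("NFKD", domain.lower())
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    for pair, single in CONFUSABLE_PAIRS.items():
        stripped = stripped.replace(pair, single)
    return stripped.translate(CONFUSABLE_CHARS)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def classify_sender(address: str, known=KNOWN_SUPPLIER_DOMAINS):
    """Return ("known", domain), ("lookalike", matched_known) or ("unknown", domain).

    Only the domain part of the address is examined; the display name is
    attacker-controlled and deliberately ignored.
    """
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if domain in known:
        return ("known", domain)
    sk = skeleton(domain)
    for k in known:
        ksk = skeleton(k)
        if (sk == ksk                                   # homoglyph swap, e.g. rn -> m, 1 -> l
                or edit_distance(domain, k) <= 1        # one character added, dropped or changed
                or sk.split(".", 1)[0] == ksk.split(".", 1)[0]):  # same name, different suffix
            return ("lookalike", k)
    return ("unknown", domain)


if __name__ == "__main__":
    # Constructed sample senders of "please update our bank details" emails.
    for sender in ["accounts@suppliernz.co.nz", "accounts@supp1iernz.co.nz",
                   "ap@rnetalworks.co.nz", "ap@supplier-nz.co.nz",
                   "billing@suppliernz.com", "info@example.org"]:
        print(f"{sender:32} -> {classify_sender(sender)}")
```

A "lookalike" result is a reason to hold the payment and route the message to someone who will apply the call-back policy; a "known" result is not a reason to skip it, because a compromised real account (Method 1) passes this check by definition. The check is deliberately conservative: it will also flag a supplier who legitimately moved to a new suffix, and that is the right trade-off for a banking-detail change.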
When prevention fails: insurance
Even excellent controls don't guarantee zero losses. When a BEC attack succeeds despite controls, having the right insurance in place determines whether your business can absorb the loss.
Standard commercial crime policies often have a "social engineering" exclusion — meaning a fraudulent payment authorised by your staff may not be covered, because it was technically authorised. A specific social engineering fraud endorsement is required.
DUAL NZ offers this as an add-on to their cyber policy with up to $250,000 in coverage. Other insurers offer higher limits. Given that the average BEC loss is well within these limits, the add-on cost is generally a small fraction of the potential loss.
Contact us for a tailored quote for BEC insurance for your business.