Your email is your underbelly - beware!

When dealing with incoming email, one can never be too vigilant. International cybersecurity experts have observed that Business Email Compromise (BEC) attacks increased by 81 percent in 2022 and by 175 percent over the past two years. BEC is an advanced phishing scam that impersonates people, organisations, or entities the victim knows. It works by manipulating email addresses, so the sender appears legitimate. The most common victims of BEC are companies that use online transfers to send money to international clients. The following are typical examples of BEC:

Fraudulent Invoices: By impersonating vendors or other account representatives, scammers can trick people into sending funds to fraudulent accounts. This tactic is often used by sending fake invoices that look almost exactly like an invoice the victim typically receives.

Chief Executive Officer Fraud: This fraud involves a cybercriminal attempting to impersonate a company’s senior management and requesting online transfers of money or confidential information.

Account Takeover: When someone falls victim to a phishing attack, they may lose control of their email account. This allows the attacker to distribute phishing emails to the victim's contact list. Since the recipients recognise the sender, they will likely engage with the attacker.

Employee Data Theft: Those who work in bookkeeping or HR have access to employee information. Cybercriminals often target such employees in the hopes of stealing data such as full names, ID’s, home addresses and phone numbers.

How to prevent such attacks? Slow down and carefully inspect the sender’s email address. Scammers often create addresses that appear to be legitimate but contain slight variations, such as the way names and account names are spelled. Also:

Pay attention to the tone: When you email regularly with someone, you are likely familiar with how they communicate. An unusual tone is probably an untrustworthy email.

Avoid attachments: Malware commonly arrives via email attachments. Only open an attachment if you have confirmed it is safe.

Confirm by phone: Suppose you receive a request for money or confidential information. Speak with the sender personally before complying with the request.

Customers should never share personal and account information, especially their banking personal identity number (PIN). Remember that banks like Bank Windhoek will never ask you to confirm your personal information over the phone. If you receive a transaction notification that you did not do, rather call your bank and stop all transactions. 

Being vigilant and keeping your eyes and ears attentive are the most effective defences to curb theft and fraud. Customers who fall victim to a scam or suspect being targeted in a hoax should contact the Bank Windhoek Customer Contact Centre at 061 299 1200 immediately.
Johnny Truter, Bank Windhoek’s Manager of Forensic Services.


Johnny Truter,
Bank Windhoek’s Manager of
Forensic Services.