The Malta Police Force investigated a case of business email compromise after receiving a complaint from Nicholas, a senior executive in a Maltese company that operates worldwide in the education sector. At the time of the event, the Maltese company was managing renovation work at a new location abroad.
During ongoing discussion with the renovation contractor, the contractor issued an invoice along with bank account information for payment. As part of typical internal procedures, the Maltese company attempted to check the bank details before proceeding. A confirmation email was received from what looked to be the contractor’s real email address, authorising the payment.
Based on this confirmation, the Maltese company moved about €75,000 from its corporate bank account. Shortly after the transfer, the contractor notified the Maltese company that payment had not been received. This unexpected occurrence prompted an internal review, which discovered that cyber criminals had hijacked the contractor’s email account.
The fraudsters had accessed the contractor’s mailbox, monitored correspondence, and intercepted invoice information. They changed the contractor’s bank details to bogus ones while keeping the same email address. As a result, the Maltese company unwittingly sent money to a criminal-controlled account.
How could this have been avoided?
This type of incident could have been prevented through independent verification of the payment instructions using a trusted communication channel. Examples include:
- Calling the contractor using a known phone number (not one provided in the suspicious email) to confirm the bank account details.
- Requesting confirmation via a secondary, pre-established secure channel, such as a previously verified email address or secure portal.
- Implementing a dual-control process where changes to supplier bank details require verbal confirmation from two authorised persons.
- Being cautious of unexpected changes to payment instructions, which are a common red flag in BEC attacks.
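The controls listed above can be enforced in software rather than left to memory. The following is an added example, not part of the original article and not any product the article describes: a minimal supplier-payment control that holds any invoice whose bank details differ from the record, accepts an out-of-band confirmation only if it was made to the phone number captured at onboarding (never one taken from the email), and requires two distinct approvers before the change takes effect. All supplier names, IBANs, phone numbers and approver names are constructed for illustration.

```python
"""Added example: dual-control and out-of-band verification for supplier
bank-detail changes. Every identifier below is constructed, not real."""

from dataclasses import dataclass, field


@dataclass
class Supplier:
    name: str
    iban: str            # bank details verified at onboarding
    verified_phone: str  # number confirmed at onboarding, not from any email


@dataclass
class PendingChange:
    new_iban: str
    callback_done: bool = False        # set only by a call to verified_phone
    approvers: set = field(default_factory=set)


class PaymentControl:
    def __init__(self, suppliers):
        self.suppliers = {s.name: s for s in suppliers}
        self.pending = {}

    def check_invoice(self, supplier_name, invoice_iban):
        """'ok' if the invoice IBAN matches the record, otherwise 'hold'.
        A mismatch is the red flag the article describes; it is never paid
        on the strength of an email alone."""
        return "ok" if invoice_iban == self.suppliers[supplier_name].iban else "hold"

    def request_change(self, supplier_name, new_iban):
        self.pending[supplier_name] = PendingChange(new_iban)

    def record_callback(self, supplier_name, number_dialled):
        """Out-of-band confirmation counts only if the number dialled is the
        one on record; a number supplied in the suspicious email is rejected."""
        if number_dialled != self.suppliers[supplier_name].verified_phone:
            return False
        self.pending[supplier_name].callback_done = True
        return True

    def approve(self, supplier_name, approver):
        """Record one authorised person's approval; returns the count so far."""
        self.pending[supplier_name].approvers.add(approver)
        return len(self.pending[supplier_name].approvers)

    def apply_change(self, supplier_name):
        """Dual control: needs a verified callback and two distinct approvers."""
        p = self.pending[supplier_name]
        if not p.callback_done or len(p.approvers) < 2:
            return False
        self.suppliers[supplier_name].iban = p.new_iban
        del self.pending[supplier_name]
        return True

    def release_payment(self, supplier_name, invoice_iban, amount):
        if self.check_invoice(supplier_name, invoice_iban) != "ok":
            return ("blocked", 0)
        return ("paid", amount)


def run_scenario():
    """Replay the article's case against the control (constructed data)."""
    ctl = PaymentControl([Supplier("Contractor Ltd", "MT00-OLD-ACCOUNT", "+356-0000-1111")])
    out = {}
    # Invoice arrives from the real (hijacked) mailbox with new bank details.
    out["invoice"] = ctl.check_invoice("Contractor Ltd", "MT00-FRAUD-ACCOUNT")
    # Paying on the email confirmation alone is blocked.
    out["pay_unverified"] = ctl.release_payment("Contractor Ltd", "MT00-FRAUD-ACCOUNT", 75000)
    # A callback to the number printed in the email does not count.
    ctl.request_change("Contractor Ltd", "MT00-NEW-ACCOUNT")
    out["bad_callback"] = ctl.record_callback("Contractor Ltd", "+356-9999-9999")
    out["apply_no_callback"] = ctl.apply_change("Contractor Ltd")
    # A callback to the number on record, then two approvers, is required.
    out["good_callback"] = ctl.record_callback("Contractor Ltd", "+356-0000-1111")
    ctl.approve("Contractor Ltd", "finance_manager")
    out["apply_one_approver"] = ctl.apply_change("Contractor Ltd")
    ctl.approve("Contractor Ltd", "finance_manager")   # same person again: still one
    out["apply_same_person"] = ctl.apply_change("Contractor Ltd")
    ctl.approve("Contractor Ltd", "chief_executive")
    out["apply_two_approvers"] = ctl.apply_change("Contractor Ltd")
    out["pay_verified"] = ctl.release_payment("Contractor Ltd", "MT00-NEW-ACCOUNT", 75000)
    return out


if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(f"{step}: {result}")
```

The point of the scenario function is the ordering of failures: the hold fires on the IBAN mismatch before any human judgement is involved, an email reply from the "real" address changes nothing, and neither a callback to an unverified number nor a single approver (even one approving twice) can unlock the change.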
Disclaimer: This account is based on a real-life case investigated by the authorities. While the events and figures described are factual, names have been changed to protect the privacy of the individuals involved.