Business Email Compromise (BEC)

In another case reported to the Malta Police Force, Adrian, Chief Financial Officer of the Maltese company involved in trading activities, fell victim to a Business Email Compromise scheme involving a €150,000 transfer.

The incident began when Adrian arranged a payment to a business partner as part of routine financial operations. Shortly after initiating the transfer, he received an email that appeared to come from the partner’s legitimate email address. In the message, he was instructed to cancel the original payment and redirect the funds to a different bank account in the United Kingdom due to alleged administrative changes.

Adrian carefully reviewed the sender’s email address and found no visible discrepancies. Since the address matched his contact records, he complied and redirected the €150,000 to the newly supplied account. Only after confirming the transaction by phone did the partner express alarm, stating that no such change had been requested.

Further technical investigation revealed that the partner’s email account had been compromised. A malicious rule had been created within the mailbox, automatically diverting or marking as “read” certain communications, thereby preventing the legitimate account holder from noticing the fraudulent correspondence.

Fraudsters do not necessarily create fake email addresses; instead, they infiltrate genuine accounts, making detection extremely difficult. That is why it is important that when a company receives a change of bank details, the company or the individual must verify payment details through independent communication channels, such as a direct phone call using previously established contact numbers.

Disclaimer: This account is based on a real-life case investigated by the authorities. While the events and figures described are factual, names have been changed to protect the privacy of the individuals involved.

The Malta Police Force investigated a case of business email compromise after receiving a complaint from Nicholas, a senior executive in a Maltese company that operates worldwide in the education sector. At the time of the event, the Maltese company was managing renovation work at a new location abroad.

During ongoing discussion with the renovation contractor, the contractor issued an invoice along with bank account information for payment. As part of typical internal procedures, the Maltese company attempted to check the bank details before proceeding. A confirmation email was received from what looked to be the contractor’s real email address, authorising the payment.

Based on this confirmation, the Maltese company moved about €75,000 from its corporate bank account. Shortly after the transfer, the contractor notified the Maltese company that payment had not been received. This unexpected occurrence prompted an internal review, which discovered that cyber criminals had hijacked the contractor’s email account.

The fraudsters had accessed the contractor’s mailbox, monitored correspondence, and intercepted invoice information. They changed the contractor’s bank details to bogus ones while keeping the same email address. As a result, the Maltese company unwittingly sent money to a criminal-controlled account.

How this could have been avoided?

This type of incident could have been prevented through independent verification of the payment instructions using a trusted communication channel. Examples include:

• Calling the contractor using a known phone number (not one provided in the suspicious email) to confirm the bank account details
• Requesting confirmation via a secondary, pre-established secure channel, such as a previously verified email address or secure portal.
• Implementing a dual-control process where changes to supplier bank details require verbal confirmation from two authorised persons.
• Being cautious of unexpected changes to payment instructions, which are a common red flag in BEC attacks.

Disclaimer: This account is based on a real-life case investigated by the authorities. While the events and figures described are factual, names have been changed to protect the privacy of the individuals involved.