By now, we’ve all heard the story from someone close to us who has been duped into making a payment to a fraudsters bank account, usually as a result of email spoofing. The payment could be anything from the settlement of your plumber’s recent invoice, to the purchase of a motor car or payment in respect of a property transaction.

This fraud is the consequence of email account compromise (EAC) also known as business email compromise (BEC). Simply put, either the recipient or sender email account has been accessed by cybercriminals, who then carefully monitor the correspondence running through the account for indications of an invoice or transaction in progress that they can prey upon.

But how do these criminals gain access to our email accounts?

You will no doubt be aware of the many emails in circulation that attempt to entice the reader to click on a link or to open an attachment (often under the guise of a proof of payment or a SARS refund). If the unwitting recipient falls into this trap, cyber-fraudsters can gain access to their email account, and so “hide” in the inbox of their victim like a ghost in the machine, waiting to strike. The obvious way for the cybercriminals to profit from this action is to manipulate the banking details in an invoice or payment request.

Unfortunately, the South African banking system does not match account names with account numbers. So, where a payment is destined for Frank Holland & Associates, the account number is the critical item: in other words, despite the Account Holder being completed as Frank Holland & Associates, if the account number is not that of the payee, the payment will still be processed by the bank, and your funds can be diverted to a fraudsters bank account in this manner.

It is therefore vital that you, as the person making payment, verify the account number of the recipient before actioning any payment. This should be done telephonically, with the offices of the recipient. Another sound practice is to make a test payment (of say R100) and to verify that this payment has been received by the intended recipient. 

The purpose of this article is not to discourage electronic banking or the reliance upon electronic communications in business, but rather to raise awareness around the way in which EAC/BEC can manifest and the consequences it can give rise to. As a society, we need to appreciate that email communications are not always secure and that when making any payment, it is our responsibility to verify that the banking details that we have received are indeed those to which our payment is to be made.

FHA has listed as a public/predefined beneficiary with First National Bank (FNB), and is in the process of doing the same with the other major banks in South Africa.  

Cyber threats undermine efforts at building our economy, which is something that South Africa can ill-afford. As the first and last lines of defence, society can become the country’s greatest asset in the fight against cybercriminals.


  • On May 26, 2023
  • 0 Comment