Business Email Compromise and You
By: Barbara Ewoenam Afua Kukah
The COVID-19 pandemic aside, one of the most shocking events of the year 2020 was the arrest of Nigerian social media personality and influencer, Ramon Abbas, popularly known as Hushpuppi. On 29th July 2021, Forbes reported that Abbas had pleaded guilty in a Californian court to money laundering and other business email schemes that cost his victims nearly 24 million USD. Reporting on the activities and series of events that led to the case of United States of America v. Ramon Olorunwa Abbas, Bloomberg writer Evan Ratcliffe writes that Hushpuppi engaged in activities known as “business email compromise” or BEC attacks.
What Is Business Email Compromise
What is business email compromise and how can it affect your company? Business email compromise (BEC) has been defined as a type of email cyber-crime scam in which an attacker targets a business to defraud the company. Crane Hassold, the senior director of threat research at the cyberdefense company Agari Data Inc. and a former FBI analyst, defines a BEC as “a response-based impersonation attack that’s requesting something of value”. The United States Federal Bureau of Investigation (FBI) states: “business email compromise (BEC) – also known as email account compromise (EAC) – is one of the most financially damaging online crimes. It exploits the fact that so many of us rely on email to conduct business – both personal and professional. In a BEC scam, criminals send an email message that appears to come from a known source making a legitimate request…”
The FBI defines five major types of BEC scams, namely:
- CEO fraud where the attackers position themselves as the CEO or executive of a company and send an email requesting a transfer of funds;
- Account compromise where an employee’s email is hacked and used to request payments to vendors;
- False invoice scheme in which scammers pose as suppliers and request payment of funds;
- Attorney impersonation where scammers pose as lawyers or legal representatives; and
- Data theft where HR employees are targeted for information about individuals within a company which is then leveraged for future attacks.
In all these types of scams, the accounts provided for the fund transfers are fraudulent accounts set up by the scammers for the purposes of receiving these illegally obtained funds. These monies are usually laundered and become difficult, if not impossible, to trace. Bloomberg writer Evan Ratcliffe, quoting Crane Hassold, reports as follows: “no matter the flavor, a BEC scam generally begins with someone hacking into a corporate email account often using social engineering tactics like phishing. Once inside, the perpetrators don’t steal anything, not at first. Instead, they quietly begin forwarding copies of incoming and outgoing email to themselves. Then they wait. ‘They watch it for a number of weeks or months, looking for details of certain payments that are going out, understanding who their customers are, looking at communication patterns,’ Hassold says. When they spot an invoice coming in or going out, they ‘use that intelligence to insert themselves into an actual payment that is supposed to be due.’”
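The quiet forwarding step described above is something a mail administrator can look for. The following is an added example, not part of the original article: it audits an export of mailbox rules and reports any rule that forwards mail outside the organisation. The rule field names, the domains and the sample records are assumptions constructed for illustration.

```python
from email.utils import getaddresses

# Assumption: domains the organisation owns (constructed for this example).
INTERNAL_DOMAINS = {"example-corp.test"}

# Constructed sample of exported mailbox rules; the field names are hypothetical.
SAMPLE_RULES = [
    {"mailbox": "accounts@example-corp.test", "rule": "Archive invoices",
     "forward_to": "Finance Archive <archive@example-corp.test>"},
    {"mailbox": "accounts@example-corp.test", "rule": ".",
     "forward_to": "archive@example-corp.test, a.n.other@mailbox-provider.test"},
    {"mailbox": "ceo@example-corp.test", "rule": "Team copy",
     "forward_to": "pa@uk.example-corp.test"},
    {"mailbox": "hr@example-corp.test", "rule": "Move newsletters",
     "forward_to": ""},
]

def is_internal(domain, internal_domains=INTERNAL_DOMAINS):
    """True if domain is an owned domain or a subdomain of one."""
    domain = domain.lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in internal_domains)

def external_forwards(rules, internal_domains=INTERNAL_DOMAINS):
    """Return (mailbox, rule name, recipient) for every external forward target."""
    findings = []
    for rule in rules:
        # A rule may list several recipients; check each one separately.
        for _name, addr in getaddresses([rule.get("forward_to", "")]):
            if "@" not in addr:
                continue  # rule does not forward anywhere
            domain = addr.rsplit("@", 1)[1]
            if not is_internal(domain, internal_domains):
                findings.append((rule["mailbox"], rule["rule"], addr.lower()))
    return findings

if __name__ == "__main__":
    for mailbox, name, target in external_forwards(SAMPLE_RULES):
        print(f"REVIEW: {mailbox} rule {name!r} forwards to {target}")
```
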
Cybercrime in Ghana
Although BEC scams have become increasingly common worldwide, they are yet to be commonplace in Ghana. However, Ghana faces other forms of cyber-crime commonly known as 419 and sakawa. They include real estate scams, identity fraud, fake gold dealers, blackmail, and hacking.
In response to the growing spate of cybercrime incidents, the Parliament of Ghana passed the Electronic Transactions Act 2008 (Act 772) to, among others, promote legal certainty and confidence in electronic communications and transactions, and develop a safe, secure and effective environment for the consumer, business and the Government to conduct and use electronic transactions.
Section 122 provides that:
“A person who without authority, in the course of an electronic fund transfer, uses the personal or financial record or credit account numbers or electronic payment medium of another with intent to defraud an issuer or a creditor or who obtains money, goods, services, or anything fraudulently, commits an offence and is liable on summary conviction to a fine of not more than five thousand penalty units or to a term of imprisonment of not more than ten years or to both.”
The Act in section 124 also penalises persons who intentionally access or intercept an electronic record without authority or permission.
In addition to passing Act 772, the Ghanaian parliament has also passed legislation specific to cybercrime, including the National Information Technology Agency Act, 2008 (Act 771) and the Data Protection Act, 2012 (Act 843). The latest of these is the Cybersecurity Act, 2020 (Act 1038). These statutes, in addition to the Criminal Offences Act, 1960 (Act 29) have provided a broader framework for preventing, detecting and prosecuting incidents of cybercrime, including BEC scams.
Detecting, Tracing, and Recovering Stolen Assets
In spite of legislation outlawing these acts, BEC scams and other forms of cybercrime are notoriously difficult to detect due to their nature. Regarding Ramon Abbas’ case, Bloomberg reports: “successful BEC scams, such as the ones Alaumary and Abbas stand accused of, always come off like a magic trick. Phil in accounting – or K.C the paralegal, in the Abbas case – receives an invoice, logs in to a payment system, and sends off what appears to be a routine payment. Then – poof! – the money is gone, having seemingly evaporated en route to its intended destination.”
The sophistication and technological advancement of these crimes mean that, even if detected, they are difficult to prove and thus to prosecute. Tracing stolen sums thus often becomes an exercise in futility, with businesses having to shoulder enormous losses. Indeed, a report by McAfee and the Center for Strategic and International Studies (CSIS) shows that global losses from cyber-attacks reached almost 1 trillion USD in the year 2020.
Even in situations where the crime is detected and traced, the grim reality is that recovering stolen funds is difficult and most businesses and individuals have no choice but to simply move on and rebuild. However, where these perpetrators are caught, aside from punishing the offenders under the above-mentioned laws, Ghana’s Criminal and Other Offences Procedure Act, 1960 (Act 30) provides relief to the victims. Act 30 in section 146 provides that “Where any person is convicted of having stolen or having obtained any property fraudulently or by false pretences, the Court convicting him may order that the property or a part thereof be restored to the person who appears to it to be entitled thereto.” Thus, a person may be able to recover the stolen funds without having to commence a separate civil action to recover them.
The Case of Ecobank Nigeria Plc v. Hiss Hands Housing Agency and Another [2017-2018] 1 SCGLR 355
The Ghanaian courts had the opportunity of deciding on a similar matter in the case of Ecobank Nigeria Plc v. Hiss Hands Housing. In this case, Ecobank Nigeria, desirous of expanding its operations in Chad, opened an account with a bank named BCC in Chad with an amount of USD 6 million. Sometime later it discovered that an amount of USD 2,368,725.01 had been transferred from its BCC account into the account of Hiss Hands Housing Agency (the 1st Defendant) with the Takoradi (Ghana) branch of Intercontinental Bank (later Access Bank). Ecobank Nigeria thus sued both the 1st Defendant and the bank to recover the funds. The 1st Defendant in its defence stated that it had received the money from a business partner which had been introduced to it by a friend. The issues which the trial court considered included the following:
- whether or not the sum in question which was transferred into 1st Defendant’s account originated from Plaintiff’s BCC account,
- whether the transfer was done with Plaintiff’s consent and authorisation,
- whether the transfer was procured by fraud,
- whether the 1st Defendant had any reasonable expectation to receive the said sum, and
- whether the 1st Defendant received the money from its business partner in Chad.
The Plaintiff lost at both the trial court and the Court of Appeal, with both courts stating that it had failed to prove fraud, as it did not particularise fraud in its pleadings. The Court of Appeal also held that the failure to call an official of BCC to testify on its behalf was fatal to its cause. On appeal to the Supreme Court of Ghana however, the tide turned and judgement was given in its favour. Gbadegbe JSC who gave the judgement of the court held as follows:
- Although the rule requiring fraud to be particularised in pleadings is couched in mandatory language, where a party does not plead fraud and there is no objection by the other party, the Court cannot shut its eye to any evidence led in support of fraud but must take it into account in deciding the matter.
- Fraud at common law aside, the Plaintiff’s case was to the effect that the transfer of the disputed amount was done improperly, dishonourably, and in a manner that was contrary to good conscience. Fraud in this context is broader than fraud at common law and need not involve moral turpitude.
- The evidence overwhelmingly shows that the money transferred into the 1st Defendant’s account was paid out of Ecobank Nigeria’s account with BCC through fraudulent means.
- The 1st Defendant having been unjustly enriched by funds that came from the Plaintiff, the Plaintiff is entitled to a restitution of the funds although the court has not made a finding of theft.
The import of this case is that even though the Plaintiff and the 1st Defendant never had a direct relationship or interaction and hence the 1st Defendant could not be accused of theft or defrauding the Plaintiff by false pretences, as long as the 1st Defendant had somehow unjustly received the Plaintiff’s funds without the Plaintiff’s knowledge and consent, the 1st Defendant would be ordered to refund the funds to the Plaintiff.
This decision is very laudable in that it provides justice for those forms of cybercrime, like BEC scams, where the perpetrators often never have any form of contact with the victim, and where it would otherwise be very difficult for victims to prove how the crime was perpetrated. As long as it can be proven that money belonging to the victim has somehow fraudulently found its way to the perpetrator, the Ghanaian courts have shown their willingness to aid victims.
How To Protect Yourself and Your Business
Attackers may strike in various ways, such as sending phishing emails asking you to update your password and security details. These are a few protective measures suggested by experts that you can use to protect yourself and your business:
- Set up multi-factor (or two-factor) authentication. This is an authentication method that requires you to provide two or more forms of verification before giving you access to your account. It may take the form of a combination of one-time passwords (OTP), authorisation from your phone before using the application on your laptop, thumbprints or face recognition, or answers to personal questions, among others.
- Use strong and complex passwords involving numbers, upper and lower case letters, and special characters (e.g. *, -, _, @). If you’re worried about forgetting your passwords, use a password manager to store them.
- Train your employees on what to look out for in dangerous emails and do frequent tests.
- Establish company-wide protocols and procedures on what kind of information is sent out over email and phone calls. For instance, will requests for payment be sent via email only, or will they require an additional confirmation via phone call?
- Verify requests for information where possible.
- Have multiple people sign off on high value transfers.
- Look for minor changes in email addresses. Most phishing emails look almost exactly like genuine ones. However, watch for telltale signs like one letter missing, an extra letter, or the number 1 instead of the lower case letter l.
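The last check in the list can be automated at the mail gateway or in a triage script. This is an added example, not part of the original article: it compares a sender's domain against the domains you actually do business with and flags near misses such as a missing letter, an extra letter, or a digit standing in for a letter. The trusted domains and sample addresses are constructed assumptions.

```python
from email.utils import parseaddr

# Assumption: domains you genuinely do business with (constructed).
TRUSTED_DOMAINS = {"example-corp.test", "globalsupplier.test"}

# Digit-for-letter swaps, such as the "1 for l" trick in the list above.
LOOKALIKE_CHARS = str.maketrans({"1": "l", "0": "o", "5": "s"})

def edit_distance(a, b):
    """Levenshtein distance: single-character inserts, deletes, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def classify_sender(from_header, trusted=TRUSTED_DOMAINS):
    """Return (verdict, matched_domain); verdict is trusted, lookalike or unknown."""
    addr = parseaddr(from_header)[1].lower()
    if "@" not in addr:
        return ("unknown", None)
    domain = addr.rsplit("@", 1)[1]
    if domain in trusted:
        return ("trusted", domain)
    folded = domain.translate(LOOKALIKE_CHARS)
    for good in sorted(trusted):
        good_folded = good.translate(LOOKALIKE_CHARS)
        # Equal after folding: digit swap. Distance 1: missing or extra letter.
        if folded == good_folded or edit_distance(folded, good_folded) <= 1:
            return ("lookalike", good)
    return ("unknown", None)

if __name__ == "__main__":
    for sender in ["Accounts <billing@globalsupplier.test>",
                   "Accounts <billing@globalsuplier.test>",
                   "Accounts <billing@g1oba1supplier.test>"]:
        print(sender, "->", classify_sender(sender))
```

A "lookalike" verdict is a reason to hold the message and confirm the request through a known phone number, not proof of fraud on its own.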
While it is true that cyber-crimes such as BEC scams continue to increase in frequency and sophistication, your business can continue to grow by educating yourself and your employees on the nature of these crimes and by implementing the protective measures outlined in this article. Should such perpetrators be caught, there is assurance in knowing that Ghana’s legal framework and justice system are prepared to aid victims and ensure that such people are brought to book.