Business Email Compromise (BEC) in South Africa

How Cybercriminals Hijack Payments and What You Can Do

Business Email Compromise (BEC) has rapidly become one of the most financially devastating cybercrimes affecting companies in South Africa. Unlike traditional hacking attacks that rely on brute force or malware, BEC is calculated, patient, and highly deceptive. It targets trust—specifically the trust between businesses, clients, suppliers, and finance teams.

All businesses must evolve their payment verification processes. It is essential that, before making any payment to a supplier or service provider, you contact them using their official, independently verified number and request verbal confirmation of their banking details. This should be a non-negotiable internal control enforced across the organisation. When consistently applied, this simple step serves as one of the most effective safeguards against payment redirection fraud.

Business Email Compromise accounts for 40% of reported cyber incidents in South Africa. It is consistently ranked among the top 3 cyber threats by 38%.

Royal Investigations (Pty) Ltd is ranked among the leading corporate investigation firms in South Africa, with extensive experience in handling Business Email Compromise (BEC) matters. Over the years, we have witnessed firsthand how these attacks can cripple businesses financially and operationally.

When conducting risk assessments for organisations, strengthening payment verification processes and email security is often one of the first critical areas we address. In many cases, BEC incidents may initially appear to be an “inside job,” leading suspicion toward account managers or senior executives. However, this is rarely the case. The real vulnerability typically lies in inadequate internal controls and insufficient cybersecurity measures that fail to prevent unauthorized access and fraud.

What is Business Email Compromise (BEC)?

BEC is a form of cyber fraud where criminals gain unauthorized access to a business email account and use it to manipulate financial transactions. The goal is simple: intercept legitimate payments and redirect them into fraudulent bank accounts controlled by the criminals.

These attacks are not random. They are targeted, researched, and often executed over weeks or even months.

Alarming Rise of BEC in South Africa

South Africa has become a hotspot for BEC-related fraud due to a combination of high digital adoption and gaps in cybersecurity awareness.

Key Statistics:

  • According to global cybercrime reports, BEC scams have caused over $50 billion in losses worldwide over the past decade.
  • South African banks report hundreds of millions of rand lost annually to email compromise and invoice fraud.
  • BEC attacks account for one of the highest-value cybercrime losses per incident, often exceeding R500,000 to several million rand per case.
  • A significant percentage of victims are SMEs, who often lack advanced cybersecurity controls.

How Cybercriminals Intercept and Manipulate Invoices

1. Gaining Access to Your Email System

Cybercriminals infiltrate your email account through:

  • Phishing emails (fake login pages)
  • Weak or reused passwords
  • Malware or keyloggers
  • Data breaches from other platforms

Once inside, they do not act immediately.

2. Lurking in the Background

Criminals silently monitor your email activity:

  • They study communication patterns
  • Identify key stakeholders (finance teams, suppliers, directors)
  • Track invoices, payment cycles, and large transactions

They may remain undetected for weeks, waiting for the perfect opportunity.

3. Intercepting Payment Opportunities

Once a high-value transaction is identified, the criminals:

  • Clone or slightly alter legitimate email threads
  • Create nearly identical email addresses (e.g., replacing “.co.za” with “.com”)
  • Intercept invoices and change the banking details

The victim receives what appears to be a legitimate request—and makes the payment.
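A check a finance or mail-security team can run on the sender of any message that carries banking details, shown here as an added example that is not part of the original article. The trusted supplier domain, the sample addresses and the short suffix list are constructed assumptions.

```python
# Added example. TRUSTED and the sample addresses are constructed; in practice
# the trusted set would come from the vendor master file.
from email.utils import parseaddr

TRUSTED = {"examplesupplier.co.za"}

# Multi-label suffixes known to this sketch (assumption: production code
# would consult the full Public Suffix List instead).
MULTI_SUFFIXES = ("co.za", "org.za", "net.za", "co.uk", "com.au")

def split_domain(domain):
    """Split a domain into (registrable label, public suffix)."""
    domain = domain.lower().rstrip(".")
    for suffix in MULTI_SUFFIXES:
        if domain.endswith("." + suffix):
            return domain[: -len(suffix) - 1].split(".")[-1], suffix
    parts = domain.split(".")
    return (parts[-2] if len(parts) > 1 else parts[0]), parts[-1]

def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header, trusted=TRUSTED):
    """Return 'trusted', 'suffix-swap:<domain>', 'near-match:<domain>' or 'unknown'."""
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    if domain in trusted:
        return "trusted"
    label, suffix = split_domain(domain)
    for known in sorted(trusted):
        k_label, k_suffix = split_domain(known)
        if label == k_label and suffix != k_suffix:
            return f"suffix-swap:{known}"      # e.g. .co.za replaced with .com
        if len(k_label) >= 6 and 0 < edit_distance(label, k_label) <= 2:
            return f"near-match:{known}"       # one or two characters altered
    return "unknown"

if __name__ == "__main__":
    for sender in ("Accounts <accounts@examplesupplier.co.za>",
                   "Accounts <accounts@examplesupplier.com>",
                   "accounts@examplesuppller.co.za"):
        print(sender, "->", classify_sender(sender))
```

A "trusted" result only means the domain matches. A message sent from a compromised genuine mailbox passes this check, so the telephone verification of banking details still applies.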

4. Redirecting Funds

Once the payment is made, the funds are:

  • Transferred into mule accounts (often opened using stolen or recruited identities)
  • Rapidly moved across multiple accounts
  • Withdrawn or converted into cryptocurrency within hours

By the time the fraud is detected, the money is often already dispersed.

The Role of Organized Crime

Many of these scams are not isolated incidents but are linked to organized cybercrime syndicates. One such group frequently associated with BEC and financial fraud is:

Black Axe, a notorious Nigerian transnational criminal syndicate involved in 419 romance scams, inheritance scams and business email compromise scams.

This group operates globally and is known for:

  • Advanced social engineering tactics
  • Large-scale financial fraud operations
  • Coordinated international money laundering networks

Their involvement highlights the sophistication and scale of BEC attacks.


Why 2FA is Non-Negotiable

Every business owner must implement Two-Factor Authentication (2FA).

Why it matters:

  • Even if your password is stolen, access is blocked without the second factor
  • Prevents unauthorized logins from unknown devices or locations
  • Significantly reduces the risk of email compromise

Without 2FA, your email system is essentially one stolen password away from disaster.

How Investigators Trace BEC Fraud

1. Email Forensic Analysis

  • Examine email headers
  • Identify spoofed domains and routing paths
  • Detect manipulation within communication threads

2. Backend Log Analysis

  • Analyse login activity (IP addresses, geolocation, timestamps)
  • Identify unauthorized access points
  • Track how long the attacker was inside the system

3. Banking Trail Investigation

  • Trace recipient bank accounts
  • Identify account holders (often mules)
  • Follow fund movement across institutions

4. Pattern Recognition

  • Link cases to known syndicates
  • Identify recurring tactics used by organized groups
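
The backend log analysis step above, worked through on a small mailbox sign-in export. This is an added example, not the firm's own tooling: the log rows, the baseline and the column names are constructed assumptions rather than the export format of any particular mail platform.

```python
# Added example. SAMPLE_LOG and BASELINE are constructed data; the column names
# are assumptions, not the export format of any particular mail platform.
import csv
import io
from collections import Counter
from datetime import datetime

SAMPLE_LOG = """timestamp,user,ip,country,result
2024-03-01T07:58:11,finance@victim.example,198.51.100.10,ZA,success
2024-03-04T02:14:37,finance@victim.example,203.0.113.77,NL,failure
2024-03-04T02:15:02,finance@victim.example,203.0.113.77,NL,success
2024-03-11T23:40:19,finance@victim.example,203.0.113.77,NL,success
2024-03-12T08:03:45,finance@victim.example,198.51.100.24,ZA,success
2024-03-25T01:22:08,finance@victim.example,203.0.113.90,NL,success
"""

# What "normal" looked like for each mailbox before the incident window.
BASELINE = {"finance@victim.example": {"countries": {"ZA"}, "ips": {"198.51.100.10"}}}

def out_of_baseline(log_text, baseline):
    """Successful sign-ins whose IP and country are both new for the user."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        known = baseline.get(row["user"], {"countries": set(), "ips": set()})
        if row["result"] != "success":
            continue  # failed attempts never opened the mailbox
        if row["ip"] in known["ips"] or row["country"] in known["countries"]:
            continue
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        hits.append(row)
    return sorted(hits, key=lambda r: r["timestamp"])

def access_window(hits):
    """(first seen, last seen, dwell time) of the flagged sign-ins, or None."""
    if not hits:
        return None
    first, last = hits[0]["timestamp"], hits[-1]["timestamp"]
    return first, last, last - first

def sessions_per_ip(hits):
    """Count flagged sign-ins per source IP, to scope requests to providers."""
    return Counter(row["ip"] for row in hits)

if __name__ == "__main__":
    flagged = out_of_baseline(SAMPLE_LOG, BASELINE)
    first, last, dwell = access_window(flagged)
    print(f"first={first} last={last} dwell={dwell}")
    print(dict(sessions_per_ip(flagged)))
```

The first flagged sign-in bounds which emails and invoices must be treated as exposed. Every message sent or received after that timestamp falls inside the review scope.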

How Royal Investigations Can Assist

Royal Investigations (Pty) Ltd specializes in complex financial and cyber investigations.

Their services include:

  • Digital forensic investigations
  • Email compromise analysis
  • Bank account tracing and profiling
  • Evidence collection for legal proceedings
  • Coordination with financial institutions and law enforcement

Their experience in fraud, cybercrime, and surveillance gives them a strategic advantage in uncovering the full scope of BEC attacks.

What To Do If You Become a Victim

1. Stop Using the Compromised Email

  • Do not send or trust any emails from the affected account
  • Treat all communications as compromised

2. Alert the Paying Party Immediately

  • Instruct them to contact their bank
  • Attempt to freeze or recall the transaction
  • Time is critical—delays reduce recovery chances

3. Engage a Corporate Private Investigator

  • Initiate a professional investigation immediately
  • Preserve evidence and analyse breach points
  • Begin tracing suspects and financial flows

Final Thoughts

BEC is not just a cyber issue—it is a business risk, a financial threat, and a reputational hazard. The sophistication of these scams means that even well-run companies can fall victim.

The key to protection lies in:

  • Strong cybersecurity practices (especially 2FA)
  • Staff awareness and training
  • Vigilant verification of banking detail changes
  • Immediate response when something seems off

And when prevention fails, having the right investigative partner can make the difference between total loss and partial recovery.

Frequently Asked Questions (FAQs): Business Email Compromise (BEC) in South Africa

  1. What is Business Email Compromise (BEC)?

Business Email Compromise (BEC) is a type of cyber fraud where criminals gain unauthorized access to a business email account and use it to manipulate legitimate financial transactions. Their primary objective is to intercept payments and redirect funds into fraudulent bank accounts under their control.

  2. Why is BEC so prevalent in South Africa?

South Africa has seen a sharp rise in BEC incidents due to increased digital communication, reliance on email for financial transactions, and gaps in cybersecurity practices. With BEC accounting for approximately 40% of reported cyber incidents, it has become one of the most dominant cyber threats facing local businesses.

  3. How do cybercriminals gain access to business email accounts?

Cybercriminals typically gain access through:

  • Phishing emails designed to steal login credentials
  • Weak or reused passwords
  • Malware or keylogging software
  • Data breaches from other platforms

Once access is obtained, they silently monitor communications until an opportunity arises.

  4. How do criminals manipulate invoices and payments?

After gaining access, attackers monitor email conversations and identify upcoming payments. They then:

  • Alter banking details on legitimate invoices
  • Impersonate suppliers or executives
  • Send fraudulent payment instructions

Because the emails appear legitimate, victims unknowingly transfer funds to fraudulent accounts.

  5. What are the warning signs of a BEC attack?

Common red flags include:

  • Sudden changes in banking details
  • Urgent or last-minute payment requests
  • Slight changes in email addresses (e.g., .com instead of .co.za)
  • Requests to bypass normal verification procedures

Any deviation from standard processes should be treated with suspicion.

  6. Why is verbal confirmation of banking details so important?

Verifying banking details telephonically using an independently confirmed contact number is one of the most effective ways to prevent BEC. This simple step ensures that even if emails are compromised, fraudulent payment instructions can be detected before funds are transferred.

  7. How does Two-Factor Authentication (2FA) help prevent BEC?

Two-Factor Authentication (2FA) adds an extra layer of security by requiring a second form of verification beyond just a password. Even if criminals obtain login credentials, they cannot access the account without the second authentication factor, significantly reducing the risk of compromise.

  8. Who is behind these types of scams?

Many BEC scams are linked to organized cybercrime syndicates such as Black Axe. These groups operate globally and specialize in sophisticated fraud schemes, including BEC, romance scams, and large-scale financial crimes.

  9. Can stolen funds be recovered after a BEC attack?

Recovery is possible, but it depends on how quickly action is taken. If the fraud is reported immediately, banks may be able to freeze the funds before they are moved. However, criminals often transfer money rapidly across multiple accounts, making recovery increasingly difficult as time passes.

  10. How can Royal Investigations (Pty) Ltd assist in BEC cases?

Royal Investigations provides specialized support in BEC matters through:

  • Email forensic analysis
  • IP and backend log investigations
  • Bank account tracing and suspect identification
  • Evidence collection for legal proceedings
  • Coordination with financial institutions and law enforcement

Their expertise enables businesses to understand how the breach occurred, trace the perpetrators, and take the necessary legal and recovery steps.