Business Email Compromise (BEC): A Growing Threat in Nigeria
Business Email Compromise (BEC) is one of the fastest-growing cybercrimes in Nigeria — and worldwide. Unlike flashy hack attacks, BEC is quiet, patient, and devastatingly effective.
What Is BEC?
BEC is a scam where fraudsters impersonate executives, vendors, or business partners via email to trick employees into wiring money or revealing sensitive information.
How It Works
1. Reconnaissance
Scammers research the target company. They identify:
- The CEO, CFO, or procurement head
- Vendors and suppliers
- Payment processes and approval workflows
- Writing style and vocabulary used in internal emails
2. Impersonation
They create an email address on a lookalike domain, so it appears almost identical to a real one:
- Real: ceo@yourcompany.com
- Fake: ceo@yourcompany.co or ceo@your-company.com
3. The Request
They email a junior employee, urgently requesting a wire transfer:
"I'm in a meeting and can't talk. We need to process an urgent payment of ₦5M to our new supplier. Here are the account details. Keep this confidential until announcement."
4. The Transfer
Under pressure and believing the email is real, the employee sends the money. By the time the mistake is discovered, the funds are gone.
Common BEC Variants
- CEO Fraud: Scammer impersonates the CEO asking for urgent transfers
- Vendor Email Compromise: Scammer hacks a real vendor's email and sends fake invoices
- Payroll Diversion: Scammer impersonates an employee requesting to change bank details
- Attorney Impersonation: Scammer poses as a lawyer handling a "confidential" deal
Red Flags
- Unusual urgency — "This must be done today"
- Confidentiality requests — "Don't discuss with anyone"
- Changes to bank details just before payment
- Slight email address differences
- Writing style mismatches (a CEO who suddenly uses "kindly" or broken English)
- Unusual payment destinations (overseas accounts, cryptocurrency)
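Two of these red flags, lookalike sender domains and pressure wording, can be checked automatically. The sketch below is an added example, not part of the original article; the trusted domain, the phrase list, the distance threshold and the sample messages are assumptions constructed for illustration.

```python
# Added example: flag lookalike sender domains and pressure wording (BEC red flags).
TRUSTED = {"yourcompany.com"}  # assumption: the organisation's real mail domain(s)
PRESSURE = ("urgent", "confidential", "can't talk", "must be done today",
            "don't discuss")  # assumption: phrases drawn from the article's examples

def edit_distance(a, b):
    """Levenshtein distance using two rolling rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None."""
    domain = domain.lower().rstrip(".")
    if domain in TRUSTED:
        return None
    for real in TRUSTED:
        if domain.replace("-", "") == real.replace("-", ""):  # your-company.com
            return real
        if domain.split(".")[0] == real.split(".")[0]:        # yourcompany.co
            return real
        if edit_distance(domain, real) <= 2:                  # yourcompnay.com
            return real
    return None

def bec_flags(sender, body):
    """List the red flags found in one message (bare sender address expected)."""
    domain = sender.strip("<> ").rsplit("@", 1)[-1]
    flags = []
    real = lookalike_of(domain)
    if real:
        flags.append(f"lookalike-domain:{domain}->{real}")
    text = body.lower().replace("\u2019", "'")  # normalise curly apostrophes
    flags += [f"pressure:{p}" for p in PRESSURE if p in text]
    return flags

# Constructed samples (sender, body); the second body follows the article's example.
SAMPLES = [
    ("ceo@yourcompany.com", "Please review the attached Q3 report before Friday."),
    ("ceo@yourcompany.co", "I'm in a meeting and can't talk. We need to process an urgent "
     "payment of ₦5M to our new supplier. Keep this confidential until announcement."),
    ("ceo@your-company.com", "Kindly update the supplier bank details."),
]

if __name__ == "__main__":
    for sender, body in SAMPLES:
        print(sender, bec_flags(sender, body) or "no flags")
```

The distance threshold of 2 is a starting point; short domains need a tighter threshold to avoid false positives.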
How to Protect Your Business
1. Verify Verbally
Before any wire transfer, call the requester on their known phone number. Not the one in the email — their actual number.
2. Use Multi-Factor Authentication
Enable MFA on all company email accounts. This makes it much harder for an attacker to take over a mailbox with a stolen password.
3. Implement Payment Policies
Require two signatories for all transfers above a threshold. No exceptions.
4. Train Your Staff
Every employee should know what BEC is and how it works. Regular training is essential.
5. Domain Protection
Register similar domain names (e.g., yourcompany.co, yourcompany.ng) so that scammers cannot use them for lookalike addresses.
6. Email Authentication
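Implement SPF, DKIM, and DMARC on your domain so that receiving mail servers can block emails that spoof your exact domain. These controls do not stop mail sent from a lookalike domain or from a compromised real account, so verbal verification is still needed.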
If You've Been Hit
Act fast:
- Call your bank immediately — transfers can sometimes be reversed within hours
- Call the receiving bank — they may freeze the account
- File a report with the EFCC Cybercrime Unit
- Contact your insurance provider if you have cyber insurance
- Preserve all evidence — emails, headers, screenshots
The Bottom Line
BEC scams succeed by exploiting trust and urgency. Building a culture of verification — where even the CEO welcomes being questioned — is the strongest defense.
No payment is too urgent to verify. Ever.
Written by
NigeriaPhoneBook Team
Contributor at NigeriaPhoneBook. Writing about scam awareness, digital safety, and protecting consumers from fraud.



