Business Email Compromise: The Attack Costing Nigerian Businesses Billions
Business Email Compromise is not a sophisticated technical attack. It is a social engineering attack that succeeds because legitimate business processes rely on email communication for authorising large payments, and that reliance creates an exploitable attack surface.
Disclaimer
This article is for educational purposes only and does not constitute legal, financial, or professional advice. Compliance requirements vary by industry and jurisdiction. Consult a qualified professional for guidance specific to your organisation. Information was accurate at the time of writing; verify current regulations with the relevant authorities.
The Nigerian Financial Intelligence Unit (NFIU)² and the Economic and Financial Crimes Commission (EFCC)³ both document Business Email Compromise as one of the highest-value fraud categories operating in Nigeria. The global FBI IC3 annual report¹ has historically ranked BEC among the highest-dollar-loss cyber crime categories globally. Although investment fraud surpassed it in the 2023 report, BEC remains a dominant threat category, ahead of ransomware and data breaches, driven by email-based payment fraud.
The reason BEC is so financially damaging: unlike most cyber attacks that target technical vulnerabilities, BEC targets human decision-making. The attack does not break into your systems. It impersonates a trusted party and asks someone with payment authority to transfer money to the attacker's account.
The success rate when BEC is executed competently against a Nigerian business is uncomfortably high because the attack exploits communication patterns that are genuinely how Nigerian B2B business works: most significant financial decisions involve email as either the instruction or the confirmation channel.
How BEC Attacks Work
Attack Variant 1: Supplier Impersonation
The attacker compromises or spoofs a supplier's email domain and sends an email from an address that looks like accounts@supplier-company.com (where the actual domain might be supplier-cornpany.com; note the m/rn substitution). The email informs you that the supplier's bank account has changed and requests that future payments go to a new account.
Your accounts payable team, following the email instruction, pays the next invoice to the new account. The money goes to the attacker.
Why it works: Payment instruction emails are common. Account change requests happen legitimately. The email looks genuine because it matches the supplier's communication style (the attacker has often studied existing email conversation).
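The m/rn substitution above is the kind of thing a human eye misses and a gateway rule catches. The following is an added example, not code from the article: it screens the From: domain of an inbound payment email against the supplier domains already on file, treating visually confusable sequences as equal and flagging near-misses. The supplier list, the confusable pairs and the sample headers are constructed for illustration.

```python
# Added example, not code from the article: screen the From: domain of an
# inbound payment email against the suppliers you actually pay. The supplier
# list, confusable pairs and sample headers below are constructed.
from email.utils import parseaddr

# Constructed allow-list: domains of suppliers already on file in accounts payable.
KNOWN_SUPPLIER_DOMAINS = {"supplier-company.com", "lagosboats.ng", "acme-drilling.com"}

# Character sequences that look alike in common fonts (the article's rn/m case included).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalise(domain: str) -> str:
    """Collapse visually confusable sequences so look-alike domains compare equal."""
    d = domain.lower().strip().rstrip(".")
    for lookalike, canonical in CONFUSABLES:
        d = d.replace(lookalike, canonical)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one- or two-character edits such as a dropped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header_from: str) -> str:
    """Domain part of a From: header value, or '' if no address can be parsed."""
    _, addr = parseaddr(header_from)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify_sender(header_from: str, known=KNOWN_SUPPLIER_DOMAINS):
    """Return (verdict, matched_known_domain).

    'known'      : exact match with a supplier on file
    'lookalike'  : visually or textually close to a supplier on file; hold for callback
    'unknown'    : no resemblance to any supplier on file
    'unparseable': no usable address in the header
    """
    dom = sender_domain(header_from)
    if not dom:
        return ("unparseable", None)
    if dom in known:
        return ("known", dom)
    norm = normalise(dom)
    for k in sorted(known):
        if norm == normalise(k) or edit_distance(dom, k) <= 2:
            return ("lookalike", k)
    return ("unknown", None)


if __name__ == "__main__":
    for hdr in ("Accounts <accounts@supplier-company.com>",
                "Accounts <accounts@supplier-cornpany.com>",
                "Finance <finance@supplier-company.co>",
                "Newsletter <news@example.org>"):
        print(hdr, "->", classify_sender(hdr))
```

A 'lookalike' verdict is a reason to route the message to the phone-verification step rather than to reject it outright: a supplier that changes its own domain will also trip this check, and the callback is what settles it.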
Attack Variant 2: CEO/Director Impersonation
The attacker spoofs or compromises the email of a senior executive and sends an email to the finance or treasury team requesting an urgent payment to a beneficiary, often with a business story that makes the urgency plausible ("we're closing an acquisition and need the deposit by end of business today; do not discuss this with anyone else pending the announcement").
The pressure creates a context where normal controls (verbal confirmation, payment approval process) are bypassed.
Why it works: Finance teams are accustomed to processing executive-directed payments. The instruction comes from an authoritative source. The urgency narrative creates pressure to act before verification.
Attack Variant 3: Email Account Compromise
The attacker actually gains access to a legitimate email account β through phishing for the password, through password reuse with a leaked credential, or through a malware infection on the user's device.
Once inside the email account, the attacker can monitor conversations, step in at the right moment in an ongoing transaction, and redirect payment instructions with full access to the email history and context.
This is the most dangerous variant because the emails are genuinely from the compromised account: no domain spoofing, no subtle email address difference. The only detection is knowing the real account was compromised.
Nigerian Industries with Elevated BEC Exposure
Real estate: Property transactions involving large one-time transfers are a prime BEC target. The purchase instruction ("transfer ₦45M to escrow account X for the completion of the Victoria Island property") has the characteristics of a legitimate transaction and the financial scale that justifies attacker effort. BEC targeting Nigerian property transactions has resulted in losses in the tens of millions.
Oil and gas: Large regular payments to suppliers (boat operators, equipment providers, tanker contractors) for consistent amounts. An attacker who has studied the payment schedule can time an account-change instruction to land before the next payment cycle.
Import and FMCG supply chain: Payments to foreign suppliers for imported goods. The complexity of international payment instructions (SWIFT codes, correspondent banks, foreign exchange) creates an environment where small detail changes (different correspondent bank routing) are plausible and hard to verify quickly.
Professional services: Law firm, accounting firm, and consulting firm clients who receive payment instructions from their advisors.
The Technical Controls
Email Authentication: SPF, DKIM, DMARC
These three DNS-based email authentication protocols, when properly configured, prevent domain spoofing: attackers sending emails that appear to come from your domain.
SPF (Sender Policy Framework): A DNS record that specifies which mail servers are authorised to send email from your domain. An email from a server not listed in your SPF record can be flagged as suspicious.
DKIM (DomainKeys Identified Mail): A cryptographic signature in outbound email, signed with a private key, verifiable by the recipient's mail server against the public key in your DNS. Proves the email was sent by a party with access to your private key and has not been tampered with in transit.
DMARC (Domain-based Message Authentication, Reporting and Conformance): A policy layer on top of SPF and DKIM that tells receiving mail servers what to do with emails that fail both SPF and DKIM: reject them, quarantine them, or allow them. DMARC also generates reports to the domain owner about emails claiming to be from their domain.
Implementing DMARC with a reject policy means that emails claiming to come from your-company.com that fail SPF and DKIM are rejected by the recipient's mail server before they reach the inbox. This prevents the most common domain spoofing attack.
Checking your current status: MxToolbox's DMARC lookup (https://mxtoolbox.com/dmarc.aspx) shows your current DMARC policy. If your DMARC is not set, or is set to p=none (monitoring only), you are not protected against domain spoofing.
DMARC for incoming email (anti-spoofing on supplier emails)
Your DMARC configuration prevents spoofing of your own domain. It does not prevent you from receiving spoofed emails that appear to come from your suppliers.
Email gateway filters that check DMARC alignment on incoming mail, and flag emails from senders who have not set up DMARC or who sent from an IP not in their SPF record, reduce the spoofing exposure on inbound email. Microsoft 365 and Google Workspace both provide this through their email security features, though configuration is required to activate full protection.
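The two sides of this section, grading your own DMARC record and judging an inbound message, can both be expressed in a few dozen lines. The following is an added example, not code from the article, DMARC.org or either mail platform: it parses a DMARC TXT record and grades the protection it gives, then parses an Authentication-Results header and decides whether the message is aligned with its From: domain. The TXT records and header are constructed, and org_domain() is a two-label simplification rather than a Public Suffix List lookup.

```python
# Added example, not code from the article or from DMARC.org: grade a domain's
# own DMARC record and check whether an inbound message is aligned with its
# From: domain. The TXT records and Authentication-Results header are constructed;
# org_domain() is a simplification (two labels) rather than a Public Suffix List lookup.
import re
from typing import Optional

# Constructed DNS TXT values, as returned by a lookup of _dmarc.<domain>.
SAMPLE_RECORDS = {
    "your-company.com": "v=DMARC1; p=none; rua=mailto:dmarc@your-company.com",
    "supplier-company.com": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:reports@supplier-company.com",
}


def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record into lower-cased tag -> value pairs."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def assess_dmarc(txt: Optional[str]) -> str:
    """Grade the anti-spoofing posture a domain publishes for itself."""
    if not txt:
        return "missing: no DMARC record, anyone can spoof this domain"
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return "invalid: record does not start with v=DMARC1"
    p = tags.get("p", "").lower()
    pct = int(tags.get("pct", "100"))
    if p == "none":
        return "monitor-only: p=none gives reports but no protection"
    if p not in ("quarantine", "reject"):
        return "invalid: unknown p= value"
    if pct < 100:
        return f"partial: p={p} applied to only {pct}% of failing mail"
    if p == "quarantine":
        return "partial: failing mail is quarantined, not rejected"
    return "protected: failing mail is rejected"


def org_domain(domain: str) -> str:
    """Simplified organisational domain (last two labels); real checks use the PSL."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def parse_auth_results(header: str) -> dict:
    """Extract the spf/dkim result and the domain each method authenticated."""
    found = {}
    pattern = r"\b(spf|dkim)=(\w+)[^;]*?(?:smtp\.mailfrom|header\.d)=([\w.-]+)"
    for m in re.finditer(pattern, header, re.IGNORECASE):
        found[m.group(1).lower()] = (m.group(2).lower(), m.group(3).lower())
    return found


def aligned(results: dict, method: str, from_domain: str) -> bool:
    """DMARC relaxed alignment: the authenticated domain shares the From: org domain."""
    result, ident = results.get(method, ("none", ""))
    return result == "pass" and bool(ident) and org_domain(ident) == org_domain(from_domain)


def inbound_verdict(auth_results: str, from_domain: str, sender_dmarc_txt: Optional[str]) -> str:
    """Decide how an inbound message should be treated at the gateway."""
    results = parse_auth_results(auth_results)
    if aligned(results, "spf", from_domain) or aligned(results, "dkim", from_domain):
        if sender_dmarc_txt:
            return "pass"
        return "pass-no-policy: authenticated, but the sender publishes no DMARC record"
    if not sender_dmarc_txt:
        return "fail-no-policy: unauthenticated and the sender publishes no DMARC record"
    p = parse_dmarc(sender_dmarc_txt).get("p", "none").lower()
    return f"fail: not aligned; sender policy is p={p}"


if __name__ == "__main__":
    print(assess_dmarc(SAMPLE_RECORDS["your-company.com"]))
    # Constructed header as your gateway would stamp it on a genuine supplier email.
    hdr = ("mx.your-company.com; spf=pass smtp.mailfrom=supplier-company.com; "
           "dkim=pass header.d=supplier-company.com")
    print(inbound_verdict(hdr, "supplier-company.com", SAMPLE_RECORDS["supplier-company.com"]))
```

Note what the inbound check does and does not catch: a message from supplier-cornpany.com whose SPF passes for supplier-cornpany.com is perfectly aligned and will return "pass-no-policy" at best. DMARC stops exact-domain spoofing; the look-alike domain and the compromised real account are caught only by the sender screening and the phone verification rule.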
Multi-Factor Authentication on Email Accounts
Account compromise BEC requires gaining access to an email account. MFA on all email accounts is the primary prevention control.
Microsoft 365: enable MFA in the admin centre; this requires an Authenticator app or SMS code for every login from a new device. Google Workspace: the same enforcement is available in the Admin console under Security > Authentication.
Conditional access policies: Further restrict email access to approved devices or approved geographic locations. A login to your CEO's email from a Nigerian IP is expected; a login from an IP in Eastern Europe at 3am should require additional verification.
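The logic behind that kind of step-up decision is simple enough to run yourself over an exported sign-in log, which is also how you would tune the thresholds before enforcing them as a conditional access policy. The following is an added example, not code from the article or from Microsoft or Google: it applies three checks to each sign-in (travel speed since the user's previous sign-in, country outside the user's baseline, and off-hours local time). The events, coordinates, country codes, thresholds and per-user baseline are constructed assumptions.

```python
# Added example, not code from the article or from Microsoft/Google: run three
# sign-in checks over an exported audit log. The events, coordinates, country
# codes, thresholds and per-user baseline below are constructed assumptions.
import math
from datetime import datetime, timedelta, timezone

WAT = timezone(timedelta(hours=1))                      # West Africa Time (Africa/Lagos, no DST)
MAX_SPEED_KMH = 900                                     # assumption: roughly airliner cruise speed
OFF_HOURS = range(0, 6)                                 # assumption: 00:00-05:59 local is unusual
EXPECTED_COUNTRIES = {"ceo@your-company.com": {"NG"}}   # constructed per-user baseline
EARTH_RADIUS_KM = 6371.0

# Constructed sign-in events; IPs are from the RFC 5737 documentation ranges and
# "XX" stands in for a non-Nigerian country code.
SIGN_INS = [
    {"user": "ceo@your-company.com", "time": "2024-03-04T09:12:00+01:00",
     "ip": "198.51.100.10", "country": "NG", "lat": 6.45, "lon": 3.40},    # Lagos
    {"user": "ceo@your-company.com", "time": "2024-03-04T11:40:00+01:00",
     "ip": "198.51.100.22", "country": "NG", "lat": 9.06, "lon": 7.49},    # Abuja
    {"user": "ceo@your-company.com", "time": "2024-03-05T03:05:00+01:00",
     "ip": "203.0.113.77", "country": "XX", "lat": 50.45, "lon": 30.52},   # Eastern Europe
    {"user": "ceo@your-company.com", "time": "2024-03-05T03:40:00+01:00",
     "ip": "198.51.100.10", "country": "NG", "lat": 6.45, "lon": 3.40},    # Lagos again
    {"user": "cfo@your-company.com", "time": "2024-03-04T10:00:00+01:00",
     "ip": "198.51.100.31", "country": "NG", "lat": 6.45, "lon": 3.40},    # Lagos
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def detect(events, expected=EXPECTED_COUNTRIES):
    """Return [(user, time, reasons)] for every sign-in that should trigger step-up verification."""
    flagged, last_seen = [], {}
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        t = datetime.fromisoformat(ev["time"]).astimezone(WAT)
        reasons = []
        prev = last_seen.get(ev["user"])
        if prev is not None:
            hours = (t - prev["t"]).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
            if hours > 0 and km / hours > MAX_SPEED_KMH:
                reasons.append("impossible_travel")
        if ev["country"] not in expected.get(ev["user"], {"NG"}):
            reasons.append("unexpected_country")
        if t.hour in OFF_HOURS:
            reasons.append("off_hours")
        if reasons:
            flagged.append((ev["user"], ev["time"], reasons))
        last_seen[ev["user"]] = {"t": t, "lat": ev["lat"], "lon": ev["lon"]}
    return flagged


if __name__ == "__main__":
    for user, when, why in detect(SIGN_INS):
        print(f"{when} {user}: {', '.join(why)}")
```

In the constructed log, the Lagos-to-Abuja hop passes (a few hundred km/h is a flight), the 03:05 sign-in from outside Nigeria is flagged on country and hour, and the sign-in back in Lagos 35 minutes later is flagged as impossible travel. Speed alone would have missed the first suspicious event, which is why the country and off-hours checks sit beside it.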
The Procedural Controls
Technical controls prevent the initial attack vector; procedural controls prevent execution if the technical controls fail.
The phone verification rule: Any payment instruction received via email for a new beneficiary, a change to an existing beneficiary's account, or an unusual amount or urgency must be verified by telephone to a known number (not a number included in the suspicious email). This single procedure catches BEC regardless of how convincing the email is.
Dual authorisation for large transfers: No single person authorises transfers above a threshold. Two approvers with independent verification. The second approver asking "did you get this instruction from the same email?" catches the scenario where both were contacted but via different channels.
Beneficiary account change process: New beneficiary accounts and account changes go through a registration process that includes phone verification to the supplier's known contact, with a cooling period of 48 to 72 hours before the new account can receive payment. Urgency requests that bypass this process are automatically suspect.
Email banner for external email: A visual banner on every email received from outside the organisation ("This email was sent from outside [Company]. Be cautious about clicking links or following payment instructions.") creates pause before acting on financial instructions.
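The phone verification rule, the cooling period and dual authorisation are easiest to enforce when the payment system refuses to release funds until each has been recorded. The following is an added example, not code from the article: it models the beneficiary book and returns the list of reasons a payment is held, walking through the supplier account-change scenario from Variant 1. The 48-hour cooling period is the lower bound of the article's 48 to 72 hour range, and the dual-authorisation threshold, the "unusual amount" multiple, and the sample beneficiary and amounts are constructed assumptions.

```python
# Added example, not code from the article: encode the phone-verification rule,
# the beneficiary cooling period and dual authorisation as checks a payment run
# has to clear. The thresholds, the cooling period (lower bound of the article's
# 48-72h range) and the sample beneficiary and amounts are constructed assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

COOLING_PERIOD = timedelta(hours=48)     # lower bound of the article's 48-72h range (assumption)
DUAL_AUTH_THRESHOLD = 5_000_000          # naira; assumed amount above which two approvers are needed
UNUSUAL_MULTIPLE = 2.0                   # assumption: more than 2x the usual amount counts as unusual


@dataclass
class Beneficiary:
    name: str
    account: str
    registered_at: datetime              # when this account (new or changed) entered the book
    callback_done: bool = False          # verified by phone on the number already on file
    typical_amount: Optional[float] = None


class PaymentControls:
    def __init__(self):
        self.book = {}                   # beneficiary name -> Beneficiary

    def register_or_change(self, name, account, at, typical_amount=None):
        """A new beneficiary or a changed account always restarts the cooling period."""
        self.book[name] = Beneficiary(name, account, at, False, typical_amount)

    def record_callback(self, name):
        """Record that someone phoned the supplier's KNOWN number, not one taken from the email."""
        self.book[name].callback_done = True

    def check_payment(self, name, account, amount, approvers, at, instruction_verified=False):
        """Return (approved, reasons); reasons explain why the payment is held."""
        reasons = []
        b = self.book.get(name)
        if b is None or b.account != account:
            reasons.append("account not registered for this beneficiary")
        else:
            if not b.callback_done:
                reasons.append("no callback to known phone number")
            age = at - b.registered_at
            if age < COOLING_PERIOD:
                remaining_h = int((COOLING_PERIOD - age).total_seconds() // 3600)
                reasons.append(f"cooling period: {remaining_h}h remaining")
            if b.typical_amount and amount > UNUSUAL_MULTIPLE * b.typical_amount and not instruction_verified:
                reasons.append("unusual amount: verify this instruction by phone")
        if amount >= DUAL_AUTH_THRESHOLD and len(set(approvers)) < 2:
            reasons.append("needs two independent approvers")
        return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed walk-through of the Variant 1 scenario: an emailed "our account
    # has changed" instruction, followed by an invoice the same morning.
    t0 = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)
    pc = PaymentControls()
    pc.register_or_change("Supplier Co", "0123456789", t0, typical_amount=4_000_000)
    print(pc.check_payment("Supplier Co", "0123456789", 12_000_000, ["ap-clerk"], t0 + timedelta(hours=1)))
    pc.record_callback("Supplier Co")
    print(pc.check_payment("Supplier Co", "0123456789", 4_000_000, ["ap-clerk"], t0 + timedelta(hours=49)))
```

The first check is held for four separate reasons; an attacker has to defeat the callback, wait out the cooling period, and get a second approver to agree, rather than just write one convincing email. Keeping the reasons as data rather than a single boolean also gives the second approver something concrete to ask about.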
Response When BEC Succeeds
BEC attacks sometimes succeed despite controls. When they do:
Act in minutes, not hours: Contact your bank immediately to request a payment recall. Domestic Nigerian bank transfers can potentially be recalled or frozen if reported within the same business day. International SWIFT transfers require correspondent bank cooperation and become harder to recover with each passing hour.
Report to authorities: EFCC, NFIU, and the NPF cybercrime unit all take BEC reports. Recovery is not guaranteed but is not impossible when reported promptly.
Engage the receiving bank: The EFCC has mechanisms to freeze accounts at receiving banks when fraud is promptly reported. Cooperation between complainant, EFCC, and both banks has succeeded in recovering BEC funds in documented Nigerian cases.
Document everything: The email thread, payment records, bank correspondence. This is evidence for both the recovery action and any subsequent legal proceedings.
The cost of implementing BEC controls, both technical (DNS configuration and MFA, which are mostly configuration effort rather than spend) and procedural (verification procedure, dual authorisation, cooling period), is negligible relative to the cost of a single successful attack. The question for Nigerian businesses is not whether the controls are worth implementing but how quickly they can be deployed given the known attack frequency in their market.
Related Articles
- Fraud Detection Architecture for Nigerian Financial Applications: How to build layered fraud detection into financial applications, including the authorised push payment fraud that BEC exploits.
- From Reactive to Proactive: Security Automation That Pays for Itself: Automated threat detection controls, including impossible travel detection and failed authentication alerting, that catch account compromise early.
- Penetration Testing for Nigerian SMBs: What It Is, What It Costs, What You Get: How to assess your overall security posture, including the social engineering tests that evaluate staff resilience to BEC-style attacks.
Sources
- FBI Internet Crime Complaint Center (IC3), 2023 Internet Crime Report: BEC loss statistics and trend data. ic3.gov/AnnualReport
- Nigeria Financial Intelligence Unit (NFIU): suspicious transaction reporting guidelines and BEC fraud documentation. nfiu.gov.ng
- Economic and Financial Crimes Commission (EFCC): cybercrime prosecution and BEC recovery procedures. efcc.gov.ng
- DMARC.org: Domain-based Message Authentication specification and deployment guides. dmarc.org
- MxToolbox: free DMARC, SPF, and DKIM lookup tools referenced in implementation guidance. mxtoolbox.com/dmarc.aspx
- Microsoft 365 Security Documentation: MFA enforcement and conditional access policies. learn.microsoft.com/en-us/entra/identity
- Google Workspace Admin Help: two-step verification and email security configuration. support.google.com/a/answer/175197