BEC is the highest-value cybercrime category globally and a persistent threat to Hong Kong businesses. Fake payment instructions, supplier impersonation, and CEO fraud cause millions in losses annually — and most are preventable with the right controls.
Business Email Compromise (BEC) is a category of fraud in which attackers impersonate trusted parties in a business email exchange to redirect payments or extract sensitive information. Unlike opportunistic mass phishing, BEC attacks are researched and targeted: attackers understand the target organisation's payment processes, supplier relationships, and internal approval chains before launching the attack. BEC consistently tops the FBI's Internet Crime Complaint Center reports as the highest-loss cybercrime category globally, and it is among the most significant cyber threats to Hong Kong businesses, particularly those in finance, trading, real estate, and professional services where large-value transactions are routine.
BEC attacks exploit the assumption that an email from a known sender can be trusted. In reality, email sender addresses can be spoofed, email accounts can be compromised, and lookalike domains can be registered that differ from the genuine domain by a single character. A finance controller receiving what appears to be an email from their CEO, their bank, or their major supplier requesting a payment change has no reliable way to verify the sender through the email itself — only out-of-band verification (a phone call to a known number) provides real assurance. This fundamental weakness of email-based business processes is what BEC exploits.
Hong Kong's position as a regional financial hub makes its businesses particularly attractive targets. The city hosts a large number of multinational companies' regional treasury and finance functions, conducts significant cross-border transactions with mainland China and Southeast Asia, and has a business culture where email-based payment instructions from senior management are common. The combination of high-value transactions, cross-border complexity, and established email-based processes creates ideal conditions for BEC attackers who focus on financial targets with the largest potential payoffs.
CEO fraud — also called whaling when the attacker impersonates the CEO — involves an email apparently from a senior executive to a finance or accounting employee, requesting an urgent, confidential wire transfer. The pretext is typically a time-sensitive business opportunity (an acquisition, a regulatory settlement, a confidential deal) that cannot be disclosed to others and must be executed outside normal approval processes. The urgency and confidentiality request are both manipulative elements: urgency prevents careful reflection, and confidentiality prevents the victim from consulting colleagues who might notice the irregularity. In Hong Kong, CEO fraud has resulted in multi-million dollar losses in documented cases involving both local and multinational companies.
Supplier and vendor payment diversion is a second major BEC type. The attacker impersonates a known supplier — using a spoofed or compromised email address — and notifies the target company that their banking details have changed, requesting that future payments be directed to a new account. If the company processes the instruction without out-of-band verification, subsequent legitimate invoice payments are redirected to the attacker. This attack type is particularly effective in Hong Kong's trade finance environment, where payment instructions from overseas suppliers are common and may not trigger the same verification scrutiny as domestic transactions. The fraud may not be detected until the genuine supplier chases payment, by which time multiple transactions may have been redirected.
Account compromise-based BEC is the most technically sophisticated variant: the attacker gains actual access to a legitimate business email account and monitors conversations over time, learning payment patterns, supplier relationships, and upcoming transactions. When a large payment is expected, the attacker inserts fraudulent payment instruction changes at the appropriate moment in an active email thread — appearing to be a genuine continuation of an established conversation. Because the email comes from a real, compromised account rather than a spoofed one, it passes all technical security checks. Detection requires noticing subtle changes in account behaviour or transaction pattern anomalies rather than email technical indicators.
The single most effective BEC prevention control is out-of-band verification for any payment instruction changes or unusual financial requests. This means calling the requestor on a previously known, verified phone number — not a number provided in the email — to confirm the instruction before processing. This control must be applied uniformly, including for apparent requests from the CEO, the CFO, or other senior figures whose authority employees are reluctant to question. The social pressure to comply with apparent senior management requests without verification is exactly what CEO fraud exploits; the protocol must explicitly state that out-of-band verification applies to all unusual payment requests regardless of apparent seniority of the requestor.
Dual-authorisation requirements for wire transfers above a threshold significantly limit the damage from successful BEC attacks. If two people must independently approve any transfer above HK$100,000, a single compromised account or deceived employee cannot complete the fraud alone. Supplement this with callback verification for any changes to existing payee banking details — any notification, however apparently routine, that a supplier or partner has changed their account number should trigger a call to the supplier on a number taken from your existing records (not from the email), confirming the change before it is processed. Real banking detail changes do happen; the protocol is not to refuse them but to verify them through a channel independent of the requesting email.
Technical controls include implementing DMARC, DKIM, and SPF on all corporate email domains to prevent external parties from spoofing your organisation's domain in attacks on your partners and customers. Enable email security features that flag external emails that appear to come from internal addresses — these catch a common technique where attackers use a display name matching an executive's name but with an external sending address. Multi-factor authentication on all corporate email accounts prevents account compromise-based BEC by making it significantly harder for attackers to gain persistent access to a monitored inbox even if credentials are phished.
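The two sender checks described here and earlier (an executive's display name on an external address, and a domain one character away from the genuine one) can be expressed as simple header rules. The following is an added example, not code from the original article; the domain, executive names and sample headers are constructed, and a real gateway would also consult the DMARC/SPF authentication results.

```python
from email import message_from_string
from email.utils import parseaddr, getaddresses

# Constructed reference data a finance team's mail gateway might hold:
# the organisation's own domain and its senior executives' display names.
INTERNAL_DOMAIN = "example-trading.hk"
EXECUTIVE_NAMES = {"alice chan", "david wong"}


def levenshtein(a, b):
    """Edit distance; a lookalike domain is typically at distance 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(raw_message):
    """Return the BEC sender indicators found in a message's headers."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []
    # Executive's display name, but the mail did not originate from our domain.
    if name.strip().lower() in EXECUTIVE_NAMES and domain != INTERNAL_DOMAIN:
        findings.append("executive display name with external address")
    # Sending domain differs from ours by a single character.
    if domain and domain != INTERNAL_DOMAIN and levenshtein(domain, INTERNAL_DOMAIN) <= 1:
        findings.append("lookalike domain")
    # Replies silently routed to a domain other than the visible sender's.
    for _, reply in getaddresses(msg.get_all("Reply-To", [])):
        if "@" in reply and reply.rsplit("@", 1)[-1].lower() != domain:
            findings.append("reply-to domain differs from sender")
            break
    return findings


# Constructed sample headers (not real traffic) covering each case.
LEGIT = "From: Alice Chan <alice.chan@example-trading.hk>\nSubject: Q3 review\n\n"
SPOOFED_EXEC = "From: Alice Chan <alice.chan@webmail.example>\nSubject: Urgent transfer\n\n"
LOOKALIKE = "From: Accounts <ap@example-tradlng.hk>\nSubject: New bank details\n\n"
DIVERTED = ("From: David Wong <david.wong@example-trading.hk>\n"
            "Reply-To: David Wong <d.wong@webmail.example>\nSubject: Confidential\n\n")

if __name__ == "__main__":
    for label, raw in [("legit", LEGIT), ("spoof", SPOOFED_EXEC),
                       ("lookalike", LOOKALIKE), ("diverted", DIVERTED)]:
        print(label, check_sender(raw))
```

A hit on any of these should route the message to the out-of-band verification step rather than block it outright, since genuine suppliers do occasionally mail from new domains.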
If you discover a BEC fraud immediately after a wire transfer has been initiated, the most urgent action is to contact your bank's corporate fraud team directly and request an immediate recall of the transfer. International wire transfers processed through SWIFT have a finite processing window during which recall requests can intercept the payment before it is credited to the receiving account. This window varies by transaction route and may be as short as a few hours for some international transfers. Do not wait to investigate fully before making this call — contact your bank immediately and gather evidence simultaneously.
Report to the HKPF Cyber Security and Technology Crime Bureau at 182 388 as soon as possible, and contact the Anti-Deception Coordination Centre at 18222 — the ADCC has relationships with both Hong Kong and international banks that can facilitate emergency transaction holds in some circumstances. File a formal police report, as this documentation is required for civil recovery actions, insurance claims, and any regulatory notifications that may be required under your industry's rules. If the receiving bank account is in Hong Kong, the HKPF may be able to apply for a court-ordered freeze of the account more rapidly than if funds have already been forwarded abroad.
Conduct a post-incident investigation to determine how the attack succeeded and prevent recurrence. Examine email headers of the fraudulent message to determine whether it was a spoofed domain attack or whether a genuine account was compromised. If an account was compromised, change credentials, revoke sessions, enable MFA, and check the account's inbox rules — attackers frequently create email rules to forward copies of correspondence and delete fraud-related replies. Review your BEC prevention controls against the attack vector that succeeded and implement additional verification steps. Consider engaging a cybersecurity consultancy to conduct a full assessment of your email security posture and payment control environment.
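The inbox-rule review mentioned above can be automated over a rule export. This is an added example, not from the article or any mail platform's own tooling; the record field names, the organisation's domain and the sample rules are assumptions chosen to illustrate the forward-and-delete pattern the paragraph describes.

```python
# Assumed field names for an exported inbox-rule record (the page names no
# platform); adapt them to the export format of your mail system.
INTERNAL_DOMAIN = "example-trading.hk"
PAYMENT_KEYWORDS = ("invoice", "payment", "wire", "bank", "remittance", "transfer")
# Folders users rarely open; moving mail there hides it as effectively as deleting it.
HIDDEN_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "junk email", "archive"}


def audit_inbox_rules(rules):
    """Return [(rule name, [reasons])] for rules that forward mail outside the
    organisation or that delete/hide messages about payments."""
    flagged = []
    for rule in rules:
        reasons = []
        external = [a for a in rule.get("forward_to", [])
                    if not a.lower().endswith("@" + INTERNAL_DOMAIN)]
        if external:
            reasons.append("forwards to external address(es): " + ", ".join(external))
        conditions = " ".join(rule.get("contains", [])).lower()
        hits = [k for k in PAYMENT_KEYWORDS if k in conditions]
        hides = rule.get("delete", False) or rule.get("move_to", "").lower() in HIDDEN_FOLDERS
        if hits and hides:
            reasons.append("hides payment-related mail matching: " + ", ".join(hits))
        if reasons:
            flagged.append((rule.get("name", "<unnamed>"), reasons))
    return flagged


# Constructed sample export (not from a real mailbox).
SAMPLE_RULES = [
    {"name": "Newsletters", "contains": ["newsletter"], "move_to": "Newsletters"},
    {"name": "Team", "forward_to": ["alice.chan@example-trading.hk"]},
    {"name": ".", "contains": ["invoice", "payment", "bank"], "delete": True,
     "forward_to": ["archive.mailbox@webmail.example"]},
    {"name": "Clean", "contains": ["wire transfer"], "move_to": "RSS Feeds"},
]

if __name__ == "__main__":
    for name, reasons in audit_inbox_rules(SAMPLE_RULES):
        print(repr(name), "->", "; ".join(reasons))
```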