Get wise to the threat of Business Email Compromise [and CEO fraud] in the British Virgin Islands

23 Nov 2020

Guest article by Dainyah Mason, a barrister and BVI native

Google ‘phishing statistics’ every now and then and you’ll find one or two credible industry reports, plus a whole list of cyber security vendors publishing numbers that sound altogether out of reach. If the cost of this threat is so high, surely cyber criminals won’t target any organization who can’t afford the cost of the damage? 

“Unfortunately, the reality is quite different. Despite the lack of concrete numbers published on how often small and medium sized businesses are targeted with – and fall foul to – the most common cyber security threat out there, it certainly does happen, and is highly likely to happen to you.Dainyah

Legislation status in the BVI

The BVI has not yet enacted legislation to regulate data protection, however it’s expected that the BVI will follow international standards, and adopt legislation that reflects globally recognised standards. So, in the meantime we continue to operate under common law and contractual duties to assure confidentiality and privacy. In practice this means companies in the BVI must implement adequate protection and take reasonable steps to respect and protect information classified as confidential. 

It’s important to remember that the General Data Protection Regulation (GDPR) applies to the processing of personal data by a controller processor established outside the EU if their data processing activity relates to the offering of goods or services to individuals in the EU. So, businesses in the BVI that collect personal information belonging to EU citizens, or if you’re actively marketing services in the EU, may therefore be in scope and subject to the GDPR. Investment funds must ensure that any delegation of the processing of data by such service providers is being done in compliance with the GDPR.  

How to strengthen your resilience to phishing attacks

It’s not all bad news. Network security solutions provide some reassurance and at a basic level, firewalls, antivirus and email encryption must be used. However, when it comes to security threats that seek to exploit human behavior weaknesses, technical measures should never be relied on completely. Raising awareness and educating people on how to protect your business from social engineering attacks (and the potentially irreparable financial and reputational damage caused by a data breach) is a much wiser, and more affordable investment. 

What is Business Email Compromise?

It’s one of those labels for a type of phishing attack that, at a glance, sounds unfathomable to anyone who isn’t a self-professed cyber geek. In fact, it does exactly what it says on the tin. Business Email Compromise is the compromise of a business email account, or more specifically, an email exchange between colleagues. 

In 2019 alone, Business Email Compromise (BEC) scams accounted for more than half of all cybercrime losses—an estimated $1.77B. The average loss per BEC incident in 2019 was $74,723.


Once a cyber criminal has gained access to the company network in question, their next mission is to deploy malware or extract valuable information. To do this, they’ll infiltrate an old email thread between colleagues and quite simply drop in the malicious link, or ask directly for access to something sensitive. The sender and the subject appear familiar – and therefore trustworthy – to the victim, so without a second thought, they’ll usually do what’s asked of them.

And you can be assured that any cyber criminal who’s successfully broken in this way has already done a fair bit of digging around. With this insight, they know exactly who to target and when to catch someone out. Cyber security and threat intelligence analysts would go on to explain the most commonly used tactics and contexts, but for the purpose of purely protecting your company from the overall threat, we’ll skip that part. 

CEO Fraud      

CEO fraud is not a million miles from Business Email Compromise, and the two combined will achieve the highest payout for the fraudster. For clarity, CEO fraud doesn’t refer to an attempt to defraud the CEO. Instead, it’s when the attacker impersonates a CEO or high-level exec in order to steal funds or sensitive information from within the company. HR is a hot target in this instance, however the tactic works because the majority of people will do what their CEO (or senior management team) tells them to. So, anyone could be on the receiving end of CEO fraud.

This isn’t limited to email, either. Nowadays, we’re all comfortable with keeping in touch via text and instant messaging, and cyber criminals are certainly comfortable with exploiting any channel that gets them what they want. 

The median cost of a cyber event for a small to medium sized business (250-999 employees) is $200,000.

Hiscox Cyber Readiness Report 2020

Taking care of the threat

Taking care in this instance has never been such a multi-dimensional concept. And at Naq, we stand for taking care of people above all else. Let’s break it down.

What this means for business

The value of hard-earned reputation and the balance in your business account is arguably worth significantly more to small business owners than CEOs of multinational organizations. Because it’s years of effort and hard work that got you here. The brutal truth is that a cyber criminal has the power to undo it all overnight. And who else would a cyber attack impact if your website, email accounts, marketing channels were hacked? Leaving your doors open leaves your clients exposed to the risk, too. 

Onboarding with Naq is so quick and easy, the risk of disruption to business as usual is zero. The risk that your clients will feel better protected, too, strengthen their loyalty to do business with you, and that you’ll sleep easier knowing you’ve taken steps to minimise the chance of a breach, is high. But that’s something we think you’ll be willing to accept.

What this means for your team

The fundamental connection between these two types of threats is threefold. They both fall into the phishing category – but we’ve already agreed any more technical jargon here isn’t necessary. They both rely on exploiting human nature in a professional setting. And they both target employees. 

Education and encouraging the people who keep your business running to work together to protect your livelihood is proven to be the most effective approach to combating the ever-evolving cyber threat. Even more so if your core team consists of less than a thousand employees. In today’s highly connected world, consider our suite of concise learning modules as providing essential life skills that people can and will engage with far beyond their day job. 

What this means for you

Quantifying the cost of a data breach or a cyber attack for small and medium sized businesses is something the global cyber security industry needs to continue to shed light on. We’re determined to make an impact, so if you’d like to contribute to our 2021 report let us know

In the meantime, it feels easier to quantify the actual cost of attempting to address your cyber security responsibilities without the expertise and resource to do it effectively. Consider how much time you’re currently spending on knowing you need a better solution, and the associated stress and impact it’s having not only on the wellbeing of your business, but on your ability to focus on doing what you do best. Claim that time back, safe in the knowledge Naq has got your cyber security taken care of.