BUSINESS EMAIL COMPROMISE: AFRICA'S MOST EXPENSIVE ATTACK
No malware, no zero-day, no dramatic breach alert. Business email compromise is the quietest attack in the threat landscape — and across East Africa it is also the most financially devastating.
# WHAT BEC ACTUALLY LOOKS LIKE
Business email compromise (BEC) is a social engineering attack in which a criminal impersonates a trusted party — a CEO, a supplier, a lawyer — to trick an employee into transferring money or sensitive data. There is rarely any technical exploit involved. The attacker simply abuses trust and process gaps.
The most common variants we see across the region:
- CEO fraud — a finance officer receives an urgent "instruction" from the managing director to wire funds before close of business.
- Invoice fraud — a genuine supplier's email is spoofed or compromised, and "updated banking details" redirect a legitimate payment to the attacker.
- Payroll diversion — an employee's HR record is altered via a convincing email request, rerouting salary payments.
High reliance on email-driven payment authorization, fast-growing SME and banking sectors, mobile-money rails that move funds instantly, and limited security awareness training combine to make the region especially exposed. Once money leaves via instant transfer, recovery is often impossible.
# WHY TECHNOLOGY ALONE DOESN'T STOP IT
Because BEC frequently involves no malicious attachment or link, traditional antivirus and even many email-filtering tools never raise a flag. The email is, technically, just an email. Defending against it requires a combination of technical controls, process design, and a trained workforce.
# THE LAYERED DEFENSE THAT WORKS
1. Email authentication
Implement SPF, DKIM and DMARC with an enforcing policy. This prevents attackers from spoofing your own domain and dramatically reduces lookalike abuse.
2. Out-of-band verification
Mandate a second channel — a phone call to a known number — for any change of banking details or any transfer above a defined threshold. No exceptions, regardless of how senior the request appears.
3. Advanced email security
Deploy gateway controls that detect display-name spoofing, newly registered lookalike domains, and anomalous sender behavior — the signals that pure spam filters miss.
4. Continuous awareness training
Run realistic phishing and BEC simulations and coach the people who fall for them. The finance and procurement teams are your highest-value targets and need the most practice.
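A concrete way to verify layer 1 above: a quick check that the SPF and DMARC records you publish are actually enforcing rather than merely present. This is an added example, not Serensic's code or any vendor tool; the two TXT values are constructed for a hypothetical domain, and in practice you would fetch them from DNS (the TXT record of the domain itself and of `_dmarc.` under it) before passing them in.

```python
"""Check that a domain's SPF and DMARC records are actually enforcing.

Added example, not Serensic's code. The two TXT values below are constructed
for a hypothetical domain; in practice you would fetch them with a DNS
resolver (TXT of example.com and of _dmarc.example.com) before passing them in.
"""
import re

# Constructed sample records for the hypothetical domain example.com.
SAMPLE_SPF = "v=spf1 include:_spf.example-mail.net ip4:203.0.113.0/24 -all"
SAMPLE_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"

ENFORCING = {"quarantine", "reject"}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into lower-cased tag -> value pairs."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_is_enforcing(record: str) -> bool:
    """True only when the organisational and subdomain policies both quarantine
    or reject, and the policy applies to 100% of failing mail."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return False
    policy = tags.get("p", "none").lower()
    sub_policy = tags.get("sp", policy).lower()   # sp defaults to p when absent
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return False
    return policy in ENFORCING and sub_policy in ENFORCING and pct == 100


def spf_fails_closed(record: str) -> bool:
    """True when the record's 'all' term is '-all' (hard fail for unlisted senders).
    '~all' (soft fail), '?all' (neutral), '+all' (pass anything) and a missing
    'all' term all leave spoofed mail deliverable, so they return False."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return False
    for term in terms[1:]:
        match = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if match:
            return match.group(1) == "-"
    return False  # no 'all' mechanism: SPF result defaults to neutral


def assess(spf: str, dmarc: str) -> list:
    """Return a list of findings; an empty list means both records are enforcing."""
    findings = []
    if not spf_fails_closed(spf):
        findings.append("SPF does not hard-fail unlisted senders (-all)")
    if not dmarc_is_enforcing(dmarc):
        findings.append("DMARC policy is not enforcing (p=quarantine/reject, pct=100)")
    return findings


if __name__ == "__main__":
    print(assess(SAMPLE_SPF, SAMPLE_DMARC) or "both records enforcing")
```

The two traps this catches most often in real estates are a DMARC record left at `p=none` after the monitoring phase, and a `pct` below 100 that was set for a gradual rollout and never raised; neither stops a spoofed message from landing in the finance team's inbox.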
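Layer 3 above talks about the sender signals a plain spam filter misses. The following added example (not Serensic's code or the logic of any particular gateway product) shows three of them run over constructed message headers: an executive's display name on an external address, a lookalike sender domain, and a Reply-To that diverts responses elsewhere. The corporate domain, the executive names and the sample messages are all assumed; domain registration age, the "newly registered" signal, needs an RDAP or WHOIS lookup and is not shown.

```python
"""Flag the BEC sender signals a keyword-based spam filter ignores:
display-name spoofing, lookalike sender domains and Reply-To mismatches.

Added example, not Serensic's code. CORP_DOMAIN, the executive names and the
three sample messages are constructed. Domain registration age (the "newly
registered" signal) needs an RDAP/WHOIS lookup and is not shown here.
"""
from email.utils import parseaddr

CORP_DOMAIN = "example.co.ke"                      # assumed corporate domain
EXECUTIVES = {"amina otieno", "david mwangi"}      # assumed high-value impersonation targets
# Character sequences that look alike in common fonts; each maps to its canonical form.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("3", "e")]

# Constructed sample headers: one genuine message, a CEO-fraud attempt from
# a webmail account, and an invoice-fraud attempt from a lookalike domain.
SAMPLE_MESSAGES = [
    {"From": '"Amina Otieno" <amina.otieno@example.co.ke>',
     "Subject": "Board pack for Thursday"},
    {"From": '"Amina Otieno" <ceo.amina@gmail.com>',
     "Subject": "Urgent transfer before COB"},
    {"From": '"Accounts Payable" <billing@exarnple.co.ke>',
     "Reply-To": '"Accounts Payable" <payments@outlook.com>',
     "Subject": "Updated banking details for invoice 4471"},
]


def normalise(domain: str) -> str:
    """Collapse confusable sequences so 'exarnple' and 'example' compare equal."""
    d = domain.lower()
    for lookalike, canonical in CONFUSABLES:
        d = d.replace(lookalike, canonical)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """A domain is a lookalike if it is not ours but collapses to ours under
    confusable substitution or sits within two edits of it."""
    d = domain.lower()
    if not d or d == CORP_DOMAIN:
        return False
    return normalise(d) == normalise(CORP_DOMAIN) or edit_distance(d, CORP_DOMAIN) <= 2


def analyse(headers: dict) -> list:
    """Return the BEC signals found in one message's headers (empty = none)."""
    name, addr = parseaddr(headers.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []
    # Display name of a known executive paired with an address outside our domain.
    if name.strip().lower() in EXECUTIVES and domain != CORP_DOMAIN:
        findings.append("display-name spoofing")
    if is_lookalike(domain):
        findings.append(f"lookalike domain {domain}")
    # Replies silently routed to a different mailbox than the visible sender.
    _, reply_to = parseaddr(headers.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        findings.append("reply-to mismatch")
    return findings


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["Subject"], "->", analyse(msg) or "clean")
```

These are triage signals rather than verdicts: a two-edit distance will occasionally flag an unrelated short domain, and some legitimate bulk senders use a different Reply-To. The value is in routing a flagged message about payments or banking details to the out-of-band verification step in layer 2 before anyone acts on it.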
Our Managed SOC monitors for the account-takeover signals that precede BEC, our consultants harden your email authentication and payment processes, and Serensic Academy runs the awareness programs that turn your finance team into a human firewall.
WORRIED ABOUT INVOICE FRAUD?
Request a BEC readiness review — a specialist responds within 24 hours.