How a Durban Accounting Firm Nearly Lost R380,000 to a Business Email Compromise Attack

By Ubuntu Guard | 8 April 2026

The email looked like every other email from their IT software supplier. Same formatting. Same sign-off. The right contact name, the right invoice number, even a reference to a previous conversation. The only thing different was one letter in the email address.

One letter. R380,000.

This is the account of a Durban accounting firm that processed a fraudulent payment in late 2025. Names and identifying details have been changed, but the sequence of events is real. We worked with them during the breach response.

What happened

The firm, which handles payroll, tax, and financial reporting for around 40 SME clients in KwaZulu-Natal, received an email from what appeared to be their monthly software subscription provider. The email notified them of a banking detail change and included a new account number for future payments, along with a correctly formatted EFT reference.

The accounts administrator processed the payment request the following morning. The payment was for R380,000, covering a bulk annual licence renewal. It went to the fraudulent account within minutes of being submitted.

The attacker had done their homework. They had monitored email communications between the firm and the legitimate supplier over several weeks, likely by accessing either the firm's inbox or the supplier's. They timed the fraudulent email to coincide with a real invoice period. They used a domain that looked almost identical to the supplier's, changing one character in the middle of the address. The difference was not visible in the sender display name, only in the email header.

By the time the firm's director noticed the discrepancy the following afternoon, the funds had already been moved through two accounts.

What business email compromise is and why SA is a growing target

Business email compromise (BEC) is a category of fraud in which an attacker impersonates a legitimate email correspondent, usually a supplier, senior manager, or trusted partner, to trick a business into transferring money or sharing sensitive information.

INTERPOL's Africa Cyberthreat Assessment identifies BEC as one of the highest-impact financial crimes targeting South African businesses. SABRIC's annual fraud data consistently places business email fraud among the top three mechanisms for corporate financial loss in the country.

South Africa is a high-value target for several reasons. English is a primary business language, which removes one common friction point for attackers operating from other countries. The SME sector is large and most businesses in it do not have dedicated IT security. Many rely on standard webmail with no monitoring, no domain authentication controls, and no payment verification procedures.

The attack does not require sophisticated hacking skills. It requires patience, observation, and one convincing email.

The tell: what the firm missed and how to spot it

The fraudulent email came from: [email protected]

The real supplier's domain was: [email protected]

The addition of -za was invisible in the display name and easy to miss in a busy inbox. The attacker had registered a near-identical domain weeks before launching the attack.

There were other signs that, in hindsight, warranted a second look. The email arrived on a Friday afternoon, a known attacker preference because urgency is easier to manufacture before a weekend. The email mentioned that the banking detail change was due to a "routine audit requirement," which sounds plausible but is not a reason suppliers typically give. The email explicitly asked the firm not to confirm the change by phone because the "accounts team is overwhelmed this week."

That last instruction is a red flag in isolation. Legitimate suppliers do not ask you to skip your verification procedures.
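An added example, not part of the original case write-up: the Python below applies the two checks this section describes to an incoming payment email. It compares the sender's actual address domain (not the display name) against an allow-list of known supplier domains by edit distance, so an added "-za" or one swapped letter is caught, and it scans the body for the phrasing the firm missed. The supplier domain and the sample message are constructed placeholders.

```python
import re
from email.utils import parseaddr

# Constructed allow-list: domains of suppliers the firm actually pays (placeholder names).
KNOWN_SUPPLIER_DOMAINS = {"example-supplier.co.za"}

# Phrasing from the case above that should force a phone call before any payment.
RED_FLAG_PATTERNS = [
    r"\bnew (bank|banking) (account|details?)\b",
    r"\b(bank|banking) details? (have |has )?changed\b",
    r"\b(do not|don't|no need to) (call|phone|confirm)\b",
    r"\broutine audit\b",
]

def levenshtein(a: str, b: str) -> int:
    """Edit distance: the number of single-character insertions, deletions or
    substitutions needed to turn one domain into the other."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(from_header: str) -> str:
    """Domain of the real address in the From header, ignoring the display name."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()

def classify_sender(from_header: str, known=KNOWN_SUPPLIER_DOMAINS, max_distance: int = 3) -> str:
    """'known' for an exact match, 'lookalike-of:<domain>' for a near miss such as
    an added '-za' or one swapped letter, otherwise 'unknown'."""
    domain = sender_domain(from_header)
    if domain in known:
        return "known"
    for k in known:
        if levenshtein(domain, k) <= max_distance:
            return f"lookalike-of:{k}"
    return "unknown"

def red_flags(body: str) -> list:
    """Return the red-flag patterns that appear in the message body."""
    return [p for p in RED_FLAG_PATTERNS if re.search(p, body, re.IGNORECASE)]

def should_hold_for_verification(from_header: str, body: str) -> bool:
    """Hold a payment request for a verbal check unless the sender exactly matches a
    known supplier and the body contains none of the red-flag phrasing."""
    return classify_sender(from_header) != "known" or bool(red_flags(body))
```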

What Ubuntu Guard did during the breach response

The firm contacted us within 18 hours of identifying the fraud. By that point, our primary focus was on three things: understanding how the attacker accessed the email chain, containing any further exposure, and building a timeline for the bank and SAPS.

Email header analysis showed that the firm's inbox had not been compromised. The more likely access point was the supplier's side, where a credential was exposed and used to read correspondence without triggering any alerts. The firm had no way to detect or prevent this on their own.

We worked with the firm to implement DMARC, SPF, and DKIM records on their domain, which means that emails sent fraudulently using their domain are now flagged or rejected by receiving mail servers. We also reviewed their payment authorisation procedures and identified three process changes that would have caught this attack.

Outcome: partial recovery

The firm reported the fraud to SAPS and submitted a formal complaint to their bank's fraud unit within 24 hours of discovery. The bank initiated a recall request. Because one of the receiving accounts was held at a local bank and had not yet been fully cleared, a partial recovery of approximately R95,000 was possible. The remaining R285,000 was not recovered.

Recovery in BEC fraud depends almost entirely on how quickly you act. Funds that reach a mule account and are moved again, often within hours, are very difficult to trace. The faster you notify your bank and SAPS, the better the odds.

How to protect your business

Three changes would have prevented this attack entirely.

Implement a verbal confirmation rule for any banking detail change. Before your team processes a payment to a new or recently changed account, they must speak to a verified contact at the payee on a number sourced independently, not from the email requesting the change. This is non-negotiable.

Set up DMARC on your business email domain. DMARC is a policy published as a free DNS TXT record that tells receiving mail servers what to do with email claiming to be from your domain that fails SPF and DKIM authentication checks. At a minimum, it prevents your own domain from being spoofed. It does not stop an attacker using a lookalike domain, but it closes one major attack vector. If you do not know whether your domain has DMARC, check it at /business-trust-check.html.
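As an added example (not the firm's records or Ubuntu Guard's own tooling), the Python below parses a DMARC TXT record and the final "all" mechanism of an SPF record and lists what a monitor-only record leaves open, with a weak and an enforcing record side by side. The records and the domain example.co.za are constructed placeholders.

```python
# Constructed records for a placeholder domain (not the firm's real DNS).
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                "rua=mailto:dmarc-reports@example.co.za")
WEAK_SPF = "v=spf1 include:_spf.mailhost.example +all"
STRONG_SPF = "v=spf1 include:_spf.mailhost.example -all"

def parse_dmarc(txt: str) -> dict:
    """Split 'tag=value; tag=value' into a dict of lowercase tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(txt: str) -> list:
    """Return the weaknesses in a DMARC record; an empty list means it is enforcing."""
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return ["no valid DMARC record: receivers apply no policy to spoofed mail"]
    findings = []
    policy = tags.get("p", "none")
    if policy == "none":
        findings.append("p=none: mail failing authentication is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: failing mail goes to spam instead of being rejected")
    if tags.get("sp", policy) == "none":   # sp defaults to p when absent
        findings.append("sp=none: subdomains can still be spoofed")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applied to only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua: you receive no aggregate reports of spoofing attempts")
    if tags.get("adkim", "r") == "r" or tags.get("aspf", "r") == "r":
        findings.append("relaxed alignment (default): any subdomain of yours still aligns")
    return findings

def assess_spf(txt: str) -> list:
    """Flag an SPF record whose final 'all' mechanism lets anyone send as the domain."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no SPF record: receivers cannot tell which servers may send as you"]
    last = terms[-1].lower()
    if last in ("all", "+all"):
        return ["+all: every server on the internet may send as your domain"]
    if last == "?all":
        return ["?all: unauthorised senders are treated as neutral, not failed"]
    return []
```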

Train your staff to verify before they process. One short training session covering BEC, invoice fraud, and payment authorisation procedures can make the difference. An employee who knows to look for subtle domain differences and who knows to call before paying is your most effective defence.

If you want to assess your current exposure, start with a cybersecurity assessment at /services/cybersecurity-assessment/. If your staff need BEC training, we offer it at /services/cyber-awareness-training/.

Get in touch at [email protected].


Sources:
- INTERPOL: INTERPOL Africa Cyberthreat Assessment Report 2025 (published May 2025)
- SABRIC: SABRIC Annual Crime Statistics 2024 (published September 2025)


© 2026 Ubuntu Guard Cybersecurity | Durban, South Africa ubuntuguard.co.za
