Communication and document flows should be designed with fraud in mind instead of bolting on controls after the fact
Business Email Compromise (BEC) has become one of South Africa’s fastest-growing cyber-fraud risks, with more than seven million phishing attempts logged locally in 2023 alone.
According to PwC’s 2024 Digital Trust Insights survey, 38% of South African executives rank Business Email Compromise among their top three cyber threats, well above ransomware. Often, a major vulnerability is the way high-value transactions still rely on unprotected email threads, loose identity checks and manual document hand-offs. “BEC thrives on workflow weakness. Until organisations think about communication and signing journeys with fraud in mind, criminals will keep finding a way in,” explains Bobby Stewart, Product Owner at leading digital transformation partner, e4.
Property and legal transactions are prime targets for BEC attacks because they move large sums, involve multiple parties and depend on trust. Just one example is a case where a homeowner believed he was applying for additional financing but unwittingly signed bond-cancellation papers instead. “That sort of attack has nothing to do with firewalls and strong passwords. It happens when identity isn’t verified and signed documents are sent back and forth via email,” notes Stewart.
Traditional controls like antivirus, email security protocols and staff awareness training are still important and necessary, but they often sit outside the flow of work. Interpol’s 2024 African Cyber-Threat Assessment report warns that BEC combines social-engineering finesse with just enough tech to slip through front-line filters. By the time a homeowner notices fraudulent bank details or a conveyancer double-checks a PDF attachment, the funds may have already moved. “Standard email was never designed for multi-million-rand authorisations,” adds Stewart.
Building the right controls into everyday tasks
A modern, fraud-resistant workflow starts long before a payment instruction is sent. Best practice should be to bring all parties involved in high-value transactions, such as banks, attorneys and buyers in property transactions, into a closed, authenticated space where they can register securely, share documents through end-to-end encryption, and track progress in real time. Each message, file and banking detail is stored in an immutable archive, while milestone alerts show exactly when a deed pack is uploaded, a signature applied or funds released. “When those safeguards are baked into the way people communicate, most of the BEC entry points are taken care of,” says Stewart, adding that e4’s CommunicationHub was architected around these very principles.
Replacing email chains with controlled links helps block impersonation attempts. It also automates tedious manual checks. “There’s no need for anyone to stitch up email threads and every party on the transaction enjoys greater transparency and peace of mind. A secure communication hub means organisations and their customers can move sensitive information and documents off insecure channels and into a controlled environment,” says Stewart.
Since BEC losses show no signs of slowing, Stewart says organisations should rethink how to secure their communication and workflows. “Start by mapping every step of a high-value transaction, from identity capture and document generation to signing and hand-off, and ask which of those steps still relies on inbox trust. Then redesign the flow so authenticated platforms move the data. That is how you turn a soft target into a hard one.”