Business Email Compromise: The Cyber Scam Costing Caribbean Businesses Millions

By Gregory Lemmon | Managing Director, UBIQUITY Ltd
Cybersecurity & Disaster Recovery Consultants to the Caribbean

One Email. One Payment. One Costly Mistake.

Your finance manager receives what appears to be a routine email from your Managing Director.

The message is professional, urgent, and completely believable.

“Please process this payment today. I’m in meetings all afternoon, so I won’t be available by phone.”

The request isn’t unusual. The email address looks legitimate. The tone sounds exactly like your executive.

The payment is processed.

Only later does your team discover that the email never came from your Managing Director at all.

The money has already reached a criminal’s bank account.

This is Business Email Compromise (BEC), one of the fastest-growing forms of cybercrime affecting businesses worldwide. As Caribbean businesses continue to embrace digital operations, they are becoming increasingly attractive targets for these sophisticated attacks.

What Is Business Email Compromise?

Business Email Compromise is a cyberattack in which criminals impersonate trusted individuals—such as company executives, suppliers, or business partners—to trick employees into transferring money or sharing sensitive information.

Unlike traditional phishing emails filled with spelling mistakes and suspicious links, modern BEC attacks are carefully researched, professionally written, and often impossible to spot at first glance.

Cybercriminals don’t rely on malware. They rely on trust.

How a Business Email Compromise Attack Happens

Understanding the attack process is the first step in preventing it.

Step 1: Researching Your Business

Attackers gather publicly available information from:

  • Your company website
  • LinkedIn profiles
  • Social media accounts
  • News articles
  • Supplier information

Within hours, they can identify:

  • Company directors
  • Finance managers
  • Payment approval processes
  • Major suppliers
  • Employee email formats

Today’s cybercriminals often use Artificial Intelligence to speed up this research, making attacks more targeted than ever before.

Step 2: Creating a Convincing Fake Identity

The attacker may compromise an executive’s email account through phishing or simply register a lookalike domain.

For example:

yourcompany.com

becomes

yourcompany-bvi.com

At a quick glance, the difference is almost impossible to notice.
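The check a mail filter or finance team can run against this trick, as an added example that is not part of the original article: it compares the sender's real address (not the display name) with the organisation's own domains. The names TRUSTED, classify and SAMPLES are illustrative, simple two-label domains are assumed, and the check goes beyond the hyphenated case above to cover typo and different-ending variants as well.

```python
from email.utils import parseaddr

# Assumption: the organisation's real mail domains (placeholder from the article).
TRUSTED = {"yourcompany.com"}

def edit_distance(a, b):
    """Levenshtein distance, used to catch small typo variants."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(from_header, trusted=TRUSTED):
    """Return (verdict, reason) for the address in a From header."""
    # parseaddr skips the display name, which the sender fully controls.
    local, at, domain = parseaddr(from_header)[1].rpartition("@")
    domain = domain.lower().rstrip(".")
    if not at or not domain:
        return ("unparseable", "")
    if any(domain == t or domain.endswith("." + t) for t in trusted):
        return ("trusted", "")
    for t in trusted:
        brand = t.split(".")[0]  # assumes simple two-label domains
        for label in domain.split("."):
            if label == brand:
                return ("lookalike", "brand-under-other-domain")
            if brand in label.split("-"):
                return ("lookalike", "hyphenated-affix")
            # Length guard keeps short brand names from matching everything.
            if len(brand) > 5 and edit_distance(label, brand) <= 2:
                return ("lookalike", "typo-variant")
    return ("external", "")

# Constructed sample From headers, not taken from real mail.
SAMPLES = [
    '"Managing Director" <md@yourcompany.com>',
    '"md@yourcompany.com" <md@yourcompany-bvi.com>',
    "accounts@yourcornpany.com",
    "billing@yourcompany.co",
    "sales@supplier.example",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(classify(header), header)
```

A "lookalike" verdict is a reason to verify the request through a trusted phone number before any payment is made.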

Step 3: Sending the Fraudulent Request

A carefully crafted email lands in your finance team’s inbox.

It requests:

  • An urgent wire transfer
  • A payment to a “new” supplier account
  • Updated banking details
  • A confidential financial transaction

The message often creates urgency while discouraging verification.

“I’m travelling today. Please handle this urgently.”

Step 4: The Payment Is Made

Because the request appears genuine, staff follow normal procedures.

No one realises anything is wrong until the legitimate executive asks about the payment, sometimes days later.

By then, the funds have disappeared.

Why Caribbean Businesses Are Increasingly Targeted

Many Caribbean businesses are small or medium-sized enterprises with lean finance teams and limited cybersecurity resources.

Criminals know this.

They also know that businesses often work closely with international suppliers, remote teams, and overseas banking partners, making payment requests a routine part of daily operations.

This creates the perfect environment for Business Email Compromise.

According to the FBI’s Internet Crime Report, Business Email Compromise caused more than US$2.7 billion in reported losses during 2024, making it one of the costliest forms of cybercrime globally.

For Caribbean businesses, a successful attack can result in losses ranging from US$20,000 to US$150,000, money that is often impossible to recover.

Three Simple Controls That Stop Most BEC Attacks

The good news is that preventing Business Email Compromise doesn’t require expensive technology.

It requires consistent security practices.

1. Enable Multi-Factor Authentication (MFA)

Every business email account should be protected with Multi-Factor Authentication.

Even if passwords are stolen, MFA adds an extra layer of security that prevents attackers from accessing email accounts.

2. Introduce a Payment Verification Policy

Any payment above a predetermined amount should require verbal confirmation using a trusted phone number, not the contact information included in the email.

One quick phone call can prevent thousands of dollars in losses.

3. Train Employees Regularly

Technology alone cannot stop social engineering.

Employees should know how to identify:

  • Fake email domains
  • Unusual payment requests
  • Changes in banking details
  • Urgent messages requesting secrecy
  • Executive impersonation attempts

Regular cybersecurity awareness training helps employees recognise these warning signs before they become costly mistakes.

A Quick Security Checklist

Ask yourself these questions:

✔ Is Multi-Factor Authentication enabled on every business email account?

✔ Do finance staff verify payment requests by phone?

✔ Are employees trained to recognise Business Email Compromise?

✔ Can staff identify fake email domains?

✔ Is there a documented payment approval process?

If you answered “No” to any of these questions, your business may be exposed to unnecessary risk.

Final Thoughts

Business Email Compromise succeeds because it targets people, not technology.

Cybercriminals understand how businesses operate, how trust is built, and how urgency influences decision-making.

The strongest defence isn’t expensive software. It’s a combination of secure email accounts, clear payment verification procedures, and well-trained employees.

When these controls are in place, most Business Email Compromise attacks fail before they begin.

The best time to prepare is before the next suspicious email lands in your inbox.

Protect Your Business Before It Becomes the Next Target

At UBIQUITY Ltd, we help Caribbean businesses strengthen their cybersecurity through practical risk assessments, email security, employee awareness training, disaster recovery planning, and business continuity strategies.

If you’re unsure whether your organisation is protected against Business Email Compromise, now is the time to find out.

Book a Cybersecurity Assessment today and gain clarity on where your business may be vulnerable before attackers do.

📧 Email: glemmon@ubiquityltd.com
📞 Phone: +1 (284) 547-6754