DO NOT HIT SEND
Last year Australian businesses lost $132 million to email scams. To reduce the risk of falling victim, follow these strategies.
Australia’s no. 1 scam: business email compromise
In 2019, Australians lost over $634 million to scams. At $132 million, business email compromise (BEC) scams accounted for the highest losses, according to the Australian Competition and Consumer Commission’s Targeting Scams 2019 report. There was also a 120% increase in losses over 2018, with the most financially damaging BEC scams involving invoices between businesses, suppliers or individuals being intercepted and amended with fraudulent banking details. BEC resulted in an average loss of $11,398, but some businesses lost up to $200,000.
Also known as ‘whaling’ or ‘CEO Fraud’, BEC is a form of email fraud that uses social engineering to impersonate trusted identities and trick people into sending money or valuable information.
BEC scams involve targeted phishing and hacking of a business as malicious actors target human weaknesses and the trust employees place in email communication. Typically, the fraudster takes on a trusted identity within the business or impersonates a third-party relationship, such as a business partner or vendor. They may send emails to the business’ clients requesting payment to a fraudulent account, often by manipulating legitimate invoices to include fraudulent account details. They may also impersonate a supplier by intercepting legitimate invoices and changing them to include fraudulent payment details before releasing to the intended recipient. Or impersonate senior company managers requesting staff action money transfers for a supposedly legitimate business purpose. They may even impersonate a staff member and request a change to their ordinary payment account.
These scams affect businesses, suppliers and individuals by tricking people into paying invoices to scammers’ bank accounts instead of the legitimate account. Cybercrims are using increasingly sophisticated techniques that often include a combination of social engineering, email spoofing and malware.
What can businesses do to limit the risk of falling victim to BEC attacks? Follow these strategies:
- Take a ‘defence in depth’ approach to cyber security
- Install anti-spam, anti-virus and malware detection. Implement a solution that detects advanced and evasive keylogging and other malware used by BEC.
- Use email authentication such as Domain-based Message Authentication, Reporting and Conformance (DMARC) which ensures legitimate emails are properly authenticated against established DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) standards, and that fraudulent activity spoofing domains under the business’ control are blocked.
- Use an email security solution that can flag certain keywords that are commonly used in BEC attacks, such as “payment” (found in 30% of BEC attacks), “urgent” (21%) or “request” (21%).
- Identify and block emails from lookalike domains (e.g. www.ato.g0v.au).
- Consider registering all domain names similar to the company name to help combat typosquatting.
- Set up protocols, policies and procedures for verifying and paying accounts
- Use multifactor authentication for any release of funds. Consider a procedure where two different people need to authorise a payment.
- Make sure that a formal payment or transfer process is documented and well communicated with the entire office. Provide clarity around who in the business is authorised to request financial transactions (type, value etc.) and who can action them.
- Ensure any request for payments, transfers etc. is confirmed directly with the requester (in person, via phone or by creating a new email and sending to the address stored in the system – never replying to the email received).
- Analyse the content and context of email messages. Examine the sender or reply-to address and check it hasn’t been sent from a spoof domain. Be alert for strange sentence structure or phrasing uncommon to the apparent sender. Consider the sender and receiver reputations and relationship history to help validate the message.
- Educate staff
- Ensure all employees are aware of the formal transfer procedure in place and what to do if they ever receive unusual requests.
- Train employees to recognise phishing emails and scams.
- Remind those paying accounts/transferring monies that account credentials and passwords should never be provided in response to emails but rather should be entered directly inside bank apps or internet banking.
- Invest in a Cyber Liability insurance policy. Talk to your EBM Account Manager about cyber risk mitigation and the insurance products available to help protect the business’ finances and reputation in the event of a cyber incident.
Share this article: