Move over ransomware – business email comprise has business owners concerned
A cybercrime was reported every six minutes and cost small businesses an average of $46,000 last financial year. The Australian Signals Directorate (ASD) says incidents surged 23% in 2022-23 and the cost to small businesses was up 53% from 2020-21.
The ASD’s Cyber Threat Report 2022-2023 found the costs for medium-sized enterprises averaged $97,000 in FY23, with large businesses less financially impacted, with an average cost of $72,000.
While ransomware remains the most destructive cybercrime threat, the ASD noted that the top crimes reported by Australian businesses were business email compromise (BEC) and BEC-related fraud.
BEC is an effective technique which enables cybercriminals to exploit trust in business processes and relationships for financial gain. Cybercriminals can compromise the genuine email account of a trusted sender, or impersonate a trusted sender, to solicit sensitive information, money or goods from business partners, customers or employees.
A popular way BEC fraud is committed is by gaining access to the email account of a business and sending an invoice with new bank account details to a customer of that business. The customer pays the invoice using the fraudulent bank account details – with the fraud often only detected after a customer has paid the cybercriminal.
It is also lucrative. In FY23, the total self-reported BEC losses to ReportCyber was almost $80 million. More than 2,000 reports were made with an average financial loss of over $39,000.
According to the FBI’s Internet Crime Complaints Center, globally, BEC schemes have grown 2,370% since 2015 – with the scams involving US$5.3 billion in actual and attempted losses.
In light of these alarming statistics, it is crucial for businesses to be proactive in safeguarding email communication from BEC scams.
Tips to reduce the risk of your business falling victim include:
Security measures
- Adopt a strong password policy – requiring employees to use and periodically change complex passwords or passphrases.
- Turn on multi-factor authentication for business email accounts – this type of authentication requires multiple pieces of information to log in, such as a password and a dynamic pin, code, or biometric which makes it more difficult for a cybercriminal to gain access to employee emails.
- Install email filters, anti-virus, anti-spam and malware detection software – use a solution that detects advanced and evasive keylogging and other malware used by BEC. These can help detect and block malicious emails before they reach the user’s inbox.
- Establish strict approval procedures for financial transactions – including verifying the requestor’s identity and confirming the request’s validity through multiple channels such as phone, email and in-person.
- Set up automatic labelling of external emails to help prevent the impersonation of employees.
- Register additional domain names – domain spoofing uses slight variations in legitimate email addresses to deceive BEC victims. Registering domain names similar to yours can help protect against email spoofing.
- Protect domain names – if your domain name expires, it will become available for anyone to purchase. Remember to renew your domain names, even if you don’t use them anymore.
- Set up email authentication protocols for business domains – talk to your service provider about adding authentication such as Domain-based Message Authentication, Reporting and Conformance (DMARC) which ensures legitimate emails are properly authenticated against established DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) standards.
- Monitor email traffic and usage – this can help identify unusual patterns or behaviours indicating a BEC attack.
Procedures and protocols
- Implement policies and protocols for email communication.
- Use multifactor authentication for any release of funds. Consider a procedure where two different people need to authorise a payment.
- Consider introducing an approval process for requests that involve large transfers.
- Standardise validation for payments and account changes with your customers and business partners.
- Create controls for the validation of new or revised payment information including account or contact information changes.
- Make sure that a formal payment or transfer process is documented and communicated well with the entire office. Provide clarity around who in the business is authorised to request financial transactions (type, value etc.) and who can action them.
- Ensure any request for payments, transfers or any other transactions are confirmed directly with the requester – provide employees with clear guidance on how to verify account details and to think critically before actioning unusual requests.
- Have a process to report (and escalate) threatening demands for immediate action, pressure for secrecy or requests to circumvent protective business processes.
Employee education and awareness
- Train employees to recognise phishing emails, fake domains and other social engineering tactics cybercriminals often use.
- Ensure employees understand and follow the procedures for verifying requests for money transfer or sensitive information.
- Regularly educate your executives and payments staff about BEC and how they can prevent it.
- Remind employees paying accounts/transferring monies that account credentials and passwords should never be provided in response to emails but rather should be entered directly inside bank apps or internet banking.
- Ensure employees know to always be cautious of emails with:
– requests for money, especially if urgent or overdue
– bank account changes
– attachments, especially from unknown or suspicious email addresses
– requests to check or confirm login details, or
– unexpected or suspicious links. - Provide ongoing security training including basics such as:
– Not opening any email from unknown parties. If they do, they shouldn’t click on links or open attachments as these often contain malware that accesses your computer system.
– Double-checking the sender’s email address. A spoofed email address often has an extension similar to the legitimate email address. For example, a fraudulent jsmith@your_company.com.au instead of the legitimate jsmith@your-company.com.au.
– “Forward”ing and not “reply”ing to business emails. By forwarding the email, the correct email address has to be manually typed in or selected from the address book. Forwarding ensures the intended recipient’s correct e-mail address is used.
– Always verifying before sending money or data. - Train employees to analyse the content and context of email messages – for example, examining the sender or reply-to address and checking it hasn’t been sent from a spoof domain; and being alert for strange sentence structure or phrasing uncommon to the apparent sender.
- Help employees understand sender and receiver reputations and relationship history to help validate the message. Knowing your customers’ and vendors’ habits can help identify fraudulent requests.
- Provide guidance on protecting privacy – cybercriminals can learn a lot about someone by doing a simple Google search and using this information helps them appear more credible if they pretend to be that employee in an email. Caution employees about posting information online that identifies where they work, what their position is, or their email addresses.
It is also important to safeguard your business with the right cyber insurance policy. Talk to your EBM Account Manager about policy options to help protect the business’ finances and reputation in the event of a BEC incident.