Talk to a local business expert
Request a callback from your local Telstra Business Technology Centre and we'll be in touch to discuss your needs.
Discover what business email compromise is and how to help prevent a cyber attack or data breach in your business.
Business email compromise (BEC) is one of the most common forms of cyber attack. And it’s hurting our businesses. Last year, the Australian Cyber Security Centre reported an increase in financial losses due to business email compromise to over $98 million – at an average loss of $64,000 per incident.
Managing cyber security may appear overwhelming on top of everything else you have to do. But there are some simple steps you can take to help keep your business secure. In this article we help you understand what business email compromise is, showcase some tricks scammers use to deceive people and explain how you can build a stronger cyber security culture.
Business email compromise (BEC) is a type of scam where criminals attempt to trick businesses into wiring payments into their bank accounts or disclosing sensitive information.
It takes different forms. In some BEC attacks, criminals gain access to email accounts and attempt to trick staff, customers, or suppliers into making payments or divulging confidential company information.
Scammers often conduct these attacks by breaching email accounts using stolen credentials or guessable passwords.
But in many cases criminals need not steal credentials for business email accounts; a swiped social media login could work if the victim uses the same password. And research from YouGov revealed that almost 80 percent of people use the same password across more than one account.
Anyone in an organisation can fall victim to BEC scams, but certain groups are more likely to be targeted:
With email being the most common entry point for all cyber attacks, here are four types of business email compromise to look out for.
The scammer pretends to be from a supplier requesting payment for services. In this type of cyber attack, a realistic or identical company invoice template is used, but the bank account information has been changed to one held by the scammer.
A scammer assumes the digital identity of a company leader, instructing an employee to take some form of action. One of the most common is to request the purchase of digital gift cards as a ‘bonus’ for an internal team.
Having gained control of a staff member’s email account, such as someone working in finance, the scammer could, for example, contact customers to demand payment of overdue invoices and direct those payments into a bank account they own.
Some business email compromise attacks aim to steal data. Hackers are occasionally ‘hired’ to steal highly sensitive company information, such as intellectual property, which they can attempt to obtain using compromised privileged email accounts.
The risk of reputation damage and loss of money can be reduced through a few simple actions:
Cyber security training and a strong cyber culture are among the most effective defences against business email compromise attacks. Put your people through cyber security training so they can identify and respond to these forms of cyber attack.
With multi-factor authentication, two or more methods are used to verify a person’s identity, usually involving a personal item such as a mobile phone. In addition to entering a password, people are required to enter a code or PIN generated on their phone.
Validating the accuracy of bank account information over the phone with a supplier or customer prior to making a significant payment can help identify fraudulent invoices. This validation should not be made over email.
Business email compromise is a form of phishing, so it’s important to be vigilant in spotting potential scams targeting your business. And using an anti-phishing solution can help protect your business from a cyber attack or data breach. These solutions are designed to identify the common traits associated with business email compromise.
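The “common traits” that anti-phishing tools look for include several already described on this page: a leader’s name on an email that does not come from the company domain, a Reply-To that silently redirects the conversation elsewhere, a sender domain that is one letter off from yours, and language pressing for gift cards or new bank details. The example below is added here to show those checks in working form; it is not code from the original article or from any vendor product. The company domain, the protected name and the three sample messages are all constructed for the example, and the keyword list is a deliberately simple heuristic, not a substitute for a real filtering product.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values for the example: the defender's own domain and one executive whose
# display name scammers might borrow for "CEO fraud".
COMPANY_DOMAIN = "example-business.com.au"
PROTECTED_NAMES = {"jane citizen": "jane.citizen@example-business.com.au"}

# Crude keyword heuristic for the payment-pressure wording BEC messages tend to use.
PRESSURE_PATTERN = re.compile(
    r"\b(urgent|gift cards?|new bank details|updated account|account details)\b", re.I
)


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (one letter dropped or swapped)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """Within two edits of our domain but not actually our domain."""
    return domain != COMPANY_DOMAIN and edit_distance(domain, COMPANY_DOMAIN) <= 2


def analyse(raw_message: str) -> list:
    """Return the BEC traits found in one RFC 822 message (headers, blank line, body)."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = domain_of(from_addr)
    findings = []

    # Replies would go to a different mailbox than the one the message claims to come from.
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append("reply-to-mismatch")
    # Sender domain is a near-miss of ours (typosquat).
    if is_lookalike(from_domain):
        findings.append("lookalike-domain")
    # A protected person's name on an address that is not their real company address.
    key = display_name.strip().lower()
    if key in PROTECTED_NAMES and from_addr.lower() != PROTECTED_NAMES[key]:
        findings.append("display-name-impersonation")
    # Payment-pressure wording in the body (plain-text messages only in this example).
    body = msg.get_payload() if not msg.is_multipart() else ""
    if PRESSURE_PATTERN.search(body):
        findings.append("payment-pressure-language")
    return findings


# Constructed sample messages (not real mail).
SAMPLE_CEO_FRAUD = """From: Jane Citizen <jane.citizen@freemail.example>
Reply-To: jane.citizen@other-freemail.example
To: accounts@example-business.com.au
Subject: Quick favour

Can you buy 10 gift cards for the team today? It's urgent, I'm stuck in a meeting.
"""

SAMPLE_FAKE_INVOICE = """From: Accounts <accounts@example-busines.com.au>
To: accounts@example-business.com.au
Subject: Invoice 1043

Please note our updated account details for the attached invoice.
"""

SAMPLE_LEGITIMATE = """From: Jane Citizen <jane.citizen@example-business.com.au>
To: accounts@example-business.com.au
Subject: Team lunch

Shall we book the team lunch for Friday?
"""

if __name__ == "__main__":
    for label, sample in [("ceo fraud", SAMPLE_CEO_FRAUD),
                          ("fake invoice", SAMPLE_FAKE_INVOICE),
                          ("legitimate", SAMPLE_LEGITIMATE)]:
        print(f"{label}: {analyse(sample)}")
```

Each finding on its own is only a signal; a real product scores several of them together and, for messages that hit the invoice or payment traits, routes them for the out-of-band phone check the next section describes rather than blocking outright.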
Reviewing the devices that are currently logged into an email account can help identify suspicious access. Any logged in devices no longer in use should be removed.
If you succumb to a data breach, the last thing you need is panic in the aftermath. You should know in advance what to do if you’re targeted by cyber crime by crafting an incident response plan. This helps you understand the steps you need to take to not only prepare for, but to detect, contain, and recover from a cyber attack.
There are plenty of ways in which you can help protect your business from cyber attack and business email compromise, but the measures above are the very minimum you should implement to help safeguard your reputation and keep scammers from stealing money.
YouGov conducted the research online between 6 and 7 February 2023. The total sample comprised 1,011 Australians aged 18 years and older. All figures, unless otherwise stated, are from YouGov Plc. The figures have been weighted and are representative of all Australian adults (aged 18+).