Business email compromise (BEC) is one of the most common forms of cyber attack. And it’s hurting our businesses. Last year, the Australian Cyber Security Centre reported an increase in financial losses due to business email compromise to over $98 million – at an average loss of $64,000 per incident.
Managing cyber security may appear overwhelming on top of everything else you have to do. But there are some simple steps you can take to help keep your business secure. In this article we help you understand what business email compromise is, showcase some tricks scammers use to deceive people and explain how you can build a stronger cyber security culture.
Business email compromise (BEC) is a type of scam where criminals attempt to trick businesses into wiring payments into their bank accounts or disclosing sensitive information.
It takes different forms. In some BEC attacks, criminals gain access to email accounts and attempt to trick staff, customers, or suppliers into making payments or divulging confidential company information.
Scammers often conduct these attacks by breaching email accounts using stolen credentials or guessable passwords.
But in many cases criminals need not steal credentials for business email accounts; a swiped social media login could work if the victim uses the same password. And research from YouGov revealed that almost 80 percent of people use the same password across more than one account.
Anyone in an organisation can fall victim to BEC scams, but certain groups more likely to be targeted:
With email being the most common entry point for all cyber attacks, here are four types of business email compromise to look out for.
The scammer pretends to be from a supplier requesting payment for services. In this type of cyber attack, a realistic or identical company invoice template is used, but the bank account information has been changed to one held by the scammer.
A scammer assumes the digital identity of a company leader, instructing an employee to take some form of action. One of the most common is to request the purchase of digital gift cards as a ‘bonus’ for an internal team.
Having gained control of a staff member’s email account, such as someone working in finance, the scammer could, for example, contact customers to demand payment of overdue invoices and direct payments into a bank accounts they own.
Some business email compromise attacks aim to steal data. Hackers are occasionally ‘hired’ to steal highly sensitive company information, such as intellectual property, which they can attempt to obtain using compromised privileged email accounts.
The risk of reputation damage and loss of money can be reduced through a few simple actions:
Cyber security training and building a strong cyber culture is one of the most effective defences against business email compromise attacks. Put your people through cyber security training to enable them to identify and respond to these forms of cyber attacks.
Here, two or more methods are used to authenticate people, and usually through a personal item such as a mobile phone. In addition to entering your password, people are required to enter a code or PIN generated on their phone.
Validating the accuracy of bank account information over the phone with a supplier or customer prior to making a significant payment can help identify fraudulent invoices. This validation should not be made over email.
Business email compromise is a form of phishing, so it’s important to be vigilant in spotting potential scams targeting your business. And using an anti-phishing solution can help protect your business from a cyber attack or data breach. These solutions are designed to identify the common traits associated with business email compromise.
Reviewing the devices that are currently logged into an email account can help identify suspicious access. Any logged in devices no longer in use should be removed.
If you succumb to a data breach, the last thing you need is panic in the aftermath. You should know in advance what to do if you’re targeted by cyber crime by crafting an incident response plan. This helps you understand the steps you need to take to not only prepare for, but to detect, contain, and recover from a cyber attack.
There are plenty of ways in which you can help protect your business from cyber attack and business email compromise, however these are considered the very minimum you should implement to help safeguard your reputation and keep scammers from stealing money.
YouGov conducted research online between 6-7 February 2023, sample comprised of 1,011 Australians 18 years and older. All figures, unless otherwise stated, are from YouGov Plc. Total sample size was 1011 adults. Fieldwork was undertaken between 6th – 7th February 2023. The survey was carried out online. The figures have been weighted and are representative of all Australian adults (aged 18+).
By signing up for Cyber Wardens, a program from the Council of Small Business Organisations of Australia (COSBOA) that aims to educate businesses like yours on how to help fight online threats.
Learn how to choose the right technology solutions. Get help to boost efficiency, build skills, and integrate tech.
