Recognising and preventing Business Email Compromise scams

Australian businesses lost over $7 million from email scams last year, with $3.8 million reportedly stolen due to ‘Business Email Compromise’ scams. These scams are hitting more and more Australian businesses with costly consequences.  How can you recognise a Business Email Compromise scam and what can you do to prevent falling victim to one?

What is a Business Email Compromise?

A ‘Business Email Compromise’ (or ‘BEC’) is where a scammer hacks a business email system and impersonates someone who is an intended payment recipient. The scammer requests changes to bank account details so that the business makes the payment to the scammer instead of the legitimate business.

How is a Business Email Compromise perpetrated?

  1. Using social media and web research, a scammer adopts the identity of a trusted supplier or employee, typically a senior manager or C-level executive. In some cases, the scammer may gain access to their UserID and password via a ‘free’ WiFi network, malware or exploiting a weakness in an app. They then use the hijacked name with a ‘lookalike’ email address and stolen brand imagery.
  2. Posing as a senior staff member, the perpetrator emails an employee at the target organisation – usually in finance, accounts payable or payroll – who has authority to pay cash, change bank details or access sensitive information. They often start by ‘grooming’ the employee to build rapport and create trust, before asking the employee to take action.
  3. Once the perpetrator establishes trust, they drive the employee to either provide a copy of the organisation’s finance manual (or similar) or make an ‘urgent’ electronic funds transfer (EFT) to a specific bank account, or change a valid supplier or employee’s bank account.
  4. Once the payment is made, this money is transferred or split across other banks, and then sent overseas or withdrawn from the compromised bank account of some other unsuspecting victim (as often seen in money laundering).

The theft is only discovered once the supplier or employee becomes aware that they haven’t received their payment, which can be after multiple payments. This gives the perpetrator time to siphon the funds off and makes recovery almost impossible. It usually leaves the victim with no recourse except to claim the theft on their insurance.

How businesses can mitigate these risks

These four strategies can protect your organisation from the consequences of a Business Email Compromise attack.

1. Educate and empower your employees

  • Employee awareness – Make your employees aware of BEC scams (and their many variants). Defences can fade over time, so provide your employees with training updates to build an ongoing resilient defence against emerging variants of these scams.
  • Policies and procedures – Check that your policies, procedures and controls are effective for mitigating these types of scams. For example, any request for money should be checked with a call to a known phone number. Possibly also send a follow-up email to a known email address to notify the supplier or employee.
  • Empowered employees – Empower your employees to embrace their ‘gut instinct’ and to check with a manager if they feel uncertain about a request, even if it appears to be coming from the CEO. This small amount of extra time is insignificant in comparison to the impact of a successful scam.

2. Secure your networks

  • Good security controls – Develop and maintain controls to prevent your network being exploited. Implement mitigation strategies particularly for computers used by your finance, human resources and senior executive teams.
  • Two factor identification – Scammers will often try to trick a user into supplying email login credentials to a fake website. These credentials will then be used to log in to the account and send out BEC content to your contacts. Use strong multi-factor authentication to prevent scammers from using your email login details.

3. Block emails coming from your own domain (spoofed)

  • Implement email sender validation controls to prevent others from spoofing your domain and help you technically identify a spoofed email.
  • Configure your email server to reject emails that do not originate from the email servers approved by the sender’s organisation.
  • Consider registering domains that look similar to your organisation’s domain (for example, replace letters such as “l” and “o” in your company name with digits such as “1” and “0”). This will help prevent malicious actors from using look-alike domains to spoof emails from your business.

4. Agree a Business Email Compromise incident response plan

Know how to respond if the ‘unthinkable’ occurs. It’s imperative to have a consistent incident response plan in place. Time is of the essence and every passing moment reduces the likelihood of the funds being recovered. Organisations that may need to be contacted include:

  • Your bank and the bank to whom the funds were transferred to see if the funds can be halted / returned.
  • Local law enforcement and the Australia Cybercrime Online Reporting Network to consider what criminal investigation may ensue.
  • Your organisation’s insurance company, assuming you have relevant insurance in place.

Lastly, whilst such a scam may bear the hallmarks of an external Business Email Compromise attack, any investigation should be conscious of the ‘Insider Threat’. There are examples where an attack has involved collusion or been entirely perpetrated by a staff member or vendor.

The Australian Cybersecurity Centre outlines other BEC attack variants, with useful links to further guidance on prevention.

Accru Felsers offers a range of audit & assurance services to help protect organisations from risk. If you would like to learn more, please contact your local advisor.

About the Author
Steven Zabeti , Accru Felsers Sydney
Steven communicates with his clients regularly, offering business support and practical solutions. He’s known for building good working relationships and providing consistent professional service with an entrepreneurial flair that adds value to engagements.