Prevent a BEC Attack

Business Email Compromise (BEC) attacks are a major cybercrime threat to Australian businesses. Our guide can help you better understand the nature and types of BEC attacks and provide advice on how to prevent a BEC attack in your business.

What is a BEC Attack?

According to the Australian Cyber Security Centre, Business Email Compromise (BEC) is an online scam where a cybercriminal impersonates another business representative to trick an employee, customer or vendor into transferring money or sensitive information to the scammer.

Because these scams often use no malicious links or attachments, they can get past anti-virus programs and spam filters. The emails can include invoices or fines, and may threaten to cancel your service or charge an excessive penalty if you don’t pay immediately.

Because of its low cost to carry out and its high returns, this type of attack is quickly becoming one of the fastest growing online business scams.

Australian businesses reported more than 5800 scams with losses exceeding $7.2 million in 2018, a 53 per cent increase compared to 2017, according to the ACCC’s Targeting Scams report.

Much of this increase is due to the $3.8 million reported lost to sophisticated ‘business email compromise’ scams. When combined with losses reported to the Australian Cybercrime Online Reporting Network, these scams cost Australian businesses over $60 million.

Criminals are constantly developing increasingly sophisticated BEC techniques that often include a combination of social engineering, email phishing, email spoofing and malware.
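The impersonation these techniques rely on leaves traces in message headers that a mail gateway or security team can check even when the email carries no malicious attachment or link. The following is an added example, not code from the original article or from Surety IT: the organisation domain, the executive name, the urgency word list and both sample messages are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed organisation data for this example (hypothetical values).
OWN_DOMAINS = {"example.com.au"}
EXECUTIVES = {"jane citizen"}          # display names staff would trust on sight
URGENCY_WORDS = ("urgent", "wire", "transfer", "invoice", "today")

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def bec_indicators(raw_message):
    # Returns the BEC warning signs found in one raw RFC 5322 message.
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    findings = []
    # 1. Executive display name on an address outside the organisation (CEO-fraud pattern).
    if name.strip().lower() in EXECUTIVES and from_domain not in OWN_DOMAINS:
        findings.append(f"display name '{name}' sent from external domain {from_domain}")
    # 2. Reply-To steering any answer to a domain other than the visible sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append(f"Reply-To domain {_domain(reply_addr)} differs from From domain {from_domain}")
    # 3. Pressure to pay now, the social-engineering lever the article describes.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if len(hits) >= 2:
        findings.append("urgent payment language: " + ", ".join(hits))
    return findings

# Constructed sample: a CEO-fraud style request (all three indicators present).
SUSPECT = """From: Jane Citizen <jane.citizen@examp1e-mail.com>
Reply-To: Jane Citizen <jc.private@freemail.example>
To: accounts@example.com.au
Subject: Urgent transfer needed today
Content-Type: text/plain; charset="utf-8"

I'm in a meeting and can't take calls. Please process this supplier transfer before close of business today.
"""

# Constructed sample: a legitimate internal message (no indicators).
CLEAN = """From: Jane Citizen <jane.citizen@example.com.au>
Subject: Team lunch
Content-Type: text/plain; charset="utf-8"

Team lunch is on Friday, see you there.
"""
```

Calling `bec_indicators(SUSPECT)` returns three findings and `bec_indicators(CLEAN)` returns an empty list; in practice such flags should route the message to a human reviewer rather than block it outright, since the article's advice to confirm by phone is still the decisive control.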

Types of BEC Attacks

  1. Invoice Scams

Attackers pretending to be suppliers issue fraudulent invoices for payments to an account owned by the fraudster.

  2. CEO Fraud

Attackers pose as the CEO or an executive and send an email to employees in finance, requesting them to send sensitive information or transfer money to an account the fraudster controls.

  3. Account Compromise

Email account compromise (EAC), also known as account hijacking, occurs when a senior-level employee’s account is hacked and used to request invoice payments to vendors listed in their account contacts. Payments are sent to fraudulent accounts.

  4. Lawyer Impersonation

Attackers pretend to be a solicitor or other law firm employee in charge of confidential and sensitive information.

  5. Data Theft

Human Resource or accounting employees are targeted to obtain personally identifiable information (PII) of employees to be used in future attacks.

How a BEC Attack Works

The goal of a scammer is to gain and abuse your trust. Rather than exploiting a technical weakness, BEC attackers compromise an organisation by exploiting that trust.

Imagine receiving an email from your boss asking you to wire money to someone or requesting highly sensitive information. How likely are you to engage and comply with the request?

Attackers can spend weeks or months gathering information about potential targets, including not only contact information but also details of hobbies, family members and friends. This makes it much easier to hijack accounts and impersonate employees.

How To Prevent a BEC Attack

The very nature of BEC scams makes them difficult for organisations to detect. This is why employee education and additional security awareness training in the following areas are key to identifying and avoiding BEC scams.

Always Verify The Source

Handle requests for money and sensitive information (especially extraordinary requests) cautiously, and with some skepticism.

Confirm Requests

If you are not 100% sure that the request is legitimate, confirm the request in person or via a phone call.

Think Before You Click

Think before you open a suspicious message or click on a suspicious link.

Be Cautious on Social Media

Social media is a rich source of information for attackers researching potential targets. Implement the safest privacy settings and limit the information you share.

Learn to Identify Phishing Emails

Signs of such attacks include poor spelling, bad grammar, clunky phrasing and poor formatting.

Senior Staff Need to Be Extra Vigilant

Executives and managers are primary BEC targets, so they need to be extra cautious in both their professional and personal lives.

Always Follow Policy

Finance, data and privacy policies are there to protect the organisation and individuals. Always follow policy to minimise risks.

Conduct Regular Training

Every employee will benefit from such training!

Expert Cyber Security Advice and Strategy

For expert advice on protecting your business from cyber attacks, contact Surety IT today.

About the author:

Geoff Stewart


Geoff Stewart is a highly experienced and skilled IT Challenger at Surety IT. His knowledge is based on years of industry experience creating customised, stable, well-performing systems for multi-national companies in the UK and Australia and for Surety IT customers.

Surety IT’s mission is to address and overcome the 4 biggest problems businesses have with their IT systems and support which are: poorly performing systems, unreliable systems, unresponsive IT support and poor IT related advice.

We’ve developed a proprietary process that allows us to do that by: thoroughly understanding your business requirements, gaining an in-depth knowledge of your IT systems, identifying mission critical technology issues vital to your business performance and ensuring our ‘Solution Path’ process is specifically designed and tailored for you with value based solutions and support.

Give us a call or send us a message on our contact page to find out more about how we go about achieving these outcomes.
