Business Email Compromise (BEC) attacks are a major cybercrime threat to Australian businesses. Our guide can help you better understand the nature and types of BEC attacks and provide advice on how to prevent a BEC attack in your business.
What is a BEC Attack?
According to the Australian Cyber Security Centre, Business Email Compromise (BEC) is an online scam where a cybercriminal impersonates another business representative to trick an employee, customer or vendor into transferring money or sensitive information to the scammer.
As these scams don’t often use malicious links or attachments, they can get past anti-virus programs and spam filters. These emails can include invoices or fines that may include threats to cancel your service or charge an excessive penalty if you don’t pay immediately.
This type of attack, due to the low implementation cost and high returns, is quickly becoming one of the fastest growing online business scams.
Australian businesses reported more than 5800 scams with losses exceeding $7.2 million in 2018, a 53 per cent increase compared to 2017, according to the ACCC’s Targeting Scams report.
Much of this increase is due to the $3.8 million reported lost to sophisticated ‘business email compromise’ scams. When combined with losses reported to the Australian Cybercrime Online Reporting Network, these scams cost Australian businesses over $60 million.
Criminals are constantly developing increasingly sophisticated BEC techniques that often include a combination of social engineering, email phishing, email spoofing and malware.
Types of BEC Attacks
- Invoice Scams
Attackers pretending to be suppliers issue fraudulent invoices for payments to an account owned by the fraudster.
- CEO Fraud
Attackers pose as the CEO or an executive and send an email to employees in finance, requesting them to send sensitive information or transfer money to an account the fraudster controls.
- Account Compromise
Email account compromise (EAC), also known as account hijacking, occurs when a senior-level employee’s account is hacked and used to request invoice payments to vendors listed in their account contacts. Payments are sent to fraudulent accounts.
- Lawyer Impersonation
Attackers pretend to be a solicitor or other law firm employee in charge of confidential and sensitive information.
- Data Theft
Human Resource or accounting employees are targeted to obtain personally identifiable information (PII) of employees to be used in future attacks.
How a BEC Attack Works
The goal of a scammer is to gain and abuse your trust. Rather than exploiting technical security, BEC attackers manage to compromise an organisation through exploiting this trust.
Imagine receiving an email from your boss asking you to wire money to someone or requesting highly sensitive information. How likely are you to engage and comply with the request?
Attackers can spend weeks or months gathering information about potential targets, including not only contact information, but also details of hobbies, and family members and friends. This makes it much easier to hijack accounts and impersonate employees.
How To Prevent a BEC Attack
The very nature of BEC scams makes it difficult for organisations to detect. This is why employee education and additional security awareness training in the following areas is key to identifying and avoiding BEC scams.
Always Verify The Source
Handle requests for money and sensitive information (especially extraordinary requests) cautiously, and with some skepticism.
If you are not 100% sure that the request is legitimate, confirm the request in person or via a phone call.
Think Before You Click
Think before you open a suspicious message or click on a suspicious link.
Be Cautious on Social Media
Social Media is a great source for data mining potential targets. Implement the safest privacy settings and limit the information you share.
Learn to Identify Phishing Emails
Signs of such attacks include poor spelling, bad grammar, clunky phrasing and poor formatting.
Senior Staff Need to Be Extra Vigilant
Executives and Managers are primary BEC targets, so they need to be extra cautious in both their professional and personal lives.
Always Follow Policy
Finance, data and privacy policies are there to protect the organisation and individuals. Always follow policy to minimise risks.
Conduct Regular Training
Every employee will benefit from such training!
Expert Cyber Security Advice and Strategy
For expert advice on protecting your business from cyber attacks, contact Surety IT today.