How To Prevent a BEC Attack

Business Email Compromise (BEC) attacks are a major cybercrime threat to Australian businesses. Our guide can help you better understand the nature and types of BEC attacks and provide advice on how to prevent a BEC attack in your business.

What is a BEC Attack?

According to the Australian Cyber Security Centre, Business Email Compromise (BEC) is an online scam where a cybercriminal impersonates another business representative to trick an employee, customer or vendor into transferring money or sensitive information to the scammer.

Because these scams often contain no malicious links or attachments, they pass the anti-virus programs and spam filters that look for them. The emails can include invoices or fines, sometimes with a threat to cancel your service or charge an excessive penalty if you don’t pay immediately.

Because the attacks are cheap to run and pay well, BEC is one of the fastest-growing online business scams.

Australian businesses reported more than 5800 scams with losses exceeding $7.2 million in 2018, a 53 per cent increase compared to 2017, according to the ACCC’s Targeting Scams report.

Much of this increase is due to the $3.8 million reported lost to sophisticated ‘business email compromise’ scams. When combined with losses reported to the Australian Cybercrime Online Reporting Network, these scams cost Australian businesses over $60 million.

Criminals are constantly developing increasingly sophisticated BEC techniques that often include a combination of social engineering, email phishing, email spoofing and malware.

Types of BEC Attacks

  1. Invoice Scams

Attackers pretending to be suppliers issue fraudulent invoices, or notify a change of bank details, so that payments go to an account owned by the fraudster.

  2. CEO Fraud

Attackers pose as the CEO or another executive and email employees in finance, requesting them to send sensitive information or transfer money to an account the fraudster controls.

  3. Account Compromise

Email account compromise (EAC), also known as account hijacking, occurs when a senior-level employee’s mailbox is taken over and used to request invoice payments from the customers and vendors in that account’s contacts. Because the mail genuinely comes from the real account, it passes every sender check, and the payments go to fraudulent accounts.

  4. Lawyer Impersonation

Attackers pretend to be a solicitor or other law firm employee in charge of confidential and sensitive information, often citing urgency or confidentiality to discourage the target from checking.

  5. Data Theft

Human resources or accounting employees are targeted to obtain personally identifiable information (PII) of employees, which is then used to make future attacks more convincing.

How a BEC Attack Works

The goal of a scammer is to gain and abuse your trust. Rather than exploiting a technical vulnerability, BEC attackers compromise an organisation by exploiting this trust.

Imagine receiving an email from your boss asking you to wire money to someone or requesting highly sensitive information. How likely are you to engage and comply with the request?

Attackers can spend weeks or months gathering information about potential targets: not only contact details and reporting lines, but also hobbies, family members and friends. This makes it much easier to hijack accounts and to impersonate employees convincingly.

How To Prevent a BEC Attack

The very nature of BEC scams makes them difficult for organisations to detect with technical controls alone. This is why employee education and additional security awareness training in the following areas is key to identifying and avoiding BEC scams.

Always Verify The Source

Handle requests for money and sensitive information (especially unusual or urgent requests, and any change of bank details) cautiously and with some skepticism. Check the actual sender address, not just the display name, and look at where a reply would go.

Confirm Requests

If you are not 100% sure that the request is legitimate, confirm it in person or by phone, using a number you already hold or can look up independently, never a number or link supplied in the email itself.

Think Before You Click

Think before you open a suspicious message or click on a suspicious link.

Be Cautious on Social Media

Social Media is a great source for data mining potential targets. Implement the safest privacy settings and limit the information you share.

Learn to Identify Phishing Emails

Signs of such attacks include poor spelling, bad grammar, clunky phrasing and poor formatting. Well-crafted BEC emails have none of these, so also look for a sender domain that almost matches the real one (a swapped letter, an extra letter, a digit in place of a letter), a Reply-To address that differs from the From address, unusual urgency or secrecy, and a request to change payment details.

Senior Staff Need to Be Extra Vigilant

Executives and managers are primary BEC targets, both to impersonate and to compromise, so they need to be extra cautious in both their professional and personal lives.

Always Follow Policy

Finance, data and privacy policies are there to protect the organisation and individuals. Always follow policy to minimise risks.

Conduct Regular Training

Every employee will benefit from such training!
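The sender checks described under "Always Verify The Source" and "Learn to Identify Phishing Emails" can be automated for triage. The script below is an added example and is not code from the original article or from Surety IT. It parses a raw email and flags the indicators discussed above: a known executive's display name on a foreign address, a Reply-To that points elsewhere, a lookalike of the organisation's own domain, SPF/DKIM/DMARC results that did not pass, and urgency or payment language. The organisation domain `example.com.au`, the executive `Jane Citizen` and both sample messages are constructed for the example.

```python
"""Flag common BEC indicators in a raw email message.

Added example, not part of the original article. The organisation's
domain, the executive list and the two sample messages below are
constructed; adjust ORG_DOMAIN and EXECUTIVES for a real deployment.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

ORG_DOMAIN = "example.com.au"                                # assumed: the defender's own domain
EXECUTIVES = {"jane citizen": "jane.citizen@example.com.au"}  # assumed: known senior staff
URGENCY = re.compile(r"\b(urgent|immediately|wire|transfer|new bank|account details)\b", re.I)

# Characters attackers substitute for visually similar ones (homoglyphs).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def normalise(domain: str) -> str:
    """Lower-case, map lookalike digits to letters and collapse 'rn' to 'm'."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m")


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True when the domain is not ours but reads like ours after normalisation."""
    d, org = normalise(domain), normalise(ORG_DOMAIN)
    return domain.lower() != ORG_DOMAIN and (d == org or edit_distance(d, org) <= 2)


def bec_indicators(raw: bytes) -> list[str]:
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2]

    # 1. Display name of a known executive, but the address is not theirs.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"display-name impersonation: '{name}' but address is {addr}")

    # 2. Reply-To on a different domain than From: replies go to the attacker.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != from_domain.lower():
        findings.append(f"reply-to mismatch: From {from_domain} vs Reply-To {reply}")

    # 3. Lookalike of our own domain (rn for m, 1 for l, an extra letter, ...).
    if is_lookalike(from_domain):
        findings.append(f"lookalike domain: {from_domain}")

    # 4. The receiving mail server's Authentication-Results header records a
    #    failed (or absent) SPF, DKIM or DMARC check for this message.
    auth = msg.get("Authentication-Results", "")
    for mech in ("spf", "dkim", "dmarc"):
        if re.search(rf"\b{mech}=(fail|softfail|none)\b", auth, re.I):
            findings.append(f"{mech} did not pass: {auth.strip()}")

    # 5. Urgency / payment language: weak on its own, meaningful with the above.
    body = msg.get_body(preferencelist=("plain",))
    text = f"{msg.get('Subject', '')} {body.get_content() if body else ''}"
    hits = sorted({m.lower() for m in URGENCY.findall(text)})
    if hits:
        findings.append("urgency/payment language: " + ", ".join(hits))
    return findings


# Constructed sample: CEO-fraud style message from a lookalike domain.
SPOOFED = b"""\
From: Jane Citizen <jane.citizen@examp1e.com.au>
Reply-To: jane.citizen@mail-secure-pay.net
To: accounts@example.com.au
Subject: Urgent wire transfer
Authentication-Results: mx.example.com.au; spf=fail smtp.mailfrom=examp1e.com.au; dmarc=none header.from=examp1e.com.au
Content-Type: text/plain

Please transfer $48,000 to the new bank account below immediately.
"""

# Constructed sample: ordinary internal mail that passes every check.
LEGITIMATE = b"""\
From: Jane Citizen <jane.citizen@example.com.au>
To: accounts@example.com.au
Subject: Q3 budget review
Authentication-Results: mx.example.com.au; spf=pass smtp.mailfrom=example.com.au; dkim=pass header.d=example.com.au; dmarc=pass header.from=example.com.au
Content-Type: text/plain

Attached are the numbers for Thursday's meeting.
"""

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("legitimate", LEGITIMATE)):
        print(label, bec_indicators(sample))
```

The script only reads headers that the receiving mail server has already written (Authentication-Results is added by your own MTA, so a sender cannot forge it on the inside), and it never follows links or opens attachments. Treat the findings as a prompt for the out-of-band phone check, not as a verdict: a compromised genuine account (the EAC case above) produces no sender findings at all, which is exactly why payment-change requests need confirmation regardless of what the email looks like.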

Expert Cyber Security Advice and Strategy

For expert advice on protecting your business from cyber attacks, contact Surety IT today.


About the author:


Ash Klemm

Ash has over 20 years of experience in sales and marketing. His journey from a casual salesperson at Chandlers to State Manager at a national IT distribution company, while battling health issues, including a double lung transplant in 2015, gave him the experience, know-how, tenacity, and marketing insight, to find solutions and help businesses grow. After spending several years in the ivory tower of state management, Ash missed the genuine connection of face to face meetings and helping make a difference to businesses in need. His authentic, conversational, and easy-going nature helps our customers feel at ease and shows them we are a brand to trust. Ash spends his days advocating for our customers to ensure they receive the best possible service in a timely fashion. Ash is also the in house chair builder. His curiosity and natural problem-solving ability make him the perfect first call for all our new customers to help determine what is wrong, how Surety IT can help and what the best solutions are moving forward.