Business email compromise, a fast growing scam

The Melbourne Joint Cyber Security Centre (JCSC) hosted a two-hour seminar yesterday on Business Email Compromises (BECs), which many cyber security experts consider to be the major current cybercrime threat to business.

The seminar provided information to small and medium business representatives, as these sectors are particularly targeted by cybercriminals who are perpetrating BECs.

The JCSC worked with Small Business Victoria, the Victorian Small Business Commissioner and the ACCC’s Consumer and Small Business Strategies Branch, to invite key Victorian business stakeholders to yesterday’s event.

Around 90 representatives attended the session in Melbourne, with the event video-conferenced across the country including to regional Victoria and Hobart.

The session was presented by a panel of five industry and government cyber security experts including Alex Tilley, e-Crime Lead for the Counter Threat Unit at Secureworks.

‘When you realise 41% of Australian businesses have no cyber security governance, it isn’t surprising they’re being targeted so specifically by cybercriminals. Australian businesses need to act fast and take their cyber security as seriously as other commercial risks,’ Mr Tilley said.

The experts provided a comprehensive examination of what BECs are, why they are so harmful, who is perpetrating them, how they are evolving, how government helps businesses, and the actions businesses can take to avoid becoming victims.

What is Business Email Compromise?

Business Email Compromise (BEC) is an online scam where a cybercriminal impersonates another business representative to trick an employee, customer or vendor into transferring money or sensitive information to the scammer.

Because these scams often don’t use malicious links or attachments, they can get past anti-virus programs and spam filters. The emails can include invoices or fines, often accompanied by threats to cancel your service or charge an excessive penalty if you don’t pay immediately.

Because it costs little to carry out and offers high returns, this type of attack is quickly becoming one of the fastest growing online business scams.

In Australia business email compromise has resulted in more than $20 million in associated losses across 2016-17.

Criminals are constantly developing increasingly sophisticated BEC techniques that often include a combination of social engineering, email phishing, email spoofing and malware.

What we’re seeing

The ACSC is responsible for building cyber resilience across the whole of the economy by supporting governments, large corporates, small and medium business, academia, the not-for-profit sector and the Australian community.

Over the past three months the Centre’s global monitoring team has been on hand to assist business owners who have been impacted.

The team has received dozens of BEC incident reports, requests and notifications from individuals and affected organisations in the private, academic, government and critical infrastructure sectors.

A large portion of the enquiries came from the construction industry, in part due to the high percentage of transactions between builders and their suppliers.

One instance included the owner of a small cabinet-making business who received and paid an invoice for $40,000 from a local supplier whose email had been compromised. The phishing email used their supplier’s logos and branding to appear legitimate to the business owner, deceiving him into paying the full amount.

In another phone call, a small construction supply company reported that one of their large construction clients had received an email purporting to be from them, seeking to change the supplier’s bank account details. The email had an invoice and email signature block that looked legitimate. Because the construction client confirmed the request with their supplier by other means, no funds were lost.

The ACSC also noticed spikes in BEC attacks around tax time, most likely in an attempt to catch businesses off-guard during a busy point of the financial year. 

How to protect against and recover from a Business Email Compromise

The ACSC has developed comprehensive guidance to help organisations protect themselves from business email compromises.

Educating your staff, establishing a consistent business process for validating payment and information requests, and protecting your network are vital to limiting your exposure to these types of scams.

Remember, if something doesn’t feel right, it probably isn’t. Encourage your staff to trust their instincts and check anything suspicious via a phone call or face-to-face.
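The article notes that BEC emails usually carry no malicious link or attachment, so filters that look for malware miss them; what remains are the signals described above: a sender domain that only resembles a real supplier’s, a request to change bank account details, and pressure to pay immediately. The following screening routine is an added example written for this page, not ACSC code or guidance. The supplier domains, email headers and bodies are constructed for illustration, and the keyword lists are a starting point rather than a complete rule set. It does not decide whether to pay: any payment or bank-detail change it flags still goes to a phone call or face-to-face check, as the article recommends, and it returns the reasons so staff know what to verify.

```python
import re
from dataclasses import dataclass, field
from email.utils import parseaddr
from typing import Dict, List

# Constructed list of suppliers this business pays, keyed by the exact domain
# they normally email from (hypothetical values for illustration only).
KNOWN_SUPPLIER_DOMAINS = {"acme-joinery.example", "northside-timber.example"}

# Phrases that indicate a change to where money should be sent.
BANK_CHANGE_PATTERNS = [
    r"\b(bank|account|payment) details\b",
    r"\bbsb\b",
    r"\bnew (bank )?account\b",
]
# Pressure tactics the article describes: pay now or face a penalty/cancellation.
URGENCY_PATTERNS = [
    r"\bimmediately\b",
    r"\bpenalt(y|ies)\b",
    r"\bcancel(led|lation)?\b.*\bservice\b",
    r"\bwithin 24 hours\b",
]

REASON_LOOKALIKE = "sender domain resembles a known supplier but does not match"
REASON_REPLY_TO = "Reply-To domain differs from From domain"
REASON_BANK_CHANGE = "requests change to bank account details"
REASON_URGENCY = "uses urgency or penalty pressure"


@dataclass
class Verdict:
    reasons: List[str] = field(default_factory=list)

    @property
    def needs_out_of_band_check(self) -> bool:
        """True when a human must confirm the request by phone or in person."""
        return bool(self.reasons)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header_value: str) -> str:
    """Extract the domain from a From/Reply-To header, ignoring the display name."""
    _, addr = parseaddr(header_value)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def screen_email(headers: Dict[str, str], body: str) -> Verdict:
    """Flag the BEC red flags named in the article; never approves a payment."""
    verdict = Verdict()
    from_dom = sender_domain(headers.get("From", ""))
    reply_dom = sender_domain(headers.get("Reply-To", ""))

    # Lookalike domain: close to a supplier we know, but not exactly it.
    if from_dom and from_dom not in KNOWN_SUPPLIER_DOMAINS:
        if any(edit_distance(from_dom, known) <= 2 for known in KNOWN_SUPPLIER_DOMAINS):
            verdict.reasons.append(REASON_LOOKALIKE)

    # Replies silently routed to a different domain than the apparent sender.
    if reply_dom and reply_dom != from_dom:
        verdict.reasons.append(REASON_REPLY_TO)

    # Bank-detail changes are always verified out of band, even from a known domain,
    # because the supplier's own mailbox may be the thing that was compromised.
    if any(re.search(p, body, re.IGNORECASE) for p in BANK_CHANGE_PATTERNS):
        verdict.reasons.append(REASON_BANK_CHANGE)

    if any(re.search(p, body, re.IGNORECASE) for p in URGENCY_PATTERNS):
        verdict.reasons.append(REASON_URGENCY)

    return verdict


# Constructed sample messages (not real emails).
SCAM_HEADERS = {
    "From": "Accounts <accounts@acme-joinry.example>",
    "Reply-To": "accounts@mail-acme.example",
}
SCAM_BODY = (
    "Please note our bank account details have changed. Pay the attached invoice "
    "immediately to avoid a late penalty. New BSB 000-000, account 00000000."
)

LEGIT_HEADERS = {"From": "Accounts <accounts@acme-joinery.example>"}
LEGIT_BODY = "Hi, attached is invoice 1042 for the kitchen cabinets, due in 30 days. Thanks."

# A real supplier changing banks: still flagged, because only a phone call can confirm it.
CHANGE_HEADERS = {"From": "Accounts <accounts@acme-joinery.example>"}
CHANGE_BODY = "Please update our bank details for future payments; new account attached."

if __name__ == "__main__":
    for name, h, b in [("scam", SCAM_HEADERS, SCAM_BODY),
                       ("legit", LEGIT_HEADERS, LEGIT_BODY),
                       ("change", CHANGE_HEADERS, CHANGE_BODY)]:
        v = screen_email(h, b)
        print(name, "-> verify by phone:", v.needs_out_of_band_check, v.reasons)
```

The third sample matters most in practice: a genuine supplier whose mailbox has been taken over sends from the correct domain, so domain checks pass and only the "verify every bank-detail change by phone" rule catches it, which is exactly how the construction client in the article avoided the loss.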

For more information

Join us and our partners by taking a few simple steps to lock down your online security. Together we can reverse the threat of cybercrime.

For tools and tips to help you reverse the threat, visit Stay Smart Online’s ‘Reverse the Threat’ page.

Stay Smart Online also offers a free email alert service to explain recent online threats and how you can manage them. And you can follow them on Facebook.

For news and information relating to online threats and mitigation, visit Cyber.gov.au.

To report an incident, call us on 1300 CYBER1 (1300 292 371) or go to our website www.cyber.gov.au.