Business email compromise

The Australian Cyber Security Centre provides you with up-to-date advice on current threats and vulnerabilities, as well as guidance on mitigation and cyber security best practice.

What is business email compromise?

Business email compromise (BEC) is an online scam where a cybercriminal impersonates a business representative to trick you, an employee, customer or vendor into transferring money or sensitive information to the scammer.

To begin, a cybercriminal impersonates a trusted person using an email address that appears to be legitimate (this is known as “masquerading”). To do this, they may use a username that is almost identical to the trusted person’s name, or a domain that is almost identical to the name of the trusted person’s company. Alternatively, they could replace the “from” or “reply-to” text with the trusted person’s exact email address (this is called email “spoofing”), or they could even gain remote access to the trusted person’s actual email account.

The cybercriminal then sends a legitimate-looking message to the target requesting money or sensitive information.

BEC usually takes one of four basic forms:

  1. Executive fraud: The cybercriminal successfully masquerades an executive’s email address and then sends a message to staff in your business directing them to transfer funds to the scammer’s account.

  2. Legal impersonation: The cybercriminal masquerades as a lawyer or legal firm representative requesting payment for an urgent and sensitive matter.

  3. Invoice fraud: The cybercriminal masquerades as a trusted supplier and sends a fake invoice to your business. In these scams, the cybercriminal often has control of the supplier’s email account and can access legitimate invoices. The cybercriminal changes these invoices to include new bank account details and then sends the invoices to customers from the supplier’s email account.

  4. Data theft: Instead of requesting funds, a cybercriminal may masquerade as a trusted person to request sensitive information. This information can then also be used as part of a larger and more damaging scam.

Because these scams don’t use malicious links or attachments, they can get past anti-virus programs and spam filters.

How do I recover from business email compromise?

If you’ve sent money or personal banking details to a scammer contact your bank immediately.

If you receive a BEC attempt, notify the masqueraded sender so they can prevent further BEC attempts. Do not forward the malicious email. Instead, take a screen shot (print screen) or screen snip and send it to your IT team or manager so they can alert the affected parties and secure the email account.

If any of your email accounts have been compromised, notify your clients (or, at a minimum, your affected clients). You may also consider putting up a notice on your website to warn clients of the scam if the BEC is extensive.

If personally identifiable information has been stolen, mandatory reporting to the Office of the Information Commissioner (OAIC) may be required under the reportable data breaches scheme. Information on the reportable data breaches scheme can be found here.

Scams can be reported to the Australian Competition and Consumer Commission’s Scamwatch.

If you have been a victim of a cybercrime such as fraud, report it to the Australian Cybercrime Online Reporting Network (ACORN).

How do I prevent business email compromise?

Educate your staff

Because BEC relies almost entirely on social engineering (using an understanding of human psychology to get us to do something), your staff are your first line of defence.

Teach your staff to be on the lookout for the following warning signs:

  • The email was unexpected. For example, the invoice came from a supplier you haven’t dealt with in a while, or the payment amount differs from previous amounts.

  • The email asks for an urgent payment or threatens serious consequences if payment isn’t made.

  • The email was sent from someone in a position of authority, particularly someone who wouldn’t normally send payment requests.

  • The email address doesn’t look quite right. For example, the domain name doesn’t exactly match the supplier’s company name. Double-check by looking at previous correspondence.

  • The supplier has provided new bank account details.

If your staff spot any of these warning signs, they should contact the company using a phone number they’ve obtained from an alternative source, such as the company’s website.

Have a business process

You can support your staff in spotting BEC scams by establishing a consistent process for validating all payment requests and requests for sensitive information.

Safeguard your internal information

  • Avoid sharing internal company knowledge that could be exploited by scammers such as as the individual contact details of employees most likely to be targeted particularly those working in accounts or finance.

Make sure your business isn’t used for BEC

Protect your networks

  • BEC scammers may try to gain access to a legitimate email account by compromising your internal networks. Develop and maintain good security controls to prevent your network being exploited. Implement at least the four mitigation strategies with “essential” effectiveness to prevent malware delivery and execution as described in the ACSC’s Strategies to Mitigate Cyber Security Incidents, particularly on computers used by your finance, human resources and senior executive teams.

  • Additional guidance on how to develop sound cyber security practices for your business can be found here.

  • Additional information on the ACSC’s Strategies to Mitigate Cyber Security Incidents can be found here.

Block spoofed emails

  • If you manage your own email server and domain, make sure you implement Sender Policy Framework (SPF) and Domain Message Authentication Reporting and Conformance (DMARC). These are email sender validation controls that will prevent others from spoofing your domain and will help you technically identify when you have received a spoofed email.

  • Configure your email server to reject emails do not originate from the email servers approved by the sender’s organisation.

  • Consider registering domains that look similar to your organisation’s domain (for example, replace letters such as “l” and “o” in your company name with digits such as “1” and “0”).This will help prevent malicious actors from using look-alike domains to spoof emails from your business.

Use two-factor authentication

  • Scammers will often try to compromise an email account by tricking a user into supplying email login credentials to a fake website. These credentials will then be used to log in to the account and send out BEC content to your contacts. Use strong multi-factor authentication to prevent scammers from using your email login details.

  • Refer to the ACSC’s Multi-factor Authentication guidance for further information.,.