Your stored business data travels in and out of your network. What key controls can you put in place to ensure it’s safe?
Estimated reading time is 8 minutes.
The threat of email scams for businesses is very real, and it’s growing. According to the Australian Competition and Consumer Commission (ACCC), in 2019 Australians reported $132 million in losses attributed to business email compromise. This is a staggering 120% increase in losses compared to the previous year.
Based on the report from the ACCC, the most financially damaging business email compromise scams involved invoices between businesses, suppliers or individuals being intercepted, and amended with fraudulent banking details.
However, there’s some good news: there are some simple steps you can take to protect your money and your business.
Business email compromise describes when an organisation’s email account is taken over by criminals to conduct fraudulent activities such as sending fake invoices, requesting updates to bank account details, or intercepting and altering inbound payment details.
Criminals often gain access to business email accounts by sending a phishing email that appears to come from a trusted organisation or contact. The email might ask for the recipient’s email username and password, or ask them to click a link that downloads malicious software onto their device. Often the email really has been sent from a trusted contact, whose own email account has been compromised. The other common way criminals obtain usernames and passwords is when they are exposed through a data breach, which is why a password used for another service should never be reused for email.
In invoice scams, a business or individual receives an emailed invoice from a supplier whose email account has been compromised by a criminal. The criminal has been able to alter the payment details on the invoice to an account they control. As the invoice looks legitimate, the recipient may not question the payment details, and send the payment to the account controlled by the criminal.
Often the contact number on the invoice has also been altered.
Another variation of an invoice scam is when a business receives a request from a supplier to cancel a recent payment or update the bank account details held on file, and is asked to make the payment to a new account.
Also known as ‘CEO phishing’, a CEO scam is when an email appears to come from a senior person in a business such as a Chief Executive Officer (CEO) or Chief Financial Officer (CFO), requesting an urgent transfer of funds.
By making the email appear to come from a senior person, the criminals are hoping the recipient will action it quickly without verifying the request.
These emails may come from the real executive’s email account if it’s been compromised, or from a very similar email address.
Another type of email scam is the payroll scam, where the email account of an employee is imitated or compromised, and an email is sent to their employer requesting an update to their bank account details for their salary. Criminals are opportunistic and looking for people to act on messages being sent, so keep an eye out for urgent requests to update payroll details. These scams can also be carried out via a phone call, so having a validation process for each channel is recommended. Best practice is to verbally confirm over the phone (using a known phone number) or face to face.
Criminals target email communication as it’s a common way individuals and business exchange information. For criminals, email is a scalable way to target many people at one time, but can also be used to target individuals in a spear-phishing attack.
Criminals want their messages to appear genuine, so they’re specifically created to trick the recipient into taking some sort of action.
These messages may be sent from:
Your employees are the first line of defence against cyber attacks. Teach them to recognise and know what to do with suspicious emails, text messages and phone calls. Criminals try to convey authority by impersonating someone senior in your business, or create panic by insisting a matter is urgent.
Empower your employees to trust their instincts and question emails, even if it does appear to have come from someone senior. If an email request doesn't sound right, is unexpected, presses for urgent action, or has an unusual tone, staff should be encouraged to question it. No one knows their colleagues, clients and suppliers better than your team.
Help your people understand more about the tricks and scams of fraudsters. If your business gets a CEO phishing email or fake invoice, share it around so your employees know what to look out for in the future. For handy tips and tools, check out raising employee awareness.
It’s important that your business verifies payment requests and changes to payment details. Create a process that requires the person receiving the request to check the requester’s email address carefully and to call them to confirm the request using the contact details you already have on file, never a phone number supplied in the email or printed on the new invoice. This is especially important if payment details have changed, or if a request seems out of the ordinary.
Once confirmed via calling a known or publicly listed number, you can safely action payments or changes to account details.
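The email-address check in the process above can be partly automated. The following Python is an added example, not NAB’s code and not part of the original article. It compares the domain of an invoice or payment-request sender against an allow-list of supplier domains and flags lookalikes: digits swapped for letters, Cyrillic letters that render like Latin ones, one- or two-character typos, and a real supplier name buried inside a longer domain. The allow-list, the sample addresses and the edit-distance thresholds are assumptions; a flagged sender should trigger the phone call to the number on file, not an automatic block.

```python
"""Flag invoice or payment-request senders whose domain only looks like a known supplier.

Added example; the supplier allow-list and the sample addresses are constructed.
"""
import unicodedata

# Assumption: accounts payable keeps a list of the domains suppliers really send from.
KNOWN_DOMAINS = {"acme-supplies.com.au", "northwind.com", "contoso.com"}

# Characters criminals swap for visually similar ones: digits for letters, and
# Cyrillic letters (written as escapes) that render like Latin ones.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "8": "b",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0456": "i", "\u0455": "s",
})
MULTI_CHAR = (("rn", "m"), ("vv", "w"))  # "rn" reads as "m", "vv" as "w"


def sender_domain(address: str) -> str:
    """Return the domain of the actual address, ignoring the display name.

    'Acme Accounts <ap@evil.example>' must yield 'evil.example': the display
    name is whatever the sender chose to type, so it proves nothing.
    """
    addr = address.strip()
    if "<" in addr and addr.endswith(">"):
        addr = addr[addr.rindex("<") + 1:-1]
    dom = addr.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    if any(label.startswith("xn--") for label in dom.split(".")):
        try:  # internationalised domain: decode punycode so confusables can be folded
            dom = dom.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    return dom


def normalise(domain: str) -> str:
    """Collapse lookalike spellings so 'acme-supp1ies' and 'acme-supplies' compare equal."""
    d = unicodedata.normalize("NFKC", domain).lower().translate(CONFUSABLES)
    for old, new in MULTI_CHAR:
        d = d.replace(old, new)
    return d.replace("-", "")


def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character edits to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, known=KNOWN_DOMAINS):
    """Return ('known', domain), ('lookalike', domain it imitates) or ('unknown', None)."""
    dom = sender_domain(address)
    for k in known:  # exact match, or a genuine subdomain such as mail.northwind.com
        if dom == k or dom.endswith("." + k):
            return ("known", k)
    ndom = normalise(dom)
    for k in sorted(known):
        nk = normalise(k)
        # Same name after confusable folding, or the real name buried inside a longer
        # domain (acme-supplies.com.au.invoice-portal.net), is a classic lookalike.
        if nk in ndom:
            return ("lookalike", k)
        # Allow one typo for short names and two for longer ones (assumed thresholds).
        if levenshtein(ndom, nk) <= (1 if len(nk) <= 8 else 2):
            return ("lookalike", k)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample senders, as they would appear in a From: header.
    for sample in ("accounts@acme-supplies.com.au", "billing@acme-supp1ies.com.au",
                   "Jane <jane@mail.northwind.com>", "ceo@northwlnd.com",
                   "ap@acme-supplies.com.au.invoice-portal.net", "someone@gmail.com"):
        print(f"{sample:45} -> {classify_sender(sample)}")
```

The check looks only at the address actually used, not the display name, because a criminal can put the supplier’s real name in front of any address. It complements the phone call rather than replacing it: a sender that is “known” may still be a genuinely compromised supplier account, which is exactly the invoice scam described above.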
Check your email account settings for any auto-forward rules you didn’t set up yourself; a rule you don’t recognise can mean your emails are being copied to an account a criminal controls. Also check the ‘Sent’ and ‘Deleted’ folders periodically for emails you did not send. If they are unexpectedly empty, this can be a sign that evidence is being deleted.
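The auto-forward check above can be scripted so it is done for every mailbox rather than by memory. This Python is an added example, not NAB’s code and not part of the original article. It audits a constructed list of inbox rules, modelled on the fields a mailbox rule export contains, and flags forwarding or redirection to external addresses, rules that delete or hide finance-related mail, and rules with blank names. The internal domain, the keyword list and the folder names are assumptions.

```python
"""Audit mailbox inbox rules for the auto-forward and auto-delete patterns seen after
account takeover. Added example; the rule records below are constructed, modelled on
the fields a mailbox rule export contains, not pulled from any real mailbox."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Assumption: mail for your own organisation uses these domains; anything else is external.
INTERNAL_DOMAINS = {"example.com.au"}
# Subjects criminals typically filter on so the victim never sees supplier or bank replies.
FINANCE_WORDS = ("invoice", "payment", "bank", "bsb", "remittance", "account")
# Folders nobody reads, used to hide rather than delete the replies.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "junk email", "archive",
                  "deleted items", "conversation history"}


@dataclass
class InboxRule:
    name: str
    enabled: bool = True
    forward_to: List[str] = field(default_factory=list)
    redirect_to: List[str] = field(default_factory=list)
    delete_message: bool = False
    move_to_folder: Optional[str] = None
    subject_contains: List[str] = field(default_factory=list)


def audit_rule(rule: InboxRule, internal=INTERNAL_DOMAINS) -> List[str]:
    """Return the reasons this rule looks like attacker persistence (empty if clean)."""
    findings: List[str] = []
    if not rule.enabled:
        return findings  # a disabled rule does nothing; re-audit if it is ever re-enabled
    finance = any(w in s.lower() for s in rule.subject_contains for w in FINANCE_WORDS)
    tag = " (matches finance keywords)" if finance else ""
    for addr in rule.forward_to + rule.redirect_to:
        if addr.rsplit("@", 1)[-1].lower() not in internal:
            findings.append(f"copies mail to external address {addr}{tag}")
    if rule.delete_message:
        findings.append(f"deletes matching messages{tag}")
    if rule.move_to_folder and rule.move_to_folder.lower() in HIDING_FOLDERS:
        # Benign rules file newsletters here; flag only when finance mail, or all mail, is hidden.
        if finance or not rule.subject_contains:
            findings.append(f"hides matching messages in '{rule.move_to_folder}'{tag}")
    if not rule.name.strip(" ."):
        findings.append("rule name is blank or just punctuation, a common attacker habit")
    return findings


def audit_mailbox(rules: List[InboxRule]) -> List[Tuple[str, List[str]]]:
    """Return (rule name, findings) for every rule that raised at least one finding."""
    report = []
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report.append((rule.name, findings))
    return report


# Constructed sample: three rules the user set up and one a criminal added after
# taking over the account.
SAMPLE_RULES = [
    InboxRule("Team lunch", forward_to=["colleague@example.com.au"], subject_contains=["lunch"]),
    InboxRule("Newsletters", move_to_folder="RSS Feeds", subject_contains=["newsletter"]),
    InboxRule("Old bank rule", enabled=False, redirect_to=["me@webmail.example"]),
    InboxRule(".", forward_to=["ap.collect@mail-secure.example"], delete_message=True,
              subject_contains=["invoice", "payment", "BSB"]),
]

if __name__ == "__main__":
    for name, findings in audit_mailbox(SAMPLE_RULES):
        print(f"Rule {name!r}:")
        for finding in findings:
            print("  -", finding)
```

On Microsoft 365 the real input comes from the Exchange Online Get-InboxRule cmdlet; on Gmail it comes from the forwarding and filter settings. Export the rules for every mailbox, not only the one that reported a problem, and treat a rule that forwards finance mail externally and then deletes it as confirmation of compromise rather than a false positive to tune out.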
Cyber criminals constantly try new ways to outsmart anti-virus software, so it’s vital you have the most up-to-date version. Set your anti-virus software to auto-update so it is always current, and keep the apps on your computers and devices up to date too.
To find out more about protecting your hardware and software, see the basics of computer security.
You can also take advantage of NAB’s offer for business customers for discounted ‘Cisco Umbrella’ security software.
Using strong passwords and multi-factor authentication (MFA) protects your email account. Two-factor authentication, the most common form of MFA, adds an extra layer of security by requiring a second method of authentication, such as a code sent to your mobile phone via SMS. This means that even if someone steals or guesses your password, they still cannot get into your account without the second factor. An authenticator app or a physical security key is stronger than SMS, which can be intercepted through a SIM swap, but any second factor is far better than none.
Check out our 6 simple ways to protect your passwords and multifactor authentication articles for more details.
Do an audit and limit the amount of publicly available information on your organisation’s websites and social media pages, such as LinkedIn. Focus on minimising the display of your employees’ contact details.
If you’re a business customer using NAB Connect, ask your banker how to turn on features that add extra layers of security to protect your funds. Consider turning on segregation of duties, which means one person can’t both create and approve payments over a certain size, or dual authorisation, because an extra pair of eyes is useful for spotting mistakes or fraud attempts. These features and more are available on NAB Connect.
PayID gives business owners a powerful tool to help customers and business partners easily and safely transfer funds without the hassle of entering an account number and BSB. PayID is tied to your phone number, email address or ABN.
Using PayID can help reduce the risk of fraud or payments being sent to the wrong account as you can see the name of the person or business when paying. Consider setting up your official business PayID to streamline and secure your transfers. Read more about PayID for business.
Learn how to keep yourself and your business safe with the NAB Security podcast on Business Email Compromise.
If you’re a NAB customer and you believe your business has been impacted by fraud or a scam, contact us on 13 10 12 (for Internet Banking users) or the NAB Connect Client Centre on 1300 888 413.
Visit Australian Cyber Security Centre.
Visit Scamwatch.
Visit our Security Hub.