Potential cost of scams to your business
The threat of email scams for businesses is very real, and it’s growing. According to the Australian Competition and Consumer Commission (ACCC), in 2019 Australians reported $132 million in losses attributed to business email compromise. This is a staggering 120% increase in losses compared to the previous year.
Based on the report from the ACCC, opens in new window, the most financially damaging business email compromise scams involved invoices between businesses, suppliers or individuals being intercepted, and amended with fraudulent banking details.
However, there’s some good news- there are lots of simple steps you can take to protect your money and your business.
Types of email-based scams
Business Email Compromise (BEC)
Business email compromise describes when an organisation’s email account is taken over by criminals to conduct fraudulent activities such as sending fake invoices, requesting updates to bank account details, or intercepting and altering inbound payment details.
Criminals often gain access to business email accounts by sending a phishing email which appears to come from a trusted organisation or contact. This email might request the recipient’s email account username and password or ask them to click on a link which downloads malicious software onto their device. Often the email has been sent from a trusted contact who has had their own email account compromised. The other common way that username and password credentials are gathered is if they are exposed through a data breach.
In invoice scams, a business or individual receives an emailed invoice from a supplier whose email account has been compromised by a criminal. The criminal has been able to alter the payment details on the invoice to an account they control. As the invoice looks legitimate, the recipient may not question the payment details, and send the payment to the account controlled by the criminal.
Often the contact number on the invoice has also been altered.
Another variation of an invoice scam is when a business receives a request from a supplier to cancel a recent payment or update the bank account details held on file and is asked to make the payment to a new account.
Case study – Ben’s invoice scam
Watch the video of Ben’s story to learn how easy it is to be scammed by criminals targeting businesses and the effect this has on real businesses. View Know the red flags of invoice scams video transcript (TXT, 2KB), opens in new window
Also known as ‘CEO phishing’, a CEO scam is when an email appears to come from a senior person in a business such as a Chief Executive Officer (CEO) or Chief Financial Officer (CFO), requesting an urgent transfer of funds.
By making the email appear to come from a senior person, the criminals are hoping the recipient will action it quickly without verifying the request.
These emails may come from the real executive’s email account if it’s been compromised, or from a very similar email address.
In this email example some of the red flags to look out for are the email address which in this case is a Gmail account instead of the organisation’s email address. The CEO’s name is also misspelled.
Another type of email scam is the payroll scam, where the email account of an employee is imitated or compromised, and an email is sent to their employer requesting an update to their bank account details for their salary. Criminals are opportunistic and looking for people to act on messages being sent, so keep an eye out for urgent requests to update payroll details. These scams can also be carried out via a phone call, so having a validation process for each channel is recommended. Best practice is to verbally confirm over the phone (using a known phone number) or face to face.
How do email scams work?
Criminals target email communication as it’s a common way individuals and business exchange information. For criminals, email is a scalable way to target many people at one time but can also be used to target individuals in a spear-phishing attack.
Criminals want their messages to appear genuine, so they’re specifically created to trick the recipient into taking some sort of action.
These messages may be sent from:
a contact that you know but the request is unusual or requesting a change of account details or payment to a new bank account.
a simple email address such as ‘firstname.lastname@example.org’.
an email address very similar to the senior business person the criminal is impersonating, but with a slight variation which is easy to miss. For example email@example.com instead of firstname.lastname@example.org.
what appears to be the correct email address, but when you reply, the email is sent to a different reply-to address.
Take these simple nine steps to protect your business
1. Empower your team
Your employees are the first line of defence against cyber attacks. Teach them to recognise and know what to do with suspicious emails, text messages and phone calls. Criminals try to convey authority by impersonating someone senior in your business or create panic by insisting a matter is urgent.
Empower your employees to trust their instincts and question emails, even if it does appear to have come from someone senior. If an email request doesn't sound right, is unexpected, presses for urgent action, or has an unusual tone, staff should be encouraged to question it. No one knows their colleagues, clients and suppliers better than your team.
2. Raise awareness
Help your people understand more about the tricks and scams of fraudsters. If your business gets a CEO phishing email or fake invoice, share it around so your employees know what to look out for in the future. For handy tips and tools, check out raising employee awareness.
3. Create safe payment processes
It’s important that your business verifies payment requests or changes to payment details. Create a process that requires the receiver to check the requester’s email address carefully, and to call them to confirm the request using the contact details you have on file. This is especially important if payment details have changed, or if a request seems out of the ordinary.
Once confirmed via calling a known or publicly listed number, you can safely action payments or changes to account details.
4. Check your email settings
Check your email account settings for any auto-forward rules that you didn’t set up yourself, as this can be a sign that emails are being forwarded to another account. Also check the ‘Sent’ and ‘Deleted’ folders periodically for emails you did not send. If they are empty, this can be a sign that evidence is being deleted.
5. Keep your software up-to-date
Cyber criminals always try new ways to outsmart anti-virus software. It’s vital you have the most up-to-date version. Set your anti-virus software to auto-update, so it is always up to date. Keep your Apps on your computers and devices up to date too.
To find out more about protecting your hardware and software, see the basics of computer security.
You can also take advantage of NAB’s offer for business customers for discounted ‘Cisco Umbrella’ security software.
6. Use strong passwords and multi-factor authentication
Using strong passwords and multi-factor authentication (MFA) will protect the security of your email account. Two-factor authentication means adding an extra layer of security by using an extra authentication method, such as a code sent to your mobile phone via SMS. This means that even if someone steals or guesses your password, they will not be able to get into your account because they will not have the MFA code.
7. Review your business' online profile
Do an audit and limit the amount of publicly available information on your organisation’s websites and social media pages, such as LinkedIn. Focus on minimising the display of your employees’ contact details.
8. Talk to your Business Banker
If you’re a business customer using NAB Connect, ask your banker how to turn on features which can add extra layers of security to protect your funds. Consider turning on segregation of duties, which means one person can’t create and approve payments over a certain size or, dual authorisation because an extra pair of eyes can be useful for spotting mistakes or fraud attempts. These features and more are available on NAB Connect.
9. Set up your PayID
PayID gives business owners a powerful tool to help customers and business partners easily and safely transfer funds without the hassle of entering an account number and BSB. PayID is tied to your phone number, email address or ABN.
Using PayID can help reduce the risk of fraud or payments being sent to the wrong account as you can see the name of the person or business when paying. Consider setting up your official business PayID to streamline and secure your transfers. Read more about PayID for business.
Learn how to keep yourself and your business safe with the NAB Security podcast on Business Email Compromise.
If you’ve been scammed
Security advice, report a cyber crime or online incident
Latest scams or report a scam
To protect your business online
Visit our Security Hub.
Apologies but the Important Information section you are trying to view is not displaying properly at the moment. Please refresh the page or try again later.