How to protect your business from email-based scams

CEO scams

Also known as ‘CEO phishing’, a CEO scam is when an email appears to come from a senior person in a business such as a Chief Executive Officer (CEO) or Chief Financial Officer (CFO), requesting an urgent transfer of funds.

By making the email appear to come from a senior person, the criminals hope the recipient will action it quickly without verifying the request.

These emails may come from the real executive’s email account if it’s been compromised or from a very similar email address.

In this email example some of the red flags to look out for are the email address, which in this case is a Gmail account instead of the organisation’s email address. The CEO’s name is also misspelled.

Payroll Scams

Another type of email scam is the payroll scam, where the email account of an employee is imitated or compromised, and an email is sent to their employer requesting an update to their bank account details for their salary. Criminals are opportunistic and looking for people to act on messages being sent, so keep an eye out for urgent requests to update payroll details. These scams can also be carried out via a phone call, so having a validation process for each channel is recommended. Best practice is to verbally confirm over the phone (using a known phone number) or face to face.

How do email scams work?

Criminals target email communication as it’s a common way individuals and business exchange information. For criminals, email is a scalable way to target many people at one time but can also be used to target individuals in a spear-phishing attack.

Criminals want their messages to appear genuine, so they’re specifically created to trick the recipient into taking some sort of action.

These messages may be sent from:

• a contact that you know but the request is unusual or requesting a change of account details or payment to a new bank account.
• a simple email address such as ‘iamtheceo1@gmail.com’.
• an email address very similar to the senior businessperson the criminal is impersonating, but with a slight variation which is easy to miss. For example, john@s1ight.com.au instead of john@slight.com.au.
• what appears to be the correct email address, but when you reply, the email is sent to a different reply-to address.

Take these simple steps to protect your business

1. Empower your team

Your employees are the first line of defence against cyber-attacks. Teach them to recognise and know what to do with suspicious emails, text messages, and phone calls. Criminals try to convey authority by impersonating someone senior in your business or create panic by insisting a matter is urgent.

Empower your employees to trust their instincts and question emails, even if it appears to have come from someone senior. If an email request doesn't sound right, is unexpected, presses for urgent action, or has an unusual tone, staff should be encouraged to question it. No one knows their colleagues, clients and suppliers better than your team. You can always invite your team to join one of our free monthly cyber security webinars for business.

2. Raise awareness

Help your people understand more about the tricks and scams of fraudsters. If your business gets a CEO phishing email or fake invoice, share it around so your employees know what to look out for in the future. For handy tips and tools, check out raising employee awareness.

3. Create safe payment processes

It’s important that your business verifies payment requests or changes to payment details. Create a process that requires the receiver to check the requester’s email address carefully, and to call them to confirm the request using the contact details you have on file. This is especially important if payment details have changed, or if a request seems out of the ordinary.

Once confirmed via calling a known or publicly listed number, you can safely action payments or changes to account details.

4. Check your email settings

Check your email account settings for any auto-forward rules that you didn’t set up yourself, as this can be a sign that emails are being forwarded to another account. Also check the ‘Sent’ and ‘Deleted’ folders periodically for emails you did not send. If they are empty, this can be a sign that evidence is being deleted.

5. Keep your software up-to-date

Cyber criminals always try new ways to outsmart anti-virus software. It’s vital you have the most up-to-date version. Set your anti-virus software to auto-update, so it’s always up to date. Keep your Apps on your computers and devices up to date, too.

To find out more about protecting your hardware and software, see the basics of computer security.

You can also take advantage of NAB’s offer for business customers for discounted ‘Cisco Umbrella’ security software.

6. Use strong passwords and multi-factor authentication

Using strong passwords and multi-factor authentication (MFA) will protect the security of your email account. MFA (sometimes also called two-factor authentication) means adding an extra layer of security by using an extra authentication method, such as a code sent to your mobile phone via SMS. This means that even if someone steals or guesses your password, they won’t be able to get into your account because they won’t have the MFA code.

Read about six simple ways to protect your passwords and multi-factor authentication for more details.

7. Review your business' online profile

Do an audit and limit the amount of publicly available information on your organisation’s websites and social media pages, such as LinkedIn. Focus on minimising the display of your employees’ contact details.

8. Talk to your Business Banker

If you’re a business customer using NAB Connect, ask your banker how to turn on features which can add extra layers of security to protect your funds. Consider turning on segregation of duties, which means one person can’t create and approve payments over a certain size or dual authorisation. An extra pair of eyes can be useful for spotting mistakes or fraud attempts.

9. Set up your PayID®

PayID gives business owners a powerful tool to help customers and business partners easily and safely transfer funds without the hassle of entering an account number and BSB. PayID is tied to your phone number, email address or ABN.

Using PayID can help reduce the risk of fraud or payments being sent to the wrong account as you can see the name of the person or business when paying. Consider setting up your official business PayID to streamline and secure your transfers. Read more about PayID for business.

10. Take advantage of the free small business cyber assessment tool and other offers

We’ve partnered with Microsoft to deliver a free cyber assessment tool to help your business determine and improve its cyber maturity. The free, tailored, self-assessment takes under two hours to complete and will provide a risk-based report to assist you to identify potential gaps and mitigate your risks. Also review other business offers from our partners that are accessible via the Security tab.