HOW TO PROTECT YOUR BUSINESS FROM EMAIL-BASED SCAMS

Estimated reading time is 8 minutes.

Invoice scams

In invoice scams, a business or individual receives an emailed invoice from a supplier whose email account has been compromised by a criminal. The criminal has been able to alter the payment details on the invoice to an account they control. As the invoice looks legitimate, the recipient may not question the payment details, and send the payment to the account controlled by the criminal.

Often the contact number on the invoice has also been altered.

Another variation of an invoice scam is when a business receives a request from a supplier to cancel a recent payment or update the bank account details held on file, and is asked to make the payment to a new account.

Payroll Scams

Another type of email scam is the payroll scam, where the email account of an employee is imitated or compromised, and an email is sent to their employer requesting an update to their bank account details for their salary. Criminals are opportunistic and looking for people to act on messages being sent, so keep an eye out for urgent requests to update payroll details. These scams can also be carried out via a phone call, so having a validation process for each channel is recommended. Best practice is to verbally confirm over the phone (using a known phone number) or face to face.

HOW DO EMAIL SCAMS WORK?

Criminals target email communication as it’s a common way individuals and business exchange information. For criminals, email is a scalable way to target many people at one time, but can also be used to target individuals in a spear-phishing attack.

Criminals want their messages to appear genuine, so they’re specifically created to trick the recipient into taking some sort of action.

These messages may be sent from:

• A contact that you know but the request is unusual or requesting a change of account details or payment to a new bank account.
• a simple email address such as ‘iamtheceo1@gmail.com’
• an email address very similar to the senior business person the criminal is impersonating, but with a slight variation which is easy to miss. For example john@s1ight.com.au instead of john@slight.com.au.
• what appears to be the correct email address, but when you reply, the email is sent to a different reply-to address

TAKE THESE 8 SIMPLE STEPS TO PROTECT YOUR BUSINESS

1. Empower your team

Your employees are the first line of defence against cyber attacks. Teach them to recognise and know what to do with suspicious emails, text messages and phone calls. Criminals try to convey authority by impersonating someone senior in your business, or create panic by insisting a matter is urgent.

Empower your employees to trust their instincts and question emails, even if it does appear to have come from someone senior. If an email request doesn't sound right, is unexpected, presses for urgent action, or has an unusual tone, staff should be encouraged to question it. No one knows their colleagues, clients and suppliers better than your team.

2. Raise awareness

Help your people understand more about the tricks and scams of fraudsters. If your business gets a CEO phishing email or fake invoice, share it around so your employees know what to look out for in the future. For handy tips and tools, check out raising employee awareness.

3. Create safe payment processes

It’s important that your business verifies payment requests or changes to payment details. Create a process that requires the receiver to check the requester’s email address carefully, and to call them to confirm the request using the contact details you have on file. This is especially important if payment details have changed, or if a request seems out of the ordinary.

Once confirmed via calling a known or publicly listed number, you can safely action payments or changes to account details.

4. Check your email settings

Check your email account settings for any auto-forward rules that you didn’t set up yourself, as this can be a sign that emails are being forwarded to another account Also check the ‘Sent’ and ‘Deleted’ folders periodically for emails you did not send. If they are empty, this can be a sign that evidence is being deleted.

5. Keep your software up-to-date

Cyber criminals always try new ways to outsmart anti-virus software. It’s vital you have the most up-to-date version. Set your anti-virus software to auto-update, so it is always up to date. Keep your Apps on your computers and devices up to date too.

To find out more about protecting your hardware and software, see the basics of computer security.

You can also take advantage of NAB’s offer for business customers for discounted ‘Cisco Umbrella’ security software. More info at nab.com.au/umbrella

6. Use strong passwords and multi-factor authentication

Using strong passwords and multi-factor authentication (MFA) will protect the security of your email account. Two-factor authentication means adding an extra layer of security by using an extra authentication method, such as a code sent to your mobile phone via SMS. This means that even if someone steals or guesses your password, they will not be able to get into your account because they will not have the MFA code.

Check out our 6 simple ways to protect your passwords and multifactor authentication articles for more details.

7. Review your business' online profile

Do an audit and limit the amount of publicly available information on your organisation’s websites and social media pages, such as LinkedIn. Focus on minimising the display of your employees’ contact details.

8. Talk to your Business Banker

If you’re a business customer using NAB Connect, ask your banker how to turn on features which can add extra layers of security to protect your funds. Consider turning on segregation of duties, which means one person can’t create and approve payments over a certain size or, dual authorisation because an extra pair of eyes can be useful for spotting mistakes or fraud attempts. These features and more are available on NAB Connect.