Business Email Compromise (BEC) is one of the biggest cyber threats faced by Australian businesses. BEC describes fraudulent emails that appear to come from trusted sources, like company executives or suppliers, asking for funds to be transferred, or to change the account details of a regular payment.
Early in 2017, the FBI’s Internet Crime Complaint Center stated that “the BEC scam continues to grow, evolve, and target businesses of all sizes. Since January 2015, there has been a 1,300 per cent increase in identified exposed losses, now totalling over $3 billion.”
NAB Chief Information Security Officer Andrew Dell explains, “These scams are prevalent in Australia, however, there are some simple steps an SME can take to prevent being caught out”.
Types of Business Email Compromise
These emails often appear to be from a senior executive, such as a company’s Chief Executive Officer or Chief Financial Officer, and request that an urgent funds transfer be made. This false request, also known as ‘CEO Phishing’, is often sent from an email address very similar to the executive’s, but with a small variation (a swapped letter, or a lookalike domain) which is easy to miss. “These requests are normally sent to a small number of targeted recipients, meaning they are often missed by corporate email spam filters, which look for large volumes of identical messages”, says Dell. These emails can also be sent from the executive’s real mailbox, rather than a lookalike address, if the criminal has obtained the login credentials via malicious software or a phishing email.
In another scenario, a business may receive an email invoice from a supplier asking for payment. If the supplier’s email account has been compromised by a criminal, the email may be intercepted and the payment details on the invoice changed. Not realising the account has been compromised, the business sends the payment to the criminal rather than their legitimate supplier. Another variation is a request to cancel a recent payment, and make the payment to a new account.
How does it happen?
“Cyber criminals use company websites and LinkedIn to source organisational information, including employee names and titles, company structures, and job descriptions,” explains Dell. “They then use this information to craft convincing emails requesting payments”.
Setting up an auto-forward rule on your mailbox is another common tactic to make requests seem more legitimate, explains Dell. “If a criminal has your email credentials, they may set up a rule in your mailbox so all your emails are forwarded to their mailbox without your knowledge. This allows criminals to keep tabs on your business activity and spend time learning how you communicate, in terms of tone and types of requests.”
By studying your behaviour, criminals are able to mimic your requests, meaning their fake request won’t seem out of the ordinary. Dell says, “You can prevent this from happening by regularly changing your email passwords, periodically checking that no auto-forward rules are enabled in your mailbox, and using two-factor authentication for email and payments where possible”.
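One way to make the auto-forward check above routine rather than a manual glance at mailbox settings is to pull every inbox rule and flag the ones that send mail outside the business, hide the forwarded copies, or filter on payment-related words. The script below is an added example and is not part of the NAB article; it assumes the rule list is in the JSON shape returned by Microsoft Graph’s `/users/{id}/mailFolders/inbox/messageRules` endpoint, the three rules are constructed sample data (one of them mimics a typical attacker rule), and `INTERNAL_DOMAINS` stands in for the business’s own domain.

```python
"""Audit mailbox inbox rules for the forwarding tricks used in BEC.

Added example, not the article's own code. The rules below are a constructed
sample in the JSON shape Microsoft Graph returns for a user's inbox
messageRules; in practice you would fetch that JSON with an authenticated
request, then pass the parsed list to audit_rules().
"""
import json

INTERNAL_DOMAINS = {"example.com"}  # assumption: replace with your own domain(s)

# Words that attacker rules commonly filter on so only payment traffic is diverted.
FINANCE_KEYWORDS = {"invoice", "payment", "bank", "account", "transfer", "remittance"}

# Constructed sample: two benign rules and one rule of the kind an attacker
# creates after stealing credentials (single-character name, external forward,
# forwarded copies deleted so the owner never sees them).
SAMPLE_RULES_JSON = """
[
  {"displayName": "Newsletters", "isEnabled": true,
   "conditions": {"senderContains": ["newsletter@example.com"]},
   "actions": {"moveToFolder": "folder-id-1", "stopProcessingRules": true}},
  {"displayName": "Copy to assistant", "isEnabled": true,
   "conditions": {"subjectContains": ["travel"]},
   "actions": {"redirectTo": [{"emailAddress": {"name": "Assistant",
                                                "address": "assistant@example.com"}}]}},
  {"displayName": ".", "isEnabled": true,
   "conditions": {"bodyOrSubjectContains": ["invoice", "payment", "bank"]},
   "actions": {"forwardTo": [{"emailAddress": {"name": "",
                                               "address": "mail.backup2016@gmail.com"}}],
               "delete": true, "markAsRead": true}}
]
"""


def _recipient_addresses(recipients):
    """Extract plain addresses from a Graph recipient list (key may be absent)."""
    return [r["emailAddress"]["address"].lower() for r in (recipients or [])]


def _is_external(address, internal_domains):
    return address.rpartition("@")[2] not in internal_domains


def audit_rules(rules, internal_domains=INTERNAL_DOMAINS):
    """Return one finding per rule that forwards or redirects mail outside the
    organisation, hides that mail from the owner, or diverts payment-related mail."""
    findings = []
    for rule in rules:
        actions = rule.get("actions") or {}
        conditions = rule.get("conditions") or {}
        reasons = []

        # Any forward/redirect to an address outside the business is the core indicator.
        external = []
        for key in ("forwardTo", "forwardAsAttachmentTo", "redirectTo"):
            for addr in _recipient_addresses(actions.get(key)):
                if _is_external(addr, internal_domains):
                    external.append((key, addr))
        for key, addr in external:
            reasons.append(f"{key} sends mail outside the organisation: {addr}")

        # Forwarding combined with delete/mark-read/move hides the activity from the owner.
        hides = [k for k in ("delete", "permanentDelete", "markAsRead", "moveToFolder")
                 if actions.get(k)]
        if external and hides:
            reasons.append("forwarded mail is also hidden from the owner: " + ", ".join(hides))

        # Conditions that single out invoices and payments are suspicious when
        # paired with forwarding or hiding, even if the forward is internal.
        words = set()
        for key in ("bodyContains", "subjectContains", "bodyOrSubjectContains"):
            words.update(w.lower() for w in (conditions.get(key) or []))
        hits = sorted(words & FINANCE_KEYWORDS)
        if hits and (external or hides):
            reasons.append("filters on payment-related words: " + ", ".join(hits))

        if reasons:
            findings.append({"rule": rule.get("displayName", ""),
                             "enabled": rule.get("isEnabled", True),
                             "reasons": reasons})
    return findings


def load_sample_rules():
    return json.loads(SAMPLE_RULES_JSON)


if __name__ == "__main__":
    for finding in audit_rules(load_sample_rules()):
        status = "enabled" if finding["enabled"] else "disabled"
        print(f"[{status}] rule {finding['rule']!r}")
        for reason in finding["reasons"]:
            print("   -", reason)
```

Run against the sample, only the “.” rule is reported, with three reasons; the newsletter and assistant rules are left alone because they neither leave the organisation nor touch payment mail. Disabled rules are still reported, since an attacker can re-enable one later.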
Raise awareness and trust your gut
Raising awareness of these types of scams with your employees is crucial. Many people might think it won’t happen to them, or that they would notice if something were amiss. Dell says, “Criminals rely on a tactic known as ‘social engineering’: they will often convey authority by impersonating someone senior in your business, or create panic by insisting a matter is urgent”. But no one knows your colleagues, clients and suppliers better than you, so trust your gut. Dell says, “If an email doesn’t sound right, for example, if someone is requesting something out of the blue, pressing you for urgent action, or their tone seems out of the ordinary, question it.”
It’s important that your business has processes in place to verify payment requests or changes to payment details. This can be as simple as checking the requester’s email address carefully, and calling them to confirm the request before you action any payments or account detail changes. Use the contact details you already have on file, not a phone number or address given in the email itself, since a criminal will happily supply their own.
It’s especially important to do this if account details change, or if the payment appears out of the ordinary. You can also consider having a secondary authoriser for payments on NAB Connect.
Dell continues, “If your business does receive a CEO phishing email or fake invoice, share it around with your colleagues to raise awareness of the issue. It allows employees to see real examples and know what to look out for in the future”.
The CEO of a large Australian company had his corporate email account compromised by criminals, who carefully researched the nature of requests normally made by the CEO. They sent a request to the company’s accounts department to transfer a large sum overseas. Shortly after actioning the transfer, the employee realised the request had been strangely written and called the CEO who confirmed he had not requested the transfer. The employee quickly called their banker who prevented the transfer from being processed.
Things to look out for:
- Requests for payment from a regular supplier to a new account
- Requests to transfer funds which bypass normal channels
- Urgent requests, or instructions to keep the transfer confidential/secret
- Emails from a slightly different email address, or emails with a different ‘reply to’ address
- Phrases like “kindly”, “code to admin expenses”, or “urgent wire transfer”
- The requester claims to be having “phone issues” and may not be contactable by phone
Example of a BEC scam email
From: Company CEO <email@example.com>
Sent: Wednesday, 5 October 2016 1:02 PM
To: Company CFO <firstname.lastname@example.org>
Subject: Request for 5th October 2016
Are you at your desk? I need you to process an international wire transfer for me.
Kindly code it to “admin expenses” by COB today.
Sent from my iPhone
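The indicators in the list above (a lookalike sender address, a different ‘reply to’ address, and phrases such as “kindly”, “admin expenses” and “wire transfer”) can be checked mechanically before a request reaches the person who can approve a payment. The script below is an added example, not code from the NAB article: it parses a raw email with Python’s standard `email` library and reports which indicators it matches. The `KNOWN_SENDERS` directory and both sample messages are constructed; the suspicious one reuses the wording of the example email above but with made-up addresses, and the lookalike test simply measures edit distance between the sender’s domain and the one on file.

```python
"""Score an email against the BEC warning signs discussed above.

Added example, not the article's own code. KNOWN_SENDERS is an assumed
directory mapping the display names of executives to their real addresses;
both sample messages are constructed.
"""
import email
from email import policy
from email.utils import parseaddr

# Assumption: your directory of people whose names are worth impersonating.
KNOWN_SENDERS = {"company ceo": "ceo@example.com"}

# Phrases from the "things to look out for" list, plus a few close variants.
PHRASES = ["kindly", "admin expenses", "wire transfer", "urgent", "confidential",
           "keep this between us", "phone issues", "new account"]

# Constructed sample: same wording as the article's example, with a lookalike
# domain (examp1e.com), an external Reply-To, and a "phone issues" excuse.
SUSPICIOUS_SAMPLE = """\
From: Company CEO <ceo@examp1e.com>
Reply-To: Company CEO <ceo.office.mail@gmail.com>
To: Company CFO <cfo@example.com>
Date: Wed, 5 Oct 2016 13:02:00 +1100
Subject: Request for 5th October 2016

Are you at your desk? I need you to process an international wire transfer for me.
Kindly code it to "admin expenses" by COB today. I am in meetings and having phone issues.

Sent from my iPhone
"""

# Constructed sample: an ordinary internal message from the real address.
BENIGN_SAMPLE = """\
From: Company CEO <ceo@example.com>
To: Company CFO <cfo@example.com>
Subject: Board papers

Are you free at 3pm to go through the board papers?
"""


def levenshtein(a, b):
    """Edit distance; small values between domains suggest a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _body_text(msg):
    if msg.is_multipart():
        part = msg.get_body(preferencelist=("plain",))
        return part.get_content() if part else ""
    return msg.get_content()


def _sender_check(name, addr):
    """Compare the display name against the directory and the address on file."""
    expected = KNOWN_SENDERS.get(name.strip().lower())
    if not expected or addr.lower() == expected:
        return None
    dom, exp_dom = addr.rpartition("@")[2].lower(), expected.rpartition("@")[2]
    if dom != exp_dom and levenshtein(dom, exp_dom) <= 2:
        return f"lookalike domain: {addr} resembles {expected}"
    return f"display name '{name}' but address {addr} is not the one on file ({expected})"


def bec_indicators(raw_message):
    """Return the list of BEC indicators matched by a raw RFC 822 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    indicators = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    sender_issue = _sender_check(from_name, from_addr)
    if sender_issue:
        indicators.append(sender_issue)

    # A Reply-To that differs from From routes the victim's answer to the criminal.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.lower() != from_addr.lower():
        indicators.append(f"Reply-To {reply_to} differs from From {from_addr}")

    text = (msg.get("Subject", "") + "\n" + _body_text(msg)).lower()
    hits = [p for p in PHRASES if p in text]
    if hits:
        indicators.append("pressure or payment phrases: " + ", ".join(hits))
    return indicators


if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        found = bec_indicators(sample)
        print(f"{label}: {len(found)} indicator(s)")
        for item in found:
            print("   -", item)
```

The suspicious sample trips all three checks, the benign one none. A check like this belongs in front of the payments team as a prompt to pick up the phone, not as a replacement for the call-back process described above: a criminal writing from the executive’s real mailbox will pass the address checks and only the phrasing will stand out.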
Steps to protect your business
- Check any auto-forward rules on your email account – cyber criminals may intercept emails by forwarding them to a separate mailbox
- Keep anti-virus software up to date on your computer
- Use strong passwords and two-factor authentication where possible (an extra layer of security using an additional authentication method e.g. a code sent by SMS)
- Confirm the transfer request with the requester over the phone, especially if the payment details change or if the request is out of the ordinary
- Be aware of how much information is posted on company websites and LinkedIn
- Speak to your banker about adding extra layers of security when using NAB Connect
For further information
If you believe your business has been impacted by a BEC scam, please contact NAB on 13 10 12 (for Internet Banking users) or the NAB Connect Client Centre on 1300 888 413.
Managing the threat of a cyber attack is a vital part of running any business in this new digital age. If you are looking for more information about how to protect your business from such threats, visit these sites:
- For easy to understand computer security advice for home use and SME business, visit staysmartonline.gov.au
- To see the latest scams, or to report a scam, visit scamwatch.gov.au
- For more information on protecting your business online, visit nab.com.au/security
- The Australian Cybercrime Online Reporting Network (ACORN) is a secure reporting and referral service for cybercrime and online incidents that may be in breach of Australian law. Certain reports will be directed to Australian law enforcement and government agencies for further investigation. report.acorn.gov.au