What is Business Email Compromise And How Can Melbourne Business Owners Avoid it?
Cyber crime is increasing in cost, sophistication and scope, no one can argue with this.
As technology continues to advance, so do the methods of cybercriminals. In today's digital age, businesses rely heavily on email communications for seamless operations.
As such, with increasing connectivity comes the growing risk of cyber threats. One that is causing chaos in businesses is Business Email Compromise (BEC). Business Email Compromise is one of the most sophisticated forms of cybercrime that has become the bane of many businesses.
As per Australian Competiiton and Consumer Commission (ACCC), Australian Business Owners lost a total of $98 million to business email compromise (BEC) scams in 2022. This is an increase of 21% from the previous year. The average amount lost per victim is $64,000.00.
Business Email Compromise attacks have now become one of the main causes of businesses to lose a lot of funds or sensitive information.
To safeguard your Businesses in Australia from the potential financial and reputational damage caused by BEC attacks, it is crucial to understand this and implement proactive measures for prevention.
What Are Business Email Compromise Scams?
Business email compromise scams refer to a form of cybercrime that involves the use of social engineering, which is deceiving a target by impersonating a person know to the target. Simply put, business email compromise scams involve cybercriminals pretending to be a trusted entity, often someone of high rank in a company, to trick targets into carrying out specific tasks.
BEC scams usually follow the same process: a fraudster attempts to dupe a business by posing as an important executive in the company structure, usually someone in charge of releasing and approving payments.
Currently, there are five broad forms of BEC scams:
- bogus invoice method
- CEO fraud
- Account Compromise
- Legal Impersonation
- Data Theft
However all of them will start from someone gaining access to a business's legitimate employee emil account.
Take the account impersonation method for instance. A cyber attacker initiating a BEC scam successfully gets access to a company email account and then proceeds to send an email of urgent importance to the accounting department head (or CFO, depending on company structure) during late business hours.
The idea is to target employees when they are tired, drained, and not alert. The email could be from the CEO's email account, albeit compromised, or an email that is incorrect upon closer inspection.
The false email method is called spoofing and is very effective as humans usually fail to consistently veriy email authenticity. An example is janetsingh@receive.com instead of janetsingh@recieve.com.
The email requests an immediate transfer of funds to a business partner or service provider to balance payment for services rendered. Since this is coming from a supposedly official account and will help the accounting department balance their accounts before the weekend, they do so without giving the details a critical look or confirming via other communication channels. The bank account supplied will surely belong to the hacker(s), and, once the account is credited, the money is irrecoverable.
A more recent form of the account impersonation form of BEC scams is when fraudsters take advantage of the vulnerabilities in online meeting platforms. In this form of BEC scam, fraudsters gain access to a top executive’s login details, create a meeting, and invite the targeted employee. During the meeting, the executive claims to have video and audio connection issues before issuing instructions on funds transfer.
This form was more common during the pandemic when most employees were working from home.
How Your Melbourne Business Owners Can Avoid BEC Scams
Business email compromise scams are usually difficult to tackle, as they are largely targeted at human psychology and weaknesses rather than computers and their vulnerabilities. In other words, increasing your system security does not directly improve your business’ chances against BEC scams.
Here are some measures to incorporate to reduce the chances of BEC scams affecting your Melbourne business:
- Understand BEC scams and the processes
The first element of a strong defense is being aware of the threats and their processes. As a result, all internal and external IT professionals working for your business should be able to recognise common BEC strategies and scenarios such as emails that appear highly important from C-level executives. Also, staff and executives should crosscheck and verify domain names of the sender's email, and also be wary of unfamiliar links embedded in the emails.
- Employee Education
Apart from the senior management, admin and sales staff should also be taught and educated on the issue of BEC scams.
There should be a huge emphasis on Cyber Security Awareness Training Programmes, at XpressteX we can offer this through our Security Focused business model MTR IT P/L
The staff should also be educated on knowing if an email is actually from their boss or if it is a scam.
- Increase Business Email Security
While BEC scams are focused on social engineering, they are also dependent on getting access to email accounts. Instruct your employees to improve the strength of their email login details. Employing features like multi-factor authentication and VPNs is a good option to opt for, and you can also check for an email sender’s IP address to confirm if they are where they should be.
- Create a custom contingency plan for your business
As standard cybersecurity policies go, there is always a chance that your business will be breached. Hence, a strategy or plan should be created to combat the effects of a successful BEC scam on your business. This plan must be as detailed as possible, and every employee should be made aware of this plan. It should be a topic in IT training sessions and seminars for the business.
- Review and strengthen payment processes
The aim of a BEC scam is to make an employee forward funds intentionally or not to a bank the hacker has access to. This is made possible because one employee is usually in charge of the payment process. You can reduce this risk by creating and adding redundancies to the payment process.
You could add a confirmation by one or two other staff to the process, and add a second communication medium likened to a form of MFA to the process such as confirming the person’s identity and request offline.
- Increase your IT department’s knowledge
Your IT department is one of the first lines of defence against hackers and they should be as professional and knowledgeable as possible. Aside from in-house staff, hire external IT professionals for support and to ease the workload on your in-house staff, and you should fund cybersecurity training for interested employees.
If You Do Not Have A Cyber Security Policy In Place For Your Business In Melbourne, Let Us Create One For You.
XpressteX can provide your Melbourne business with the highest level of security against BEC scams. We will help you save money while improving your email network security.
Contact us for to book in a time for an In Depth Strategy Session with Manny A.K.A Head IT Innovator on 1300 991 030