Advice from business leaders and industry experts
cyber.gov.au | 15 February 2019
Imagine a customer receives an email from one of your business’s email accounts requesting payment of an invoice. Your customer opens the invoice and pays using the bank details provided in the invoice.
Just one problem – the account’s financial details are fake!
Your business just became one of the thousands of Australian businesses caught up in a business email compromise.
Business email compromise, or BEC, is a scam where a cybercriminal impersonates a legitimate business or representative to trick an employee, customer or vendor into transferring money or sensitive information.
Here are 4 types of BEC scams:
Because these scams are usually well-researched and rely more on social manipulation than technical exploits (such as malicious links or attachments), they can get through anti-virus programs and spam filters.
For months Melbourne retailer Phoebe Bell believed she was emailing one of her suppliers. In reality, she was communicating with a cybercriminal who would eventually steal $10,000 from her homewares business, Sage & Clare.
Bell says she never had any reason to doubt she was communicating with the real supplier. ‘The language, tone of voice, fonts, graphics – it was all the same,’ she points out. ‘This was a highly polished scam created purely to target small businesses and fleece them of their hard-earned money.’
After Bell paid the supplier, a series of strange emails saying there had been a problem with the payment prompted her to call the supplier directly. The supplier said they hadn’t heard from her in months, at which point Bell realised she’d been the victim of a scam.
When reflecting on what BEC has cost her, Bell notes that ‘it’s a big loss for a small business … it hits hard.’
Bell believes cybercriminals see small businesses as easy targets because they don’t usually have many account processes in place.
Now that you know what to look out for, the best defence for your business is teaching your staff to be on the lookout for the following warning signs:
Remember: if something doesn’t feel right, it probably isn’t.
Encourage your staff to trust their instincts and check anything suspicious by picking up the phone and speaking directly to the requester, whether that be a supplier or your business’s CEO, before paying accounts. Use a phone number obtained from an independent source, such as the company’s website. If the email originates from an internal account, staff should ring the email account owner and alert your business’s ICT team.
If you don’t have one already, consider introducing a purchase order system to your business. The Business Victoria financial policy and procedures template can help.
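The two controls just described, a purchase order system and phone verification using a number obtained independently of the email, can be turned into a simple payment gate. The Python below is an added example, not code from cyber.gov.au or from any business named in this article: the vendor record, the open purchase orders, the two invoice emails, the domain names and the bank details are all constructed, and the regular expressions that pull a BSB and account number out of the email body are an assumption about how Australian invoices are usually written. It holds any invoice whose sender or reply-to domain, bank details or purchase order reference do not match what is on file, and tells staff to ring the number on file rather than anything in the message.

```python
"""Invoice verification gate for accounts staff.

Added example; not cyber.gov.au's code. Vendor master data, open purchase
orders and the sample emails are constructed below; a real deployment
would read them from the accounts package.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class VendorRecord:
    name: str
    email_domain: str      # domain the vendor normally emails from
    bsb: str               # bank details on file, digits only
    account: str
    phone_on_file: str     # sourced independently (vendor website), never from an email


@dataclass
class InvoiceEmail:
    from_address: str
    reply_to: str
    po_number: Optional[str]
    body: str


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].strip().lower()


def extract_bank_details(body: str):
    """Pull an Australian BSB and account number out of invoice text.

    Returns (bsb, account) as digit strings, or None for a field not found.
    The patterns are an assumption about common invoice wording.
    """
    bsb = re.search(r"\bBSB[:\s]*(\d{3})[- ]?(\d{3})\b", body, re.IGNORECASE)
    acct = re.search(r"\bAccount(?:\s+(?:number|no\.?))?[:\s]*(\d{6,10})\b", body, re.IGNORECASE)
    return (
        bsb.group(1) + bsb.group(2) if bsb else None,
        acct.group(1) if acct else None,
    )


def assess_invoice(invoice: InvoiceEmail, vendor: VendorRecord, open_pos: set) -> dict:
    """Decide whether an invoice can be paid or must be verified out of band.

    Any single finding holds the payment; the action always points staff at
    the phone number on file, not at any contact detail in the email.
    """
    findings = []
    sender, reply = _domain(invoice.from_address), _domain(invoice.reply_to)
    if sender != vendor.email_domain:
        findings.append(f"sender domain {sender!r} is not the vendor's {vendor.email_domain!r}")
    if reply != sender:
        findings.append(f"replies would go to {reply!r}, not to the sending domain")
    bsb, acct = extract_bank_details(invoice.body)
    if (bsb and bsb != vendor.bsb) or (acct and acct != vendor.account):
        findings.append("bank details in the invoice differ from the vendor record")
    if invoice.po_number not in open_pos:
        findings.append(f"no open purchase order matches {invoice.po_number!r}")
    if findings:
        return {"decision": "hold", "findings": findings,
                "action": f"phone {vendor.name} on {vendor.phone_on_file} before paying"}
    return {"decision": "proceed", "findings": [], "action": "pay against the purchase order"}


# Constructed sample data: not real businesses, domains or bank details.
VENDOR = VendorRecord("Acme Ceramics (constructed)", "acme-ceramics.example",
                      "062000", "12345678", "+61 3 0000 0000")
OPEN_POS = {"PO-1042"}
SUSPECT = InvoiceEmail(
    from_address="accounts@acme-ceramics.example",
    reply_to="accounts@acme-ceramics-billing.example",
    po_number="PO-1042",
    body="Invoice 2291 is attached. Please note our new banking details:\n"
         "BSB: 033-999\nAccount number: 87654321",
)
GENUINE = InvoiceEmail(
    from_address="accounts@acme-ceramics.example",
    reply_to="accounts@acme-ceramics.example",
    po_number="PO-1042",
    body="Invoice 2290 attached. Pay to BSB 062-000, Account 12345678 as usual.",
)

if __name__ == "__main__":
    for label, inv in (("suspect", SUSPECT), ("genuine", GENUINE)):
        result = assess_invoice(inv, VENDOR, OPEN_POS)
        print(label, result["decision"], result["findings"], "->", result["action"])
```

The gate is deliberately blunt: it does not try to decide whether an email is fraudulent, only whether anything about it differs from the vendor record, because the article's point is that a polished BEC email looks genuine and the reliable check is a phone call to a number you already hold.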
If you have sent money or banking details to a scammer, contact your bank immediately.
If any of your customers’ personally identifiable information has been compromised, mandatory reporting to the Office of the Information Commissioner (OAIC) may be required under the reportable data breaches scheme.
If you have been a victim of a cybercrime such as fraud, report it to the Australian Cybercrime Online Reporting Network (ACORN).
Scams should also be reported to the Australian Competition and Consumer Commission’s Scamwatch.
For further information on how to avoid BEC take a look at the Australian Cyber Security Centre’s BEC advice.
For information on the latest online threats and tips on how to manage them, sign up to Stay Smart Online’s free alert service.
To report a cyber security incident, call 1300 CYBER1 (1300 292 371) or go to www.cyber.gov.au