Email is an essential communication tool for businesses. However, with the rise of cybercrime, organisations face a growing threat called Business Email Compromise (BEC). BEC scams target businesses of all sizes to deceive employees into transferring funds, revealing sensitive information, or initiating fraudulent activities. In this blog post, we will explore Business Email Compromise, its common techniques, and vital steps to protect your organisation from falling victim to these costly scams.
Business Email Compromise refers to a type of cyberattack in which fraudsters gain unauthorised access to a company's email accounts, usually by exploiting human vulnerabilities rather than relying on technical weaknesses. These scams are sophisticated and frequently involve impersonating executives, suppliers, or clients to deceive employees and manipulate them into taking unauthorised actions.
According to the Australian Cyber Security Centre (ACSC), 2021-22 saw self-reported losses from BEC substantially increase, totalling over $98 million. On a national scale, the average financial loss per successful BEC incident surged to exceed $64,000.
Scamwatch data revealed that businesses of all sizes were targets. Small and micro businesses incurred a staggering $13.7 million in losses due to scams. This was a surge of 95% from 2021, with BEC emerging as the primary contributing factor.
Phishing Emails
Fraudsters send convincing emails that mimic legitimate business correspondence, urging recipients to disclose sensitive information, initiate wire transfers, or click on malicious links.
CEO Fraud
Attackers impersonate high-level executives, using their authority to request urgent transfers of funds or confidential information from employees.
Invoice and Payment Fraud
Scammers pose as legitimate suppliers or vendors, tricking employees into changing payment details or transferring funds to fraudulent accounts.
Account Compromise
By gaining unauthorised access to an employee's email account, attackers monitor conversations, collect intelligence, and initiate fraudulent activities under the employee's identity.
While educating employees is the most effective way of defending your business from the threat of BEC, there are a number of other methods that can be used to further reduce the risk of a successful attack.
Employee Education
Conduct regular cybersecurity awareness training sessions to educate employees about the risks and warning signs of BEC scams. Teach them to verify sender email addresses, scrutinise emails for urgent or unusual requests, and encourage reporting of suspicious emails.
Multi-Factor Authentication (MFA)
Enable MFA for all email accounts to add an extra layer of security. This ensures that even if passwords are compromised, unauthorised access is prevented.
Email Security
Implement email filtering solutions that can detect and block malicious emails, phishing attempts, and suspicious attachments or links.
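To show the kind of check a filtering layer can run against the CEO-fraud and invoice-fraud patterns described above, here is an added example (not code from the original post or from Step Fwd IT) that triages a raw message for three BEC indicators: an executive's display name on a sender outside the company domain, a Reply-To that redirects replies to a different domain, and urgent payment or bank-detail language in the body. The company domain, executive names and sample messages are all constructed for the example.

```python
"""Heuristic BEC triage for inbound mail (constructed example)."""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com.au"              # assumed company domain
EXECUTIVES = {"jane doe", "sam lee"}       # assumed executive display names
URGENT_PAYMENT = re.compile(
    r"\b(urgent|immediately|wire transfer|new bank|"
    r"update.*(bank|payment) details)\b", re.I)

def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()

def bec_indicators(raw: str) -> list:
    """Return the list of indicator names found in one raw RFC 822 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    flags = []
    # CEO-fraud pattern: known executive's name, but sent from outside the org.
    if name.strip().lower() in EXECUTIVES and domain_of(addr) != ORG_DOMAIN:
        flags.append("exec-name-external-sender")
    # Invoice-fraud pattern: replies silently routed to a different domain.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and domain_of(reply_to) != domain_of(addr):
        flags.append("reply-to-domain-mismatch")
    # Collect text/plain parts (handles both single-part and multipart mail).
    text = ""
    for part in (msg.walk() if msg.is_multipart() else [msg]):
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            text += payload.decode(part.get_content_charset() or "utf-8", "replace")
    if URGENT_PAYMENT.search(text):
        flags.append("urgent-payment-language")
    return flags

# Constructed samples: a lookalike-executive request, a supplier payment-change
# request with a redirected Reply-To, and a benign internal message.
CEO_FRAUD = """From: Jane Doe <jane.doe.ceo@mail-example.net>
To: accounts@example.com.au
Subject: Urgent wire transfer

I need an urgent wire transfer to a supplier today. I am in a meeting,
reply here and I will send the new bank details.
"""
SUPPLIER_FRAUD = """From: Accounts <accounts@supplier.example>
Reply-To: Accounts <accounts@supplier-example.org>
To: accounts@example.com.au
Subject: Invoice 1042

Please update our payment details to the account below before paying.
"""
BENIGN = "From: Sam Lee <sam.lee@example.com.au>\nSubject: Lunch\n\nThursday?\n"
```

Any non-empty result is a cue to hold the request and verify it through a known contact rather than by replying to the email.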
Vendor/Supplier Verification
Establish strict verification procedures for changes to vendor or supplier payment details. Independently confirm any requests for financial changes through a known and verified contact.
Strong Password Policies
Enforce strong password policies across the organisation. Encourage employees to use unique, complex passwords and regularly update them.
Encrypted Communications
Utilise secure communication channels, such as encrypted email services or Virtual Private Networks (VPNs), to protect sensitive information.
Payment Approval Processes
Implement multi-level approval processes for financial transactions, especially for wire transfers and large payments. This ensures that no single individual has the sole authority to initiate such transactions.
Incident Response Plan
Develop and regularly update an incident response plan that outlines the steps to be taken in case of a suspected or confirmed BEC incident. This plan should include a designated team, communication protocols, and contact information for law enforcement.
Business Email Compromise scams continue to evolve and pose significant financial risks to organisations around the globe. By understanding the tactics employed by scammers and implementing proactive security measures, businesses can mitigate the threat of BEC. Educating employees, enhancing email security, and establishing robust processes can help safeguard your organisation from falling victim to these costly scams. Remember, vigilance and a proactive approach are crucial in defending against Business Email Compromise.
At Step Fwd IT, our cybersecurity experts will collaborate with you to ensure they tailor a comprehensive solution to meet the unique requirements of your organisation. This is what we call our 'You. Us. Together.' approach, which truly sets us apart.