Protecting Against Business Email Compromise

Talk to an Expert

Business Email Compromise (BEC)

How to protect against, detect or recover from it.

Australian companies lose an average of $50,673 per attack

BEC is a fraud technique in which offenders redirect legitimate fund transfers over to alternative accounts. Commonly, offenders intercept legitimate invoices or emails from transaction partners that are known and change the banking details to include fraudulent payment information.

Victims of BEC will unknowingly transfer funds to the offender, which would in turn go unnoticed until the intended recipient of the fund becomes aware and enquires about the payment yet to be received, or the victim becomes aware that the funds have been deposited incorrectly.

The toll on SMB

How BEC is affecting businesses in Australia

Dangerously Deceptive

BEC attacks are particularly difficult to prevent. This is due to the fact that perpetrators rely on social engineering techniques and impersonation to drive people into acting on the attackers behalf, as opposed to employing malware. Threat detection solutions used traditionally to combat BEC attacks that analyse metadata, links and email headers often miss these attack strategies.

BEC attacks do not require advanced tools or tradecraft to execute. As such, they are present in any forms, with the level of sophistication driven by the attacker’s ability and motivation. Attackers will research their target and setup a spoof domain (or compromise a legitimate email) to send a falsified financial email to their target. This can be difficult to detect, with attackers constantly developing more advanced fraud techniques.

Scammed out of Millions

According to the Australian Federal Police (AFP), BEC has resulted in a loss of $79 million to cybercriminals in the past 12 months. Further, BEC scams have occured over 3,300 times in the past twelve months. Despite efforts, police have only managed to retrieve $8.45 million, a fraction of the total loss.

In one case, the AFP assisted an Australian business, which was compromised when offenders who claimed to be staff sent internal invoice emails to the company’s finance area, but with altered bank details. The business processed two payments within a few days – transferring $519,545 and then $2,148,938 to a Singaporean bank account.

The threat is on the rise in Australia

In the tight-lipped world of cybersecurity, it is an open secret that for many years, Australian organisations who fell victim to hackers have been quietly paying millions in ransoms for their data that was stolen or encrypted.

This money has gone to criminal organisations, thus encouraging further attacks and creating an ongoing cycle.

Experts say that Australia along with the rest of the world are facing a “tsunami of cyber crime.”

In the past year, a 55 per cent increase in BEC attacks have been reported, according to the ACSC, government’s cyber security agency.

Increase in BEC attack reports in the past year

mil

Lost to BEC scams in 2020

of cybercrimes in Aus are BEC incidents

Rise in reported losses for 2021 (vs 2020)

WARNING SIGNS

What to look for

There are four standard methods attackers use to impersonate trusted contacts:

Common types of BEC attacks include:

CEO’s and other senior staff members are common targets for impersonation. The attacker will masquerade as the authority figure and request payments or access to sensitive data.

Large financial sums are trasferred routinely in business-to-business relationships. If an attacker can impersonate a supplier successfully, they will attempt to ‘update’ the banking details so that the target sends the next legitimate payment to the attacker’s bank account.

This is a common attack vector, as threat actors can carry it out from almost any corporate email account. Employee Impersonation sees the attacker attempt to replace a legitimate employee’s bank account details with their own – usually under the guise of ‘updating’ their details. The victim company then sends salary payments to the attacker’s bank account.

When impersonating a customer in a B2B relationship, an attacker will utilise counterfeit purchase orders and try to have goods delivered to the attacker for resale.

While impersonating an authority figure, the attacker will request the victim purchase gift cards and email the serial numbers to the attacker, often promising remuneration through expenses. The attacker then sells the gift card serial numbers on the black market.

ACTION PLAN

Our advice and recommendations

BECs can be combatted with relative ease. If you are vigilant against phishing, use strong passwords and 2-factor authentication, implement protective business processes and and train your staff on what to look out for then you can mitigate the likelihood of falling victim to BEC attacks.

If you have been a victim of business email compromise, carry out the following steps:

contact your bank as soon as possible if you’ve send money or bank details to a scammer
report the incident to the ACSC
if any of your email accounts were compromised, change your password for your email account(s), notify anyone affected, and protect your stakeholders with a warning notice on your website informing them of the scam.

The latest on BEC & phishing attacks

Gridware is proud to be a thought-leader in cybersecurity, creating and leading conversations in this space. Check out a selection of our published work from our Sydney based Cyber Defence Centre (CDC), and learn how our cyber expertise has led to partnerships with leading Australian Universities.

How Gridware can help

Training & Awareness

Your users are the last line of defence. Inform them about the latest email threats, and ensure that they understand their fraudulent nature and know how to report them to your security departments. Gridware security awareness training and phishing simulation provides all necessary tools to train your users to recognise and report phishing emails, which will prevent email fraud and data loss.

Security Assessments

As a provider of CREST-approved vulnerability assessment, social engineering and red teaming services, Gridware’s ethical hacking team has extensive experience of assessing organisations’ technology, personnel and processes against the latest attack techniques and helping organisations to address them.

Business Process Consultancy

Business can avoid falling victim to BEC scams with the right business processes in place. Gridware will assess your processes for any weakpoints and advise on how to mitigate the threats. We can also provide an action plan for dealing with potential threats.

Proactive Monitoring

Firewalls and antivirus software are not able to comprehensively defend against the latest types of memory-resident and polymorphic malware.

Our certified security professionals employ cutting-edge threat intelligence to hunt for malware and other cyber threats and help quickly shut them down.

Get in touch today