There are plenty of cyber threats out there. And one of the most insidious is the Business Email Compromise (BEC) scam.
This is a form of cyber attack where a scammer impersonates a high-ranking executive – usually through email – to trick an employee, client, or supplier into transferring money or sensitive information.
It’s become a pretty sophisticated form of fraud, far removed from the easy-to-spot phishing scams we’re used to.
The illusion of authenticity in BEC scams is what makes them so dangerous and effective. As per the Australian Competition & Consumer Commission (ACCC), Aussies lost over $227 million to BEC scams in 2021 alone. That’s a pretty stark indication of the scale and impact of these scams.
Small to Medium Enterprises (SMEs) are particularly vulnerable to BEC scams. This is because they have limited resources compared to larger corporations.
This makes them attractive targets for BEC scammers.
In this article, we’ll go over the threat of BEC scams, offer insight into spotting potential scams, and provide actionable steps that SMEs can take to protect their digital and financial assets.
Understanding the BEC Scam
As we mentioned above, a BEC scam is a type of targeted attack where cyber criminals impersonate a company’s senior executive to trick employees or other businesses into transferring money or revealing confidential information.
It’s such a successful form of cybercrime because it bypasses traditional security measures by exploiting a vulnerability that can’t be easily patched – human error.
Generic phishing attempts send out masses of emails hoping someone will take the bait.
BEC scams, however, are different. They’re often highly sophisticated, targeted, and well-researched.
Attackers conduct extensive reconnaissance to understand their target organisation’s structure, operations, and communications.
They might spend weeks or even months studying their intended victims. They’ll learn the ins and outs of their roles, responsibilities, and relationships with others within the organisation.
Their approach is meticulous. And it allows them to craft highly convincing email content that can fool even the most vigilant recipient.
BEC Scam Techniques
BEC scammers employ a number of techniques to make their email impersonation credible.
They often use email spoofing, where the email appears to come from a legitimate source. Or, they compromise actual email accounts through malware and social engineering.
Attackers can also manipulate the email reply chain, for example by setting a Reply-To address so that responses are redirected to an address they control.
So what’s the end game? Typically it involves a request for a money transfer to a fraudulent account or an urgent demand for confidential data.
Remember, they’ve built up to this. By this point, the request often appears legitimate, coming from a trusted individual. As such, many recipients unwittingly comply, leading to financial losses or data breaches.
The BEC scam is effective because it plays on two fundamental aspects of human nature – trust and authority. It is therefore critical to understand its mechanics to reduce your risk and protect your business.
The Rising Threat of BEC Scams
The threat of BEC scams is growing significantly, especially for SMEs. From 2021-2022 the ACSC saw an average loss of $64,000 per BEC report.
Western Australia was the worst hit state during this time period, with an average loss of $112,000 per successful BEC attack.
In a notable incident from July 2021, attackers defrauded an Australian finance company of more than $600,000 through a cleverly executed BEC scam.
The attackers presented a fraudulent invoice that convincingly mirrored one from a familiar business partner. Unwittingly, the finance company paid the invoice, not realising the bank account details had been subtly changed to an account controlled by the attackers.
The stolen funds were then obscured through purchases of cryptocurrency, gold bullion, and various other transactions, including direct cash withdrawals.
Fast forward to April 2022, an operation named “Operation Dolos”, involving AFP Cyber Command, NSW Police, and Victoria Police led to the arrest of a member of the syndicate responsible for laundering the proceeds.
$140,000 of the stolen funds were recovered and returned to the defrauded firm.
How to Identify a BEC Scam
Understanding how to identify a BEC scam is crucial to avoid falling into their traps. Here are some key signs.
- Unexpected Email Request for Financial Transfers: This is perhaps the most obvious sign. Be cautious if you receive an unusual email request for a money transfer, especially if it’s urgent or confidential. Scammers often impersonate senior executives or business partners to make the request appear legitimate.
- Changes to Established Banking Details: Take heed if you receive an invoice or payment request where the bank account details have changed without prior notification. Before making any payment, verify the new details with the supposed sender using a different communication channel.
- Poor Email Etiquette: Watch out for emails with poor grammar and spelling, or odd phrasing. Also, pay close attention to any discrepancies in email addresses or domain names. They might appear similar to the legitimate ones but often have slight alterations. See below for an example.
- Unexpected or Last Minute Changes to Business Agreements: Scammers may pose as vendors or clients and make last-minute changes to ongoing contracts, particularly concerning payment or delivery details.
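The lookalike-domain and reply-chain signs above can be checked mechanically before a message reaches the person who approves payments. The following is an added example (not code from the original article): it parses a constructed CEO-fraud style email with Python’s standard `email` module and flags a Reply-To domain that differs from the sender, a sender domain that is a homoglyph or near-miss of your own, an executive’s display name on an external address, and the urgency and secrecy wording typical of these requests. The domain names, the executive name and the cue words are assumptions made for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample message in the style of a CEO-fraud request (not a real email).
SAMPLE_RAW = """From: "Jane Citizen" <jane.citizen@examp1e-corp.com>
Reply-To: accounts@mail-example-corp.net
To: payments@example-corp.com
Subject: Urgent wire transfer - confidential
Date: Mon, 03 Jul 2023 09:12:00 +1000

Hi, I need you to process a payment today. Keep this between us for now.
"""

# Assumed organisation data: your own domain(s) and executives who should
# only ever appear with an internal address.
OWN_DOMAINS = {"example-corp.com"}
KNOWN_EXECUTIVES = {"jane citizen"}
PRESSURE_CUES = ("urgent", "confidential", "between us", "wire transfer")


def normalise(domain):
    """Collapse common homoglyph substitutions (0/o, 1/l, 3/e, 5/s, rn/m)."""
    return domain.lower().replace("rn", "m").translate(str.maketrans("0135", "olse"))


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character near misses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyse_message(raw):
    """Return a list of human-readable findings; an empty list means no BEC signs found."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(from_addr)
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    reply_dom = domain_of(reply_addr)

    # Reply-chain manipulation: replies would go somewhere other than the apparent sender.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")

    # Lookalike domain: close to a trusted domain but not identical to it.
    for trusted in OWN_DOMAINS:
        if from_dom != trusted and (
            normalise(from_dom) == normalise(trusted) or edit_distance(from_dom, trusted) <= 2
        ):
            findings.append(f"sender domain {from_dom} looks like trusted domain {trusted}")

    # An executive's display name arriving from an external address.
    if from_name.lower() in KNOWN_EXECUTIVES and from_dom not in OWN_DOMAINS:
        findings.append(f"display name '{from_name}' matches an executive but address is external ({from_addr})")

    # Urgency and secrecy wording used to push the recipient into acting without verifying.
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower() + " " + str(msg.get("Subject", "")).lower()
    for cue in PRESSURE_CUES:
        if cue in text:
            findings.append(f"pressure cue in message: '{cue}'")

    return findings


if __name__ == "__main__":
    for line in analyse_message(SAMPLE_RAW):
        print("FLAG:", line)
```

A message that trips any of these checks should be held and verified through a known phone number, never by replying to it. The homoglyph table and the two-character distance threshold are deliberately conservative; tune them against your own partner list so that genuine vendor domains are not flagged.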
Types of BEC Scams
There are different variants of BEC scams. Each has its own unique approach but ultimately shares the same goal – to trick you into sending money to the wrong account. Two notable variants include:
- CEO Fraud: In this scenario, cybercriminals impersonate a high-ranking executive, often the CEO, sending an email to an employee with the authority to make payments. The message typically requests an urgent or confidential money transfer.
- Invoice Scam: Here, attackers pretend to be trusted vendors or suppliers. They send counterfeit invoices or, in more sophisticated instances, infiltrate genuine email threads. The invoices often look legitimate but feature new bank account details.
Awareness is your best defence against BEC scams. By learning to spot these signs and variants, you can significantly reduce your business’s risk of falling victim to these scams.
Effective Strategies to Prevent BEC Scams
While the sophistication of BEC scams continues to grow, there are several effective strategies your business can adopt to mitigate the risk:
- Verify Requests: Always independently verify any requests for money transfers or changes to payment details. Do not rely solely on the contact information provided in the suspicious email. Instead, use previously known contact details or reach out directly through a different communication channel.
- Multi-Factor Authentication (MFA): Implement MFA for all email accounts and systems within your organisation. MFA adds an additional layer of security, making it more difficult for attackers to gain access even if they have your password.
- Implement Secure Email Gateways: Deploying secure email gateways can help filter out malicious emails and phishing attempts, reducing the likelihood of a BEC scam reaching your inbox.
- Regular System Updates: Ensure your systems and software are regularly updated. Cybercriminals often exploit vulnerabilities in outdated systems, so keeping everything updated is vital.
- Monitor Financial Transactions: Regularly check your financial transactions for any irregularities, such as a higher than usual number of invoices from particular vendors, or frequent changes to vendor bank details.
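The “Monitor Financial Transactions” step above is easy to automate against an accounts-payable export. This is an added example, not code from the original article: it runs over a constructed invoice ledger and a vendor master of bank details that were verified out-of-band at onboarding, flags any invoice whose BSB or account number differs from the verified record, and flags a vendor whose invoice count in the latest month is far above its monthly baseline. The vendor names, bank details and the spike factor are assumptions made for the example.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed vendor master: bank details confirmed by phone when each vendor was onboarded.
VENDOR_MASTER = {
    "Acme Supplies": {"bsb": "062-000", "account": "12345678"},
    "Bright Logistics": {"bsb": "033-000", "account": "87654321"},
}

# Constructed invoice ledger for this example (not real data).
INVOICES = [
    {"vendor": "Acme Supplies", "invoice": "A-1001", "date": date(2023, 5, 2), "bsb": "062-000", "account": "12345678", "amount": 4200.00},
    {"vendor": "Acme Supplies", "invoice": "A-1002", "date": date(2023, 6, 1), "bsb": "062-000", "account": "12345678", "amount": 4350.00},
    {"vendor": "Acme Supplies", "invoice": "A-1003", "date": date(2023, 7, 3), "bsb": "062-000", "account": "12345678", "amount": 4100.00},
    # Same vendor, same look, but the bank details have quietly changed.
    {"vendor": "Acme Supplies", "invoice": "A-1004", "date": date(2023, 7, 5), "bsb": "012-345", "account": "99999999", "amount": 4300.00},
    {"vendor": "Bright Logistics", "invoice": "B-77", "date": date(2023, 6, 10), "bsb": "033-000", "account": "87654321", "amount": 980.00},
    # A vendor that normally sends one invoice a month suddenly sends five.
    {"vendor": "Bright Logistics", "invoice": "B-78", "date": date(2023, 7, 3), "bsb": "033-000", "account": "87654321", "amount": 990.00},
    {"vendor": "Bright Logistics", "invoice": "B-79", "date": date(2023, 7, 6), "bsb": "033-000", "account": "87654321", "amount": 975.00},
    {"vendor": "Bright Logistics", "invoice": "B-80", "date": date(2023, 7, 12), "bsb": "033-000", "account": "87654321", "amount": 1010.00},
    {"vendor": "Bright Logistics", "invoice": "B-81", "date": date(2023, 7, 19), "bsb": "033-000", "account": "87654321", "amount": 960.00},
    {"vendor": "Bright Logistics", "invoice": "B-82", "date": date(2023, 7, 25), "bsb": "033-000", "account": "87654321", "amount": 1005.00},
]


def flag_changed_bank_details(invoices, master):
    """Flag invoices whose payment details differ from the verified vendor record."""
    flagged = []
    for inv in invoices:
        on_file = master.get(inv["vendor"])
        if on_file is None:
            flagged.append((inv["invoice"], "vendor not in master"))
        elif (inv["bsb"], inv["account"]) != (on_file["bsb"], on_file["account"]):
            flagged.append((inv["invoice"], "bank details differ from verified record"))
    return flagged


def monthly_counts(invoices):
    """Count invoices per vendor per (year, month)."""
    counts = defaultdict(Counter)
    for inv in invoices:
        counts[inv["vendor"]][(inv["date"].year, inv["date"].month)] += 1
    return counts


def flag_invoice_spikes(invoices, factor=3):
    """Flag vendors whose latest-month invoice count exceeds `factor` times their prior monthly average."""
    spikes = []
    for vendor, by_month in monthly_counts(invoices).items():
        if len(by_month) < 2:
            continue  # no baseline to compare against
        latest = max(by_month)
        baseline = [count for month, count in by_month.items() if month != latest]
        average = sum(baseline) / len(baseline)
        if by_month[latest] > factor * average:
            spikes.append((vendor, latest, by_month[latest]))
    return spikes


if __name__ == "__main__":
    for invoice_id, reason in flag_changed_bank_details(INVOICES, VENDOR_MASTER):
        print(f"HOLD {invoice_id}: {reason}")
    for vendor, month, count in flag_invoice_spikes(INVOICES):
        print(f"REVIEW {vendor}: {count} invoices in {month[0]}-{month[1]:02d}")
```

An invoice flagged for changed details should be held until the vendor confirms the new account over a phone number already on file, not one printed on the invoice. The spike check only has meaning once a vendor has a few months of history; a brand-new vendor is better handled by the onboarding verification that populates the master record.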
What Else Can You Do?
In addition to these technical measures, human factors also play a critical role in preventing BEC scams. This is where effective training and robust cyber security policies come in:
- Employee Training: Regular and comprehensive cyber security training can help employees understand the threats they face and how to respond. They should know how to spot potential BEC scams and what to do if they suspect a scam.
- Strong Cyber Security Policies: Implement clear policies around financial transactions and communications. For instance, enforce a policy that requires multiple approvals for significant financial transactions, or a policy that mandates a phone call or face to face confirmation for changes to payment details.
Remember, protecting your business against BEC scams is a shared responsibility that involves technical safeguards, operational policies, and well-informed employees. Adopt these strategies, and you can significantly decrease the likelihood of falling victim to these attacks.
Responding to a BEC Scam
Here’s what to do if your business has fallen victim to a BEC scam.
What to Do If Your Business Falls Victim to a BEC Scam
- Respond Immediately: As soon as you detect a BEC scam, it’s crucial to act quickly. Start by contacting your financial institution to stop the payment. If the funds have been transferred to another Australian bank, your bank can submit a recall of funds request. However, success depends on how quickly this is done and the cooperation of the receiving bank.
- Secure Your Systems: Check and secure your email environment, as well as other systems, to prevent further compromise. It may be necessary to change passwords and verify the security of your email accounts.
- Collect and Preserve Evidence: Gather all relevant information about the scam, including email content, transactional details, and any other correspondence related to the scam. This can assist law enforcement in their investigations.
The Importance of Immediate Response and Reporting
Speed is of the essence when responding to a BEC scam. The quicker you act, the higher the chances of recovering your funds. Notifying the appropriate authorities promptly also increases the likelihood of apprehending the scammers and helps prevent others from falling prey to similar scams.
- Reporting the Scam: Report the scam to your local police and the Australian Cyber Security Centre (ACSC) through the ReportCyber portal. If your business is regulated by an industry body like ASIC or APRA, make sure to inform them as well.
- Notifying Staff and Customers: If appropriate, inform your staff, clients, and suppliers about the incident. This transparency allows them to be cautious about potential scams.
Dealing with a BEC scam can be challenging, but a swift response can mitigate the damage. And remember, the best defence against BEC scams is a proactive approach.
Understanding the workings of BEC scams, learning how to identify them, and knowing the steps to take if victimised are critical for every business. However, prevention remains the best cure.
By enforcing strict cyber security measures, implementing continuous employee training, and maintaining a healthy dose of scepticism, you can significantly reduce your vulnerability to these scams.