What is Business Email Compromise? and How to Avoid it

 It can take many forms, but in most cases, scammers will target employees with access to company finances, attempting to trick them into bypassing checks and balances and transferring money to bank accounts the crooks control. Often, they will gain access to a company’s network via spear-phishing, malware and fake email accounts and websites.

Undetected, they may spend long periods researching its vendors, billing systems and even its employees, especially top executives or those in accounts payable.

Next, they will select a legitimate invoice from a trusted associate or supplier and modify it, for example, by changing the bank account and contact details. They will then send this “invoice” to the targeted company from an email address that looks similar to that of the supplier or associate, requesting payment.

The Brisbane City Council recently suffered such an attack, reportedly losing $450,000 after making nine transfers to the bank accounts of BEC scammers.

The cybercriminals pretended to be one of the council’s professional services suppliers, provided fake invoices and email addresses, and informed the council that their bank account details had changed. In an even more sinister version of BEC, scammers will attempt to impersonate a senior executive by studying his or her email communications style and travel plans.

When the time is right, often when that executive is out of the office, they will send an email that looks like it’s from him or her to a targeted employee, requesting that money be urgently transferred. They may even follow this up with a phone call or impersonate other senior executives.

In one case recently reported by the Australian Cyber Security Centre, cybercriminals posed as the CEO and chief operating officer (COO) of a large business and then sent a fake email, purporting to be from the CEO (who was travelling at the time), requesting a large payment be made by the financial controller.

A second email, purporting to be from the COO, was then sent to the financial controller. This email contained a false email trail approving the CEO’s request for payment. Not realising this was a scam, two payments were made to overseas bank accounts, together totalling almost US$500,000.

Unfortunately, BEC attacks are on the rise in Australia. Losses of over $20 million were reported to the Australian Cybercrime Online Reporting Network in 2016/17 – a whopping 230 per cent jump from $8.6 million the previous financial year. But because of misreporting and underreporting, these numbers are believed to be just the tip of the iceberg. So how can you protect your organisation from BEC?

Since employees are usually the target, equip them with the skills and tools to spot threats and respond effectively.

Communications

Don’t just rely on email. Encourage employees to actively verify money transfer requests, for example, by walking into senior executives’ offices or by speaking to them directly on the phone.

Verification

Have systems in place to validate all changes in vendor payment details. If this is done by phone, ensure previously known phone numbers are used, not those in the email request.

Protect with technology

Independent third-party verification systems such as EFTsure’s “Know Your Payee” Solution automate payment checking and supplier verification, saving time on manual processes and reducing human error.

Emails

The FBI advises establishing intrusion detection system rules that flag emails with extensions that are similar to company emails. Also create an email rule to flag email communications where the “reply” email address is different from the “from” address shown. And introduce colour code virtual correspondence so emails from employee/internal accounts are one colour and emails from non-employee/external accounts are another.

Test your systems

Tools exist to help you assess how vulnerable your company is to phishing and malware and where improvements should be made.