Don't Be Fooled: Business Email Compromise Scamming Aussie Businesses
Small businesses are the backbone of the Australian economy. But they're also a prime target for hackers, especially when it comes to devious tactics like Business Email Compromise (BEC).
BEC scams are a real threat, costing Australian businesses a staggering $227 million in 2021 according to the Australian Competition and Consumer Commission (ACCC), and BEC reports have increased at an alarming rate since then. Cyber security firm CyberCX's Digital Forensics and Incident Response (DFIR) team reported a 37% increase in BEC incidents in its 2023 Year in Review report.
Here's why BEC is so dangerous for small businesses in Australia:
Highly Targeted: Scammers prey on the trust-based relationships common in smaller businesses. They might impersonate a supplier, the CEO or even a colleague, and once inside a mailbox they can manipulate invoices and alter mailbox permissions to gain access to financial accounts.
Data Breaches: Unfortunately, data breaches are becoming more common. Hackers can exploit stolen login credentials or infiltrate email accounts to gather intelligence and launch convincing BEC attacks. Attacks aren't always for financial gain; sometimes the aim of a BEC attack is to gain access to confidential information.
Widespread Financial Impact: Even a small loss from a BEC scam can be devastating for a small business. The ACCC reports the average BEC loss is around $11,000, but some businesses have been tricked out of much more. That figure is specific to BEC; across all types of cyber attack, the average small business loss is $46,000 (ASD, 2023).
So, how can you protect your business from BEC scams? Here are some key steps:
Employee Training: Educate your staff on BEC tactics. Teach them to be wary of unsolicited emails, especially those requesting urgent payments or changes to account details.
Multi-Factor Authentication: Implement multi-factor authentication (MFA) on all business accounts. This adds an extra layer of security beyond just a password. Ideally the MFA factors should include an inherence factor, such as a biometric scan, as this adds more security than a password plus a temporary SMS code.
Verification is Key: Be alert to changes to payment methods or instructions. Double-check any request to change payment instructions, especially if it arrives by email. Always call the sender on a verified phone number to confirm the request. Remember that the impersonated email address could belong to the business owner or CEO, which makes it easy for the attacker to win the trust of employees, customers or the supply chain. This can be mitigated with a strict payment policy that all employees know and follow.
Cyber Security Audits: Consider regular cyber security audits to identify vulnerabilities in your systems and processes.
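The training and verification steps above describe the red flags staff should look for: a request to change bank or account details, urgency language, a sender on a lookalike or external domain, a reply-to address that differs from the sender, and a display name that borrows an executive's name. The script below is an added example (it is not from the original article, CyberCX or the ASD) that turns those red flags into a simple triage heuristic a mail gateway or help desk could run before a payment-change request is acted on. The trusted domains, executive names and both sample messages are constructed for the example; the output tells the recipient whether the request must be held for phone verification on a known number.

```python
"""Heuristic triage for BEC-style payment-change emails (added example, constructed data)."""
from email.utils import parseaddr

# Constructed for this example: domains the business treats as its own or as known suppliers,
# and the executives most likely to be impersonated in a "CEO fraud" request.
TRUSTED_DOMAINS = {"example-business.com.au", "known-supplier.com.au"}
EXECUTIVES = {"Jane Smith"}

URGENCY_TERMS = ("urgent", "immediately", "asap", "right away", "before close of business")
PAYMENT_CHANGE_TERMS = ("new bank", "updated bank", "change of bank", "new account",
                        "updated account", "account details", "bsb", "remit to")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot lookalike domains (one or two characters off a trusted one)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header: str) -> str:
    """Return the lower-cased domain part of an address header, or '' if there is none."""
    _, addr = parseaddr(header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(msg: dict) -> dict:
    """Score one message against the BEC red flags and say whether it needs a verification call."""
    reasons = []
    display, _ = parseaddr(msg.get("from", ""))
    domain = sender_domain(msg.get("from", ""))
    text = (msg.get("subject", "") + "\n" + msg.get("body", "")).lower()

    payment_change = [t for t in PAYMENT_CHANGE_TERMS if t in text]
    if payment_change:
        reasons.append("requests a change to payment/account details: " + ", ".join(payment_change))

    urgent = [t for t in URGENCY_TERMS if t in text]
    if urgent and payment_change:
        reasons.append("urgency language combined with a payment request: " + ", ".join(urgent))

    if domain and domain not in TRUSTED_DOMAINS:
        close = [d for d in TRUSTED_DOMAINS if 0 < levenshtein(domain, d) <= 2]
        if close:
            reasons.append(f"sender domain {domain} is a lookalike of {close[0]}")
        else:
            reasons.append(f"sender domain {domain} is external")

    reply_domain = sender_domain(msg.get("reply-to", ""))
    if reply_domain and reply_domain != domain:
        reasons.append(f"reply-to domain {reply_domain} differs from sender domain {domain}")

    if display and domain not in TRUSTED_DOMAINS:
        for name in EXECUTIVES:
            if name.lower() in display.lower():
                reasons.append(f"display name uses executive '{name}' from an untrusted domain")

    # Policy from the article: any payment-change request is confirmed by phone on a verified
    # number, regardless of how convincing the email looks.
    return {"score": len(reasons), "reasons": reasons, "verify_by_phone": bool(payment_change)}


# Constructed sample messages (not real correspondence).
SUSPICIOUS = {
    "from": "Jane Smith <jane.smith@example-busines.com.au>",   # one letter short of the real domain
    "reply-to": "jane.smith@webmail-example.net",
    "subject": "URGENT: updated bank details for supplier payment",
    "body": "Hi, please remit to our new account today, BSB 000-000 (constructed), "
            "before close of business.",
}
LEGIT = {
    "from": "Accounts <accounts@known-supplier.com.au>",
    "subject": "Invoice 1042 attached",
    "body": "Please find attached invoice 1042, due in 30 days. Payment details unchanged.",
}

if __name__ == "__main__":
    for label, m in (("suspicious", SUSPICIOUS), ("legitimate", LEGIT)):
        result = triage(m)
        print(f"{label}: score={result['score']} verify_by_phone={result['verify_by_phone']}")
        for r in result["reasons"]:
            print("  -", r)
```

The heuristic is deliberately conservative: a single external sender is only one point, but a payment-change request always sets verify_by_phone, which mirrors the article's advice that the call on a verified number is the control, not the email's appearance.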
By following these steps and staying vigilant, you can significantly reduce the risk of falling victim to a BEC scam. Remember, if something seems too good to be true, it probably is. Don't hesitate to verify any suspicious requests before taking action.
References:
CyberCX, Digital Forensics & Incident Response 2023 Year in Review
Australian Signals Directorate (ASD), Cyber Threat Report 2022-2023
Microsoft, What is Business Email Compromise (BEC)? https://www.microsoft.com/en-au/security/business/security-101/what-is-business-email-compromise-bec#:~:text=Business%20email%20compromise%20(BEC)%20is%20a%20type%20of%20cybercrime%20where,can%20use%20in%20another%20scam.