Craig McDonald 07 June 2018 14:23:59 AEST 10 MIN READ

How hard/easy is it to defraud your company?

You have your solicitor look over contracts before they’re signed.
Your accountant examines your books to find any irregularities.
There are checks and balances in place to monitor purchases, invoicing, payroll and transactions of every kind.
You’re confident that your company’s financial integrity is well protected, but what about the online realm?


Online fraud is growing fast

BEC (Business Email Compromise) fraud is now one of the most harmful corporate fraud categories identified by the FBI. The FBI only began tracking BEC cybercrime statistics in 2013 but during that time they have seen the category grow explosively.
The FBI’s Internet Crime Complaint Center (IC3) reports that “BEC scams continue to grow, evolve, and target businesses of all sizes.

Since January 2015, there has been a 1300% increase in identified exposed losses, now totalling over $3 billion.” The FBI’s projections for the cost of cybercrime in 2018 put the expected damage bill at more than US$12 billion. Consider for a moment that the FBI’s stats are just for the United States and it’s clear that we are looking at a very big problem.


Committing fraud online is simple

From the point of view of the cybersecurity industry it’s readily apparent that there are two key reasons that cybercrime is growing so fast:

  1. this is a relatively new problem that most companies are still coming to grips with, and
  2. online fraud is a relatively easy and low-risk crime.

The main characteristic a cybercriminal needs is a disregard for morality. The days when cybercriminals needed high-level technical skills are long gone. Any motivated crook with an internet connection can get into the fraud racket with very little skill required. They can buy and download easy-to-use scam kits from retail style websites on the dark web that make committing online fraud almost as simple as publishing an email newsletter.

The WEF’s 2018 Global Risks Report shows that cyber-attacks reported by businesses almost doubled in the five years to 2017: from 68 attacks per business to 130 per business.

Now, contrast those figures with this one, from a February 2018 Inc article: 70% of US companies aren’t yet adequately prepared for cyber-attacks.

With scams being easier than ever to run and companies still being relatively unprepared to counteract them, it’s no wonder the fraud numbers are skyrocketing.


Fraud targets people

Stealing from businesses is the objective for online fraudsters, but their techniques target people inside those organisations.

Typical BEC fraud is a relatively simple crime.

Criminals will do a bit of basic research on a company through social media and Google searches, looking for the names and contact details of the company’s staff and management. Once they have a list of potential victims, the fraudsters send them phishing emails designed to obtain their account login details.

Phishing works because the criminals running the scams use recognisable brand names to hide their true intentions.

Here’s a good example of a phishing email that MailGuard recently intercepted. This one is trying to mislead victims into giving up their email passwords by impersonating a OneDrive notification.


The email tells intended victims that there is a “document received via ȪneḎrive” and they should click on a link titled “review document.”

The link takes the victim to a well-crafted phishing page that looks like a legitimate login portal with graphical branding. The victim is asked to submit their Microsoft login credentials which are then collected by the scammers.
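The lookalike spelling quoted above (“ȪneḎrive”) is the kind of thing an inbound mail filter can catch. The following is an added example, not MailGuard’s code or any part of the original post: it folds accented lookalike letters back to plain ASCII and flags a brand name that only matches after folding. The brand list and sample subject lines are constructed for illustration.

```python
import unicodedata

# Brand names the post describes being impersonated (constructed list).
BRANDS = ("onedrive", "microsoft", "xero")

# Constructed sample subject lines. The first reproduces the lookalike
# spelling quoted in the post; the others are made up for contrast.
SAMPLE_SUBJECTS = [
    "Document received via ȪneḎrive",
    "Your Xero invoice INV-0001 is ready",
    "Team lunch on Friday",
]


def fold_lookalikes(text: str) -> str:
    """Strip diacritics so decorated letters collapse to their base letter.

    NFKD splits 'Ȫ' into 'O' plus combining marks; dropping the marks
    leaves 'O'. Caveat: this only handles Latin letters with diacritics.
    Cross-script lookalikes such as Cyrillic 'о' need a confusables table,
    which is not shown here.
    """
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def find_brand_spoofs(text: str) -> list[dict]:
    """Report brand names that match only after folding.

    A brand that matches the raw text is an ordinary mention. A brand that
    matches only the folded text was written with lookalike glyphs, which
    is the trick used in the quoted OneDrive lure.
    """
    hits = []
    for token in text.split():
        folded = fold_lookalikes(token).lower()
        for brand in BRANDS:
            if brand in folded and brand not in token.lower():
                hits.append({"brand": brand, "as_written": token})
    return hits


def classify_subject(subject: str) -> str:
    """Label a subject line for a filter rule: 'spoof' or 'clean'."""
    return "spoof" if find_brand_spoofs(subject) else "clean"


if __name__ == "__main__":
    for subject in SAMPLE_SUBJECTS:
        print(f"{classify_subject(subject):5}  {subject}  {find_brand_spoofs(subject)}")
```

The same fold can be applied to display names and link text before comparing them against a list of brands your staff are likely to trust.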



Above is another recent example of a phishing scam that used Xero branding to try and trick victims.

The scam message informs the recipient that they have received a large payment, AU$145.008.31, on the Xero system and they can view their payment by signing in with their Microsoft or Xero login credentials.

If the intended victim clicks on the link in the email they are taken to a fake Microsoft branded login page, shown in the screenshot below:


Once they have a victim’s login details criminals can use that information to access their company email account and search through their inbox for contact lists, financial data, transaction records - everything they need to defraud the organisation.


Inside out

Online fraudsters will leverage the authority of managers inside the company to achieve their ends. If they can use a hijacked email account to impersonate someone inside the company, it’s relatively easy to persuade others to do their work for them.

A simple email from the financial controller to a bank contact could lead to the theft of large sums of money.

A message from the CEO’s EA to the accounts department could allow the fraudster to divert funds intended for a legitimate payee to their own bank account.

The request may be as innocuous as providing new account details for one of the company’s creditors.

These are the kind of uncomplicated but brutally effective BEC fraud and phishing techniques criminals are using to steal from companies, and they keep getting away with it because there are so many companies making it easy for them.


Don’t make it easy for scammers

In the past I’ve written about several breathtakingly simple but incredibly lucrative frauds that resulted in companies losing millions (if you’re curious, take a look at this article), and the element they all have in common is that the scammers infiltrated their victims’ businesses by using email as bait.

  • Email is so ubiquitous - everyone uses it almost every day - and people can become very complacent about what they click on.
  • The tools that cybercriminals use are cheap and easily accessible.
  • Because they attack companies through the companies’ own email infrastructure, they go after those with weak defences.

Defending a business from BEC fraud means implementing multiple layers of protection:

  1. endpoint antivirus software
  2. cloud-based email filtering
  3. raising staff awareness about security

Criminals are hoping to get access to companies’ valuable data through deception, so we need to build protective strategies that educate individuals about the potential threats as well as placing defensive boundaries around them.

Cybercrime is booming, not because the criminals behind it are brilliant strategists or dedicated technicians; it’s booming because companies aren’t protecting themselves well enough yet.

Every business recognises the need for watertight legal documents and good accounting practices, but the adoption of robust cybersecurity is lagging well behind the scale of the problem.

If we want to keep our businesses safe from online fraud we need to make it hard for the crooks so they’ll give up and look for other ways to make an easy dollar.


Cybersecurity action

The explosive growth of BEC fraud requires a multi-layered approach to security that includes virus scanning software, staff training and email filtering.

There’s never been a better time to take on the challenge of breach-proofing your company. The old saying goes ‘prevention is better than cure’ and that’s certainly the case with cybersecurity.

If you would like to learn more about the complex cybersecurity challenges facing business today, please download my e-book Surviving the Rise of Cybercrime. It’s a plain English, non-technical guide, explaining the most common threats and providing essential advice on managing risk.


“Cybercrime is a serious and growing business risk. Building an effective cybersecurity culture within an organisation requires directors and executives to lead by example. Surviving the Rise of Cybercrime is a must-read for directors and executives across business and in government and provides strong foundations for leaders determined to address cyber risk.”
- Rob Sloan, Cybersecurity Research Director, Wall Street Journal.

Hi, I’m Craig McDonald; MailGuard CEO, founder of GlobalGuard and cybersecurity author.

Follow me on social media to keep up with the latest developments in cybersecurity and Blockchain; I'm active on LinkedIn and Twitter.

I’d really value your input and comments so please join the conversation.