As part of this year’s Scams Awareness Week, MailGuard has partnered with the Australian Competition & Consumer Commission (ACCC) to help shine a spotlight on identity theft and scams. This year’s theme is “Be yourself. Don’t let a scammer be you.”
Today’s key message focuses on staying protected from Business Email Compromise (BEC) scams.
Also known as whaling or CEO Fraud, these attacks typically involve cybercriminals impersonating senior executives with a personalised email and demanding urgent action from an unsuspecting recipient. These actions might include requesting an unapproved financial transfer or asking for valuable confidential information. BEC scams can lead to immensely costly and serious repercussions, including enabling scammers to gain access to valuable data that can aid in committing further instances of identity theft, widening their victim pool.
The Australian Competition & Consumer Commission (ACCC) found in its Targeting Scams report that businesses in Australia lost $132 million to BEC scams in 2019. It was the highest loss accrued across all scam types last year.
Our team at MailGuard intercepts a variety of BEC scams on a regular basis. The cybercriminals behind these scams use sophisticated techniques that allow them to illicitly assume identities, combining social engineering, email spoofing and malware.
For example, some BEC scams include confidential information within the email that is only known to those with authority, like company banking details, registration numbers, specific email addresses, and so on. Hackers obtain this information by expanding the scope of their research to gather data on the company and the individuals involved via the Dark Web or from previous data breaches. Before the first email is sent, the hackers normally conduct thorough reconnaissance to research the company. Often much of the information is available from company websites and social networks like LinkedIn. The scammers are able to find the organisational structure, contact details, locations and role titles of executives and employees, enabling them to steal the identities of professionals, suppliers and businesses to trick users.
Exploiting disruptions triggered by COVID-19
Unfortunately, these scams are exploding amid the volatility of the current climate.
BEC scams exploit the fragile psychological state of many professionals who are dealing with a torrent of challenges triggered by the ongoing COVID-19 pandemic. That might mean navigating changes to work processes while working remotely, or simply not being able to immediately contact or get in touch with their colleagues to verify the legitimacy of any unexpected, urgent requests. It’s not so uncommon for someone in a finance role to receive an email, supposedly from the CEO or other high ranking executive, requesting an unexpected bank transfer, like the below:
Staying protected from BEC scams
Cyber-attacks like these are unique in that they leverage not only technical deficiencies, but also people’s normal behaviours, their psychology and state of mind. To avoid getting tricked, here are a few tips you and your team can follow:
1) First, take your time
- If you receive an unexpected email, check who it was sent by. Examine the sender or reply-to address and check that it hasn’t been sent from a similar, but recently registered, domain such as example.com instead of example.com.au, or c1ick.com instead of click.com. Be alert for strange sentence structures, or phrasing that’s uncommon for the apparent sender.
- Ensure a formal payment or transfer process is well communicated within the entire office. If employees are ever in doubt about transferring funds, phone the apparent sender on a known number. If they’re not available, wait until they are. An enormous transfer is better to arrive later than to be lost without a trace to an overseas cybercriminal.
- Implement scam-proof approval processes for financial transfers, like multi-factor authentication (MFA), that require two employees to sign off on wire transfers.
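The sender and reply-to check described in the first tip can be automated at the mail gateway or in a triage script. The following is an added example written for this post, not MailGuard's product code: it parses a message, classifies the From domain against a constructed allowlist of trusted domains (the allowlist, the confusable-character table and the sample messages are all assumptions made up for the example), and flags the two lookalike patterns the tip names (a different TLD such as example.com for example.com.au, and character substitution such as c1ick.com for click.com) as well as a Reply-To that points somewhere other than the From domain.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed allowlist: the domains this organisation treats as its own (assumption).
TRUSTED_DOMAINS = {"example.com.au", "click.com"}

# Characters commonly swapped in to build a lookalike domain (e.g. c1ick.com for click.com).
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})


def normalise(domain: str) -> str:
    """Lower-case, map digit look-alikes back to letters and fold 'rn' to 'm'."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m")


def base_label(domain: str) -> str:
    """First label of a domain: 'example' for example.com.au."""
    return domain.lower().split(".", 1)[0]


def classify_domain(domain: str) -> str:
    """Return 'trusted', 'lookalike', 'tld-variant' or 'external' for a sender domain."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        if normalise(domain) == normalise(trusted):
            return "lookalike"      # c1ick.com vs click.com, exarnple vs example
        if base_label(domain) == base_label(trusted):
            return "tld-variant"    # example.com vs example.com.au
    return "external"


def check_message(raw: bytes) -> list[str]:
    """Parse a raw RFC 5322 message and return human-readable findings (empty list = no concern)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    _, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_dom = from_addr.rpartition("@")[2]
    reply_dom = reply_addr.rpartition("@")[2]

    verdict = classify_domain(from_dom)
    if verdict != "trusted":
        findings.append(f"From domain {from_dom!r} is {verdict}")
    # A Reply-To on a different domain routes the victim's answer away from the apparent sender.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")
    return findings


# Constructed sample messages (not real traffic).
SAMPLE_LOOKALIKE = b"""From: CEO <ceo@exarnple.com.au>
Reply-To: ceo@mail-relay.example.net
To: finance@example.com.au
Subject: Urgent transfer

Please process the attached wire today, I am in meetings all afternoon.
"""

SAMPLE_OK = b"""From: CEO <ceo@example.com.au>
To: finance@example.com.au
Subject: Q3 figures

Can you send me the Q3 summary when it is ready?
"""

if __name__ == "__main__":
    for label, sample in (("lookalike", SAMPLE_LOOKALIKE), ("ok", SAMPLE_OK)):
        print(label, check_message(sample) or ["no findings"])
```

The classification only gives a triage verdict; a non-trusted From domain or a mismatched Reply-To is the cue to pick up the phone and confirm on a known number, as the tip above says, not proof of fraud on its own.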
2) Educate your staff
- Education is key. Ensure all employees are aware of the formal transfer procedures that are in place and what to do if they ever receive unusual requests.
- Teach staff and employees what fraudulent emails look like. Show them real-life examples of BEC attacks that have occurred in the past and question them on how they would have responded to the scams.
- Executives should also learn to take special care when posting and sharing information relating to work schedules on social media sites.
In addition, the ACCC recommends the following measures to protect your devices & networks:
- Secure your devices by keeping your operating system, software and plug-ins up to date, and install current antivirus software.
- Research first and only buy software from a source you know you can trust.
- Protect your accounts and WiFi network with a secure password.
- Back-up your data regularly and securely. The Australian Cyber Security Centre explains how your business can back up your data.
To avoid becoming a victim of BEC scams, we also advise ensuring your business email security is up to scratch by adopting a strategic, multi-layered approach. It’s sometimes referred to as a ‘defence in depth’ approach, designed to defend a system against attacks using several different methods and solutions, in the event that if one fails, the others will stop the threat.
You may already have native security from your email hosting provider, like Google or Microsoft, but it’s key to remember that no one vendor can stop all attacks. If you are using Microsoft 365 or G Suite, you should also have third-party solutions in place to mitigate your risk. For example, using a specialist third-party cloud email solution like MailGuard to complement Microsoft 365.
We recommend that you report any scam that you see or hear to the relevant authorities. Let this also be a good opportunity to re-evaluate your business’ cyber readiness and take proactive measures to help your teams become more cyber resilient. If you need more support to protect your business from email scams, reach out to us at firstname.lastname@example.org.
As part of Scams Awareness Week, we will be focusing on remote access scams tomorrow. Watch our blog for more updates.
One email is all that it takes
All that it takes to break into your business is a cleverly-worded email message. If scammers can trick one person in your company into clicking on a malicious link they can gain access to your data.
For a few dollars per staff member per month, you can protect your business with MailGuard's predictive and advanced email security.
Talk to a solution consultant at MailGuard today about securing your company's network.