Business owners need to watch out for a sophisticated email scam that has cost some businesses more than $300,000.
SMEs with little security knowledge are being urged to review the security around their email and payroll systems, as hackers gain control of email accounts and impersonate payroll staff and company directors.
The scam is known as a ‘business email compromise’ (BEC). A cyber criminal gains access to a legitimate business email account, usually belonging to a senior staff member or to an employee working in payroll or accounts payable.
The cyber criminal uses the email account to contact your clients and tell them that your bank account details have changed. Your customers' deposits then go into the wrong account, which is promptly emptied. Your customers believe they have paid you, and you have little chance of recovering the funds. The other tactic is for staff to receive messages that appear to come from senior staff, asking them to make payments to existing or new suppliers.
Because the email account is compromised, the cyber criminal can sit on any replies that come back asking for clarification, answer them as if they were the staff member, and then delete the email trail so the owner of the compromised account is none the wiser.
So we always recommend phoning the staff member and getting clarification by voice. Fraudsters will often add a line such as "I am busy, so just email me or text me" (the text route is no safer if the mobile is also compromised). Don't listen to this. Your boss will be far angrier that you lost $10K than that you interrupted them for clarification.
According to the Australian Competition and Consumer Commission’s (ACCC) Scamwatch division, the number of BEC scams reported increased by more than 30% in 2018. Surprisingly, only $2.8 million has been stolen by this method, which is far less than I would have expected.
“This is a very sophisticated scam, which is why many businesses only realise they’ve been caught out once it’s too late,” ACCC deputy chair Delia Rickard said in a statement.
“It’s a scam that targets all kinds of businesses, including charities and local sporting clubs. There is a misconception these scams target just small business, however, the largest number of reports and losses came from medium-sized businesses, including one that lost more than $300,000.”
While BEC scams have been an ever-present threat to businesses across the world, SMEs are more often warned about the common scam variants, such as phishing attacks or classic virus-centric malware attacks.
However, Michael McKinnon, senior manager at web security business HackLabs, tells SmartCompany that BEC is increasing in prevalence because of both its success rate and its ease of execution.
McKinnon says he’s seen clients defrauded of six-figure invoice amounts through BEC attacks, and warns that once hackers know a business is an easy target, they’ll keep on trying.
“Once they’ve successfully attacked and gotten money from the business, these crooks will put those businesses on a sort of ‘VIP list’, and continue to attack them even harder,” he says.
“Businesses need to avoid this happening to them at all costs, because once it does they’ll be back again for a second and third payday.”
Reports to Scamwatch show BEC-style scams are responsible for 63% of all business losses reported to the ACCC over the past year, with the average loss being $30,000.
For SMEs running on razor-thin margins, a BEC attack can mean not only money down the drain but also a potential end to the business. McKinnon also warns that hackers with access to an email account can easily reset the passwords of any other accounts registered to that email address, opening the gate to further compromise.
Unfortunately for business owners, it’s much harder to protect yourself from BEC compared to other scam variants, as spoof emails can come from anywhere — even external to the business. McKinnon advises business owners to enable two-factor authentication on their accounts wherever they can, along with implementing training regimes for staff around the risks.
“Security awareness training is very important, so talk to all of your staff and warn them to be extra mindful around this type of attack,” he says.
The ACCC advises businesses consider a “multi-person approval process for transactions over a certain dollar threshold and keep IT security up-to-date with anti-virus and anti-spyware software and a good firewall”.