AVOIDING BUSINESS EMAIL COMPROMISE SCAMS
from Motor Trade March 2021 NT
by Boylen
The Australian Cyber Security Centre is warning of “a significant increase” in the threat level from business email compromise (BEC) scams.
Over 4,250 BEC scams were reported in 2019-20, amounting to the theft of over $142 million.
“BEC scams occur when a hacker gains access to a business’s email accounts, or ‘spoofs’ a business’s email so their emails appear to come from the company,” according to Scamwatch.
“The hacker then sends emails to customers claiming that the business’s banking details have changed and that future invoices should be paid to a new account. These emails look legitimate as they come from one of a business’s official email accounts. Payments then start to flow into the hacker’s account.
“In other variations of the scam, the hacker will send an email internally to a business’s accounts team, pretending to be the CEO, asking for funds to be urgently transferred to an off-shore account. Hackers can also request salary or rental payments be directed to a new account.”
REAL LIFE EXAMPLES
The ABC highlighted a sting (https://www.abc.net.au/news/2020-11-24/business-email-scam-tradies-computer-hacked-costs-51000/12817584) that cost one construction company $51,000 it believed it was paying to a contractor.
Criminals use a wide range of techniques in their search for a weak link. While these include email, instant message, SMS and social media tactics, they also employ old fashioned methods to supplement the scam.
“Scammers intercept legitimate invoices and change the details to include fraudulent payment information,” ACCC Deputy Chair Mick Keogh said.
“Another technique used by scammers is to impersonate the CEO of a company and request staff transfer funds to them for a variety of reasons, such as to purchase gift cards as a surprise for other staff,” said Mr Keogh.
As an extension of this deception, fake callers to a company’s finance department will sometimes use a recording of a crying baby in the background to add pressure to finance staff who are looking at an email requesting that bank details be changed.
The caller cites the fake email (which they sent, because they have hacked the company’s email accounts). They claim to be a harassed personal assistant working from home with a crying baby and urgently need their boss’ bank account details changed so that he can be paid while he is overseas. (The scammers know the boss is overseas because he has posted it on social media.) The finance staffer takes pity on the caller and breaks security rules. The money is then sent to the criminal’s bank account, which they quickly drain of funds and then close.
Scamwatch (http://www.scamwatch.gov.au/) reports that “billing was the most commonly reported type of scam which includes business email compromise scams”.
SIGNIFICANT INCREASE
Head of the Australian Cyber Security Centre, Ms Abigail Bradshaw, said there has been a significant increase in the use of BEC scams by cybercriminals.
“This type of fraud has been used to hoodwink many Australians and Australian businesses, out of often very large sums of money,” she said.
“This advisory will help you to identify scams, prevent email accounts from being compromised, and prevent damage to your business’s reputation.”
The Protecting Against Business Email Compromise publication, and other cyber security information and advice, is available at cyber.gov.au.
You can report cybercrime at cyber.gov.au through ReportCyber, a single online portal for individuals and businesses that accepts reports on behalf of federal, state and territory law enforcement agencies.
HOW TO PROTECT YOURSELF
• Training staff about correct procedures is a critical defence against scammers. Most cyber hacks and breaches are caused by humans, not technology.
• Always be wary of any change in bank details. Contact the supplier directly using a second, reliable mode of communication such as a known phone number to verify any request to change bank details.
• Consider a multi-person approval process for transactions over a certain dollar threshold with processes in place to ensure the business billing you is the one you normally deal with.
• Prevent your IT systems from being compromised. Keep your IT security up-to-date by regularly patching your systems and running antivirus software, and have a good firewall to protect your data.
The following tips are provided by the FBI (recognising that these scams are often global operations):
• Be careful with what information you share online or on social media. By openly sharing things like pet names, schools you attended, links to family members, and your birthday, you can give a scammer all the information they need to guess your password or answer your security questions.
• Don’t click on anything in an unsolicited email or text message asking you to update or verify account information. Look up the company’s phone number on your own (don’t use the one a potential scammer is providing), and call the company to ask if the request is legitimate.
• Carefully examine the email address, URL, and spelling used in any correspondence. Scammers use slight differences to trick your eye and gain your trust.
• Be careful what you download. Never open an email attachment from someone you don’t know, and be wary of email attachments forwarded to you.
• Set up two-factor (or multi-factor) authentication on any account that allows it, and never disable it.
• Verify payment and purchase requests in person if possible or by calling the person to make sure it is legitimate. You should verify any change in account number or payment procedures with the person making the request.
• Be especially wary if the requestor is pressing you to act quickly.
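The three checks above that most often catch a BEC attempt before money moves (a look-alike sender domain, a request to change bank details, and pressure to act quickly) can be applied mechanically to an inbound email before it reaches the person who would action it. The following Python is an added example, not code from the article or from any of the agencies it quotes; the supplier domains, the sample email and the confusable-character list are all constructed for illustration.

```python
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed allowlist: the supplier domains this business normally deals with.
KNOWN_DOMAINS = {"northsidebuilders.com.au", "acme-plumbing.com.au"}

# Substitutions scammers use to make a domain look like a known one; each is
# folded back to the ASCII it imitates so that look-alikes normalise to the same string.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"),
               ("5", "s"), ("-", ""), (".", "")]

DETAILS = re.compile(r"\b(bank|account|bsb|payment)\s+details?\b", re.I)
CHANGE = re.compile(r"\b(new|updated?|changed?|different)\b", re.I)
URGENCY = re.compile(r"\b(urgent(ly)?|immediately|today|asap|right away)\b", re.I)


def normalize(domain: str) -> str:
    """Lower-case, strip accents and fold common confusables so look-alikes compare equal."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))
    for bad, good in CONFUSABLES:
        d = d.replace(bad, good)
    return d


def domain_lookalike(sender_domain: str, known=KNOWN_DOMAINS):
    """Return the known supplier domain the sender imitates, or None if exact or unrelated."""
    if sender_domain in known:
        return None
    s = normalize(sender_domain)
    for k in known:
        nk = normalize(k)
        if s == nk or SequenceMatcher(None, s, nk).ratio() >= 0.9:
            return k
    return None


def triage(sender: str, body: str) -> list:
    """List the reasons an email must be verified out-of-band before any payment change."""
    reasons = []
    domain = sender.rpartition("@")[2]
    hit = domain_lookalike(domain)
    if hit:
        reasons.append(f"sender domain {domain!r} resembles known supplier {hit!r}")
    if DETAILS.search(body) and CHANGE.search(body):
        reasons.append("requests a change of bank/payment details")
    if URGENCY.search(body):
        reasons.append("pressures the reader to act quickly")
    return reasons


# Constructed sample: a hyphen inserted into a real supplier's domain.
SAMPLE_SENDER = "accounts@northside-builders.com.au"
SAMPLE_BODY = ("Hi, please note our bank account details have changed. "
               "Future invoices must be paid to the new account urgently.")
```

Any non-empty result is a cue to phone the supplier on a number already on file, never one taken from the email itself.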
Visit www.scamwatch.gov.au to learn more about scams and how to protect your business.
Subscribe to Scamwatch radar alerts: https://www.scamwatch.gov.au/news-alerts/subscribe-to-scam-alert-emails
To report cyber crime: https://www.cyber.gov.au/acsc/report