Latest News

Business Email Compromise an increasingly common cybercrime tactic today that doesn't rely on technical vulnerabilities at all — it relies on you. Could you be putting your organisation at risk?

Business Email Compromise is a social engineering technique used by cybercriminals in which they pose as a business or member of a business in order to execute fraudulent payments. In order to effectively defend against scams like this, you have to first understand how they are executed. 

How Does Business Email Compromise Work?

In layman’s terms, a cybercriminal will write an email pretending to be from a known contact or organisation (e.g. your bank), and request that a payment be processed – instead of sending the funds to a legitimate source, the payment will go to them.

Business Email Compromise can be carried out a number of ways:

• Phishing: Phishing emails are sent to large numbers of users simultaneously in an attempt to "fish" sensitive information by posing as reputable sources; often with legitimate-looking logos attached.
• Spear Phishing: This is a much more focused form of phishing. The cybercriminal has either studied up on the group or has gleaned data from social media sites to con users.
• Online Research: LinkedIn, Facebook and other venues provide a wealth of information about organisational personnel, as do their company websites. This can include their contact information, connections, friends, ongoing business deals and more.

In some cases, cybercriminals may only spoof an email address, and in others, they’ll directly breach the target’s account. Once a cybercriminal has gained access to a target’s email address, they can begin sending payment requests or simply redirect all invoices to a private folder for their perusal. Whether they’re redirecting incoming or outgoing funds, the end result is still the same — your business loses money. 

Alternatively, cybercriminals can simply intercept an important financial document such as an invoice. They can either change the payment details or inform the recipient that the details have changed, substituting their own bank account for the business’. 

Is Business Email Compromise A Serious Threat?

Let’s look at the facts — Australians lost $128M to Business Email Compromise scams in 2020.

If you’re sceptical of how this type of scam could cause so much damage, consider the average amount you’re sending or receiving via wire transfer or invoice payments. In April 2020, one small business lost $15,482 in an instant when a cybercriminal intercepted a PDF invoice and redirected the funds to their account. 

If just one fraudulent or misplaced email could cost you tens of thousands of dollars, it quickly adds up. That’s why you need to understand how Business Email Compromise works and how to defend against it. 

Who Are Common Targets For Business Email Compromise?

While the CEO is often a target, cybercriminals can do plenty of damage by going after other members of an organisation. There are a number of key, high-value targets that make it worth the cybercriminal's time to go after. 

Whether it's their authority or their access to confidential information, these groups are all at risk for Business Email Compromise:

• Financial Staff Members: While the finance department is especially vulnerable in organisations that regularly engage in large wire transfers, smaller businesses' payroll data is also of high value to cybercriminals. 
• Human Resources: Similar to finance, HR is a key target for the data they store on employees, including birthdates, medical data and more, all of which are of high value to cybercriminals. 
• C-Level Executives: You don't have to be the CEO to be a high-level target. CFOs have access to financial data, CTOs have access to login info, and everyone at this level has the authority to execute wire transfers and make large purchases.
• IT Management: The IT manager and IT personnel with authority over access controls, password management, and email accounts are also high-value targets. 

How Can You Stop Business Email Compromise?

1. Know Your Targets:  By noting the above listed key targets, you can examine the role they play in cyber security, and how their access and authority is being protected:

• Review social/public profiles for job duties/descriptions, hierarchical information, out of office detail, or any other sensitive corporate data.
• Identify any publicly available email addresses and lists of connections.

2. Defend Your Organisation:  Implementing the right range of cyber security solutions can help to protect common points of penetration for cybercriminals:

• Email filtering
• Multi-factor authentication
• Automated password and user ID policy enforcement
• Comprehensive access and password management
• Whitelist or blacklist external traffic
• Patch/update all IT and security systems
• Manage access and permission levels for all employees
• Review existing technical controls and take action to plug any gaps

3. Implement A Robust Security Policy:  You need to dictate how members of the organisation, top to bottom, contribute to your cyber security. Everyone with access to your IT environment should follow these best practices:

• Don’t open attachments or click on links from an unknown source.
• Don’t use USB drives on office computers.
• Follow a Password Management Policy (no reusing passwords, no Post-it Notes on screens as password reminders, etc.).
• Participate in mandatory security training.
• Learn to recognise phishing emails.

4. Plan Ahead To Mitigate Cyber-Risk: You need to develop a comprehensive cyber-incident response plan for your organisation. Make sure to test it regularly, and update it to address any shortfalls. Make sure to implement your plan properly – it won't work if your staff doesn't know about it, and can't participate in it:

• Executive leadership must be well informed about the current level of risk and its potential business impact.
• Management must know the volume of cyber incidents detected each week and of what type.
• Understand what information you need to protect. Identify the corporate "crown jewels," how to protect them and who has access.
• A policy should be established as to thresholds and types of incidents that require reporting to management.
• Best practices and industry standards should be gathered up and used to review the existing cyber security program.
• Consider obtaining comprehensive cyber security insurance that covers various types of data breaches.

5. Test Against Phishing: Share these tips with your employees to ensure they know how to spot a phishing attempt:

• Genetic content: Cybercriminals will send a large batch of emails.  Look for examples like "Dear valued customer."
• “From” Email Address: The first part of the email address may be legitimate, but the last part might be off by a letter or may include a number in the usual domain.
• Urgency: "You've won! Click here to redeem a prize," or "We have your browser history pay now or we are telling your boss."
• Check Links: Mouse over the link and see if the link’s destination matches where the email implies you will be taken.
• Misspellings, Incorrect Grammar, & Odd Phrasing: This might be a deliberate attempt to try and bypass spam filters.
• Don’t Click Attachments: Virus containing attachments might have an intriguing message encouraging you to open them such as “Here is the schedule I promised.”
  
  

Whether You’re An Easy Target Or Not Is Up To You

The bottom line is that everyone in your organisation, top to bottom, is a potential target. Make sure everyone is following cyber security best practices and is protected. 

If you need expert assistance defending against cybercriminals and training your staff to recognise social engineering scams, get in touch with CyberUnlocked.