Business email compromise is a form of email security compromise that aims to scam organisations out of money or goods. To clarify, criminals use email to abuse the trust built into business processes in order to carry out their scam. These types of scams are on the rise in Australia, as we are seeing in the real estate industry.
Firstly, criminals can impersonate business representatives using similar names, domains and/or fraudulent logos as a legitimate organisation.
Secondly, they use compromised email accounts and pretend to be a trusted co-worker.
The scams generally connected with business email compromise include:
- Invoice fraud: Criminals compromise an email account, such as one belonging to a vendor's accounts department, which has access to legitimate invoices. The criminals then edit the bank details on an invoice and send it to customers from the compromised email account. The customer unwittingly pays the invoice into the criminal's bank account, mistakenly thinking they are paying the vendor.
- Employee impersonation: Criminals impersonate a co-worker whose email account they have managed to compromise. They can use this identity to commit fraud in several ways. Firstly, by impersonating a Chief Executive Officer or Chief Financial Officer, for example, they can raise a fake invoice. Secondly, they can request a change to a staff member's banking details, so that the staff member's salary is paid into the criminals' bank account instead of the real one.
- Company impersonation: By registering a domain name that is very similar to that of a large, trusted organisation, criminals can impersonate that company. Often only one letter or character in the domain name is different. Criminals then request a quote for a quantity of expensive goods, such as laptops, while impersonating the trusted organisation, all the while trying to negotiate receipt of the goods prior to payment. As a result, the goods are delivered to the criminals' specified location, but the invoice goes to the legitimate business.
How do I prevent my email accounts from being compromised?
Be vigilant against phishing
Phishing scams appear as if they are sent from trusted individuals or organisations. Because criminals can impersonate individuals and organisations convincingly, they are able to steal credentials using phishing techniques and then do even more harm: they use those compromised credentials to log in and send malicious or fraudulent emails to your contact list.
Not limited to just email, phishing scams are delivered via instant messaging, SMS, and social media, and often pretend to be trusted organisations such as:
- Police or law enforcement, either State or Territory
- Service providers such as telecommunications and postal services
- Utilities like the power and gas companies
- Financial institutions such as banks, superannuation, mortgage brokers
- Australian Taxation Office, Centrelink and Medicare, or government services such as myGov.
Keep in mind that a reputable organisation, including companies such as Amazon, PayPal, Google, Apple and Facebook, will not call, SMS or email you to verify or update your information.
To keep yourself and others safe, there are several simple things you can do when you receive unsolicited contact from an organisation:
- Check the spelling of the sender's domain name and compare it against previous correspondence to double-check.
- Use the spam and message scanning services offered by your email, SMS or social media providers to filter out potentially harmful content.
- Think critically and be vigilant when receiving phone calls, messages and emails.
- Exercise caution when opening messages or attachments, or clicking on links, from unknown senders.
- Do not provide personal information (for example, your usernames, PINs, passwords, passphrases or secret/security questions and answers) to unknown sources.
Some organisations have a security page outlining all the currently active scams that abuse their branding. If a message seems suspicious, visit that security page. Better still, contact the organisation via the contact details displayed on their official website: call and ask whether they sent the email.
For more information on phishing, you can visit the Australian Cyber Security Centre (ACSC)'s Detecting Socially Engineered Messages publication.
Use multi-factor authentication and strong passphrases
Better than the best password, multi-factor authentication (also known as 2FA) is one of the most effective ways to prevent unauthorised access to computers, applications and online services. It authenticates staff credentials when they access business email and systems, adding an extra security layer and making it much harder for criminals to access your systems. To clarify, it is possible for criminals to steal one type of credential, but near impossible to steal the correct combination of credentials for any given account.
Multi-factor authentication can use a combination of:
- something the user knows (a passphrase, PIN or an answer to a secret question)
- something the user physically possesses (such as a smartcard, physical token or security key)
- something the user inherently possesses (such as a fingerprint or retina pattern).
For more information on multi-factor authentication, such as using Google Authenticator, see the ACSC's Implementing Multi-Factor Authentication publication.
Finally, implement a strong passphrase policy within your organisation and ask staff to use a biometric, PIN or passphrase to lock their devices.
Have protective business processes in place
Establish a clear and consistent business process that staff members must follow to verify and validate requests for payment and other sensitive information. Departments such as accounts, finance or human resources are the most likely to be targeted by scams, so keep their staff contact details out of public view to avoid making them an easier target.
Conduct staff training to ensure staff know the warning signs:
- any change of bank details
- an urgent payment request or threats of serious consequences if payment isn’t made
- a request for an unexpected payment from someone in a position of authority
- an email address that doesn’t look quite right, such as the domain name not exactly matching the supplier’s company name.
Ensure staff are trained and have a clear understanding of how to:
- verify account details
- think critically before actioning unusual requests
- use the reporting process to report threatening demands for immediate action, pressure for secrecy, or requests to circumvent protective business processes.
Help prevent your business's reputation from being used in scams
By compromising your systems, criminals can gain access to a legitimate email account, so it is imperative to develop and maintain good security controls. The ACSC offers a guide to implementing security controls called the Essential Eight Maturity Model. It is a very useful guide, particularly for the computers used by your senior executive team or by departments such as finance and human resources.
Secondly, if you are concerned about criminals scamming others by using a domain that looks like yours, consider registering extra domains: for example, domains where letters such as 'l' and 'o' in your organisation's name are replaced with digits such as '1' and '0'.
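The two defensive checks above (comparing a sender's domain against known supplier domains, and enumerating the lookalike domains of your own name that are worth registering or monitoring) can be scripted. The following is an added example, not code from the ACSC or this page; the trusted domains and the sample senders are constructed for illustration, and the homoglyph table is an assumption about which substitutions to cover:

```python
"""Defensive lookalike-domain helper (added example, not from the ACSC page).
Generates variants of an organisation's own domain that a criminal could register
and flags sender domains that resemble a trusted domain without matching it."""
import itertools
from difflib import SequenceMatcher
from typing import List, Optional, Set

# Substitutions a defender should expect in lookalike registrations (assumed table).
HOMOGLYPHS = {"l": "1", "o": "0", "i": "l", "rn": "m", "m": "rn"}
# Constructed trusted domains (your own plus suppliers); not real organisations.
TRUSTED_DOMAINS = ["example-realty.com.au", "acme-supplies.com"]

def lookalike_variants(domain: str) -> Set[str]:
    """Domains reachable from `domain` by homoglyph substitutions (each rule replaces
    every occurrence; rules combine) or by swapping two adjacent characters."""
    label, _, suffix = domain.lower().partition(".")
    variants = set()
    for n in range(1, len(HOMOGLYPHS) + 1):
        for combo in itertools.combinations(HOMOGLYPHS.items(), n):
            candidate = label
            for src, dst in combo:
                candidate = candidate.replace(src, dst)
            if candidate != label:
                variants.add(f"{candidate}.{suffix}")
    for i in range(len(label) - 1):
        if label[i] != label[i + 1]:
            swapped = label[:i] + label[i + 1] + label[i] + label[i + 2:]
            variants.add(f"{swapped}.{suffix}")
    return variants

def lookalike_of(sender_domain: str, trusted: List[str] = TRUSTED_DOMAINS) -> Optional[str]:
    """Return the trusted domain that `sender_domain` imitates, or None when the
    sender is that domain itself (or one of its subdomains) or is unrelated."""
    sender = sender_domain.lower().rstrip(".")
    for t in trusted:
        t = t.lower()
        if sender == t or sender.endswith("." + t):
            return None  # genuine domain or a subdomain of it
    for t in trusted:
        if sender in lookalike_variants(t):
            return t
        # Catch single-character insertions/deletions the generator does not enumerate.
        if SequenceMatcher(None, sender, t.lower()).ratio() >= 0.9:
            return t
    return None
```

The variant set is what you would feed to a registrar or a domain-monitoring service; the `lookalike_of` check is what a mail-filtering rule or an accounts-payable checklist would apply to the sender of any invoice or bank-detail change.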
Thirdly, you can search certificate transparency logs for domains masquerading as your business. Commercial entities also provide this type of service.
In addition, if you manage your own email server and domain, implement email verification such as Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting and Conformance (DMARC). SPF specifies the mail servers that are authorised to send email on behalf of an organisation's domain, and DMARC tells receiving servers how to treat mail that fails that check. In other words, these controls are designed to detect fake emails. To find out more about implementing SPF and DMARC, see the ACSC's How to Combat Fake Emails publication.
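A weak SPF or DMARC record gives little protection: a `~all` or `+all` SPF qualifier does not hard-fail spoofed mail, and a DMARC policy of `p=none` only monitors. The checker below is an added example (not ACSC code) that audits record strings for those weak settings and shows a weak record beside a strict one; the sample records and the `example.com` addresses are constructed:

```python
"""Audit SPF and DMARC TXT records for weak settings (added example, not ACSC code).
Records are passed in as strings so this runs offline; samples are constructed."""
from typing import Dict, List
def parse_dmarc(record: str) -> Dict[str, str]:
    tags = {}  # 'v=DMARC1; p=reject; rua=mailto:...' -> {'v': 'DMARC1', 'p': 'reject', ...}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_spf(record: str) -> List[str]:
    """Return weaknesses found; an empty list means unlisted senders hard-fail."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    findings = []
    all_terms = [t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted servers get a neutral result")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("'+all' lets any server send mail as this domain")
        elif qualifier == "?":
            findings.append("'?all' treats unlisted servers as neutral, not as spoofers")
        elif qualifier == "~":
            findings.append("'~all' only soft-fails spoofed mail; use '-all' once SPF is verified")
    return findings

def audit_dmarc(record: str) -> List[str]:
    """Return weaknesses found; an empty list means the policy is enforcing."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("missing or invalid p= tag; receivers fall back to p=none or ignore the record")
    if "rua" not in tags:
        findings.append("no rua= address: you will not receive aggregate reports of spoofing attempts")
    return findings
# Constructed records: a weak pair beside a strict pair.
WEAK_SPF = "v=spf1 include:_spf.example.com ~all"
STRICT_SPF = "v=spf1 include:_spf.example.com -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRICT_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"
```

Run the audit on the TXT records of your own domain and `_dmarc.<your domain>` (fetched with `dig TXT`, which the block deliberately does not do so that it runs offline); move from `~all` to `-all` and from `p=none` to `p=quarantine` or `p=reject` only after the aggregate reports confirm all legitimate senders are listed.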
How do I recover from business email compromise?
Take the following steps as soon as possible if you have been the victim of business email compromise:
- contact your bank immediately, if you’ve sent money or banking details to a scammer
- report the incident via ReportCyber
- if your account has been compromised, change the password for the affected email account(s), notify anyone who could be affected, and place a warning notice on your website informing people of the scam, to protect your stakeholders.