Today’s blog post discusses Business Email Compromise, commonly referred to as BEC. We look at the definition provided by the Australian Cyber Security Centre (ACSC), discuss the impact of BEC on Australian businesses and set out steps you can take to reduce the risk to your business.
BEC explained
As defined by cyber security professionals at the ACSC, “Business email compromise is when criminals use email to abuse trust in business processes to scam organisations out of money or goods.”
The ACSC notes that criminals use BEC to obtain internal information and divert payments by impersonating business representatives, often from email accounts they have compromised, and gives these common scams linked to BEC:
- Invoice fraud – through access to an internal email account, criminals can replicate information from past invoices, making changes only to bank details, then request payment from unsuspecting customers.
- Employee impersonation – after gaining access to a compromised email account, criminals pretend to be a senior staff member and raise a seemingly legitimate invoice or request for an employee’s bank account details to be changed to their own to access money.
- Company impersonation – criminals register a domain name that looks similar to a well-known company’s existing domain name and submit an order for expensive goods, arranging for delivery prior to payment. The invoice is sent to the legitimate company, which is unaware of the order and delivery and is left to pay the bill.
The impact of BEC
Unfortunately, BEC is a common type of business fraud, and the reality is that you may come across it at some point. The ACSC provides statistics from the 2019-20 period, noting the significant dollar amount lost through these types of scams in Australia alone:
“In 2019-20 financial year there were 4,255 reports of BEC scams reported through the ACSC’s ReportCyber tool, representing losses of over $142 million.”
Protecting your business
This article on Circle ID, a leading platform for Internet developments, features .au registrar and brand services provider CSC, which focuses on two key areas of protection to consider in combating BEC scams:
- Technical protection; and
- Staff training
For technical protection, CSC highlights the importance of using an email authentication protocol such as Domain-based Message Authentication, Reporting and Conformance (DMARC). DMARC builds on SPF and DKIM: a receiving mail server checks that the domain which passed SPF or DKIM matches the domain in the From: header the reader sees, and applies the policy the domain owner has published in DNS. Note that a policy of p=none only reports on failures; spoofed mail is not rejected until the policy is raised to quarantine or reject, and DMARC on your own domain does not help against the look-alike domains used in company impersonation, which carry their own (or no) policy. CSC also suggests that businesses follow a robust monitoring process, for which DMARC’s aggregate reports are a useful input, to gain a better understanding of the wider phishing threat landscape.
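To make the alignment rule concrete, here is an added example (not code from the original post, from CSC or from the ACSC) that models the receiver-side DMARC evaluation described in RFC 7489 and runs it over constructed message metadata. The domains example.com.au, attacker.example and examp1e.com.au, the DNS records and the message results are all hypothetical, and the public-suffix handling is a deliberately tiny stand-in for the real Public Suffix List.

```python
"""Added example, not from the original post: a minimal model of DMARC
evaluation (RFC 7489) run over constructed message metadata, offline.

It shows why DMARC matters for BEC: SPF or DKIM can pass for the criminal's
own sending domain, yet the message still fails DMARC unless that domain
*aligns* with the domain in the visible From: header that staff see. It also
shows the limit: a look-alike domain carries its own (or no) policy, so DMARC
on your domain does nothing against company impersonation from that domain.
All domains, records and messages below are hypothetical.
"""
from dataclasses import dataclass

# Tiny stand-in for the Public Suffix List; real code should use a PSL library.
PUBLIC_SUFFIXES = {"com.au", "net.au", "org.au", "id.au", "com", "net", "org"}

# Constructed DNS zone: the only TXT records this example can "look up".
# examp1e.com.au (hypothetical look-alike registered by the criminal) publishes nothing.
DNS_TXT = {
    "_dmarc.example.com.au": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com.au",
}
# Typical first deployment: monitoring only, nothing is blocked.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@example.com.au"


def parse_dmarc(txt):
    """Parse a DMARC TXT record into a dict of lower-cased tags."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: %r" % txt)
    return tags


def org_domain(domain):
    """Organizational domain: the longest known public suffix plus one label."""
    labels = domain.lower().rstrip(".").split(".")
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """RFC 7489 identifier alignment: 's' exact match, 'r' same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResult:
    """Authentication results a receiver has in hand before applying DMARC."""
    from_domain: str    # domain of the RFC5322.From header (what the reader sees)
    spf_domain: str     # RFC5321.MailFrom domain SPF was checked for ("" if none)
    spf_pass: bool
    dkim_domain: str    # d= of a verified DKIM signature ("" if none)
    dkim_pass: bool


def dmarc_disposition(result, dmarc_txt):
    """Apply a DMARC record to a message: 'pass', or the policy action on failure."""
    policy = parse_dmarc(dmarc_txt)
    spf_ok = result.spf_pass and aligned(result.from_domain, result.spf_domain, policy.get("aspf", "r"))
    dkim_ok = result.dkim_pass and aligned(result.from_domain, result.dkim_domain, policy.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else policy["p"]


def evaluate(result, dns=DNS_TXT):
    """Receiver flow: look up _dmarc.<From domain>, then its organizational domain."""
    for name in ("_dmarc." + result.from_domain.lower(), "_dmarc." + org_domain(result.from_domain)):
        if name in dns:
            return dmarc_disposition(result, dns[name])
    return "no-policy"  # nothing to enforce; the message is delivered as normal


# Constructed messages (hypothetical):
# genuine invoice, DKIM-signed by the From domain's own mail system
LEGIT = AuthResult("example.com.au", "example.com.au", True, "example.com.au", True)
# spoofed From header; criminal's server passes SPF and DKIM for attacker.example only
SPOOF = AuthResult("example.com.au", "attacker.example", True, "attacker.example", True)
# company impersonation from a look-alike domain the criminal registered
LOOKALIKE = AuthResult("examp1e.com.au", "examp1e.com.au", True, "", False)

if __name__ == "__main__":
    print("legit     ->", evaluate(LEGIT))                          # pass
    print("spoof     ->", evaluate(SPOOF))                          # reject
    print("spoof p=none ->", dmarc_disposition(SPOOF, MONITOR_ONLY))  # none
    print("look-alike ->", evaluate(LOOKALIKE))                     # no-policy
```

The spoofed message passes SPF and DKIM, but for the criminal's domain, so it fails alignment and is rejected under p=reject; with the same record at p=none it is delivered and merely reported. The look-alike message never touches example.com.au’s policy at all, which is why look-alike domain monitoring and staff training remain necessary alongside DMARC.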
When it comes to staff training, CSC advises businesses to run regular security awareness training so employees know what to look out for and which process to follow if they encounter a suspicious email, for example verifying any change of bank details through a known phone number rather than by replying to the email. Staff are the key entry point for BEC scams, which means investing in ongoing training and support is crucial.
BEC is a major threat to Australian businesses that can result in a large loss of money and take some time to recover from, which is why we strongly recommend you take action to prevent these types of attacks. For more advice on strategies to keep your business safe, get in touch with CSC to determine the best options. To report a cybercrime, visit the ACSC website.