ACSC warns Aussie businesses of tax-time email hacking campaigns

As tax time approaches, the ACSC is encouraging individuals, businesses and organisations to be alert, and aware of business email compromise (BEC) threats. BEC occurs when cyber criminals access email accounts aiming to steal sensitive and financial information or commit fraud by impersonating employees or company email accounts to obtain money or data.

Protective measures can help by:

• preventing your email accounts from being compromised;
• making it harder for a cyber criminal to impersonate you;
• protecting your business from falling victim to email fraud; and
• there are many easy steps and actions you can take now.

Turn on multi-factor authentication

Having multi-factor authentication increases the security on your email account. Multi-factor authentication means there are two checks in place to prove your identity before you can access your account. For example, you may need to supply an authentication code from an app as well as your password. Remember to use a strong passphrase for your email account if you cannot use multi-factor authentication.

Protect your domain names

A domain name is a string of characters – often words – that identifies you or your business to other people using the internet. This is the text that typically comes after the “@” symbol in an email address.

If your domain name expires, it will become available for anyone to purchase. A criminal could purchase your previous domain name and use it to impersonate you or your business by setting up an email address and contacting your customers. Your customers or contacts may recognise your domain name and believe you are still operating that email address, when in fact, they are really corresponding with a cyber criminal.

VIEW ALL

Remember to renew your domain names, even if you don't use these anymore. This will stop your digital identity from falling into the wrong hands. Find out when your domain names expire and set a reminder in your calendar to renew them ahead of their expiry.

Register additional domain names

A common fraud method cyber criminals use is to register a domain name which looks very similar to your business name. At a glance, email addresses made through fraudulent domain names may look similar enough to your own that your contacts may not realise they are not emailing the real you.

Consider registering similar domain names that could be used to confuse your contacts.

Using paypal.com as an example, here are some common lookalike domain name tricks that a cyber criminal might use to try and confuse someone:

• Remove letters – pypal.com
• Add letters – payppal.com
• Add additional words – paypalonline.com
• Use a different domain extension – paypal.net, paypal.au
• Rearrange letters – payapl.com
• Add a hyphen – pay-pal.com
• Add www to the start of the domain name – wwwpaypal.com
• Rearrange parts of the domain name paypal-au.com
• Replace letters with similar characters (e.g. numbers, capital letters or symbols) – paypa1.com, paypaI.com, pàypal.com

Set up email authentication measures

If you have your own business domain which you use for emailing, setting up email authentication protocols on your domain may help to prevent email spoofing attacks. This is where a cyber criminal sends an email pretending it's from your email address, without ever having to hack your email account.

Email spoofing is like sending a letter and forging who it was written by. Anyone can write a return address on an envelope; it doesn’t mean that’s where it’s truly from.

Email spoofing occurs when someone forges the “From:” field of an email to say that it was sent from an email address other than their own.

If someone tries to spoof your email address, setting up email authentication protocols will identify that those emails are not legitimate. These protocols help prevent spoofed emails from making it to their destination – these will normally go either to the recipient’s spam folder or won’t be delivered at all.

Have a discussion with your service provider about adding Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC) records to your domain name. If your DNS hosting is with a separate provider, you will need to contact them also.

Protect your privacy

Cyber criminals can learn a lot about someone by doing a simple Google search. This information helps a cyber criminal appear more credible if they pretend to be you in an email.

Be careful posting information online that identifies:

• where you work;
• what your position is;
• your work email address;
• your personal email address; and
• if your email address can be found on various websites or forums, it may become a target for impersonation.

Visit the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au for more information about how to manage your information online.

Implement policies and procedures

If a staff member receives an email from a customer, colleague, or supplier with an unusual or unexpected request, they should find out if the email is legitimate before actioning on the request.

To ensure this, introduce policies and procedures to address security risks and help keep your business safe.

• Consider introducing an approval process for requests that ask to change payment details or make a large transfer.
• Verify any such requests by calling the sender. Call them on a known and verified phone number (not a phone number from the email, as this could be operated by a cyber criminal).
• Speak with the sender over the phone to verbally confirm the request or change.
• Ensure workers have clear guidance to verify account details and to think critically before actioning unusual requests.
• Have a reporting process to report threatening demands for immediate action, pressure for secrecy or requests to circumvent protective business processes.
• Training and awareness.

The best defence against email scams is training and awareness for your employees, including how to identify scams or phishing attempts.

Ensure your staff knows to always be cautious of emails with the following:

• requests for money, especially if urgent or overdue;
• bank account changes;
• attachments, especially from unknown or suspicious email addresses;
• requests to check or confirm login details;
• unexpected or suspicious links;
• incorporate, update and regularly repeat cyber security training and awareness among your employees to protect your business from cyber criminals; and
• remain vigilant and informed.

While it is one thing to have built up your defences to protect your information, it is best to remain on the lookout for evolving cyber threats and trends which could impact you at any time.

Stay up to date on cyber security threats and trends by becoming an ACSC partner.

[Related: Hackers exploiting 36 ‘significant’ vulnerabilities, CISA warns]