The Australian Cyber Security Centre (ACSC) has released a new publication – Protecting Against Business Email Compromise – to help Australians defend against these deceptive and expensive scams.
Business email compromise is when criminals use email to abuse trust in business processes to scam organisations out of money or goods. Criminals can impersonate business representatives using similar names, domains and/or fraudulent logos as a legitimate organisation or by using compromised email accounts and pretending to be a trusted co-worker.
Head of the Australian Cyber Security Centre, Abigail Bradshaw, CSC, said there has been a significant increase in the use of business email compromise (BEC) scams by cyber criminals: "This type of fraud has been used to hoodwink many Australians and Australian businesses out of often very large sums of money."
Common scams associated with business email compromise include:
- Invoice fraud: Criminals compromise a vendor's email account and, through it, gain access to legitimate invoices. The criminals edit the contact and bank details on those invoices and send them to customers from the compromised email account. The customer pays the invoice, believing they are paying the vendor, but instead sends the money to the criminals' bank accounts.
- Employee impersonation: Criminals compromise a work email account and impersonate a co-worker via email. Criminals can use this identity to commit fraud in a number of ways. One common method is to impersonate a person in power (such as a chief executive officer or chief financial officer) and have a false invoice raised. Another is to request a change to a worker's banking details. The funds from the false invoice, or the worker's salary, are then sent to the criminals' bank accounts.
- Company impersonation: Criminals register a domain with a name very similar to that of a large, known and trusted organisation. Criminals then impersonate the organisation in an email to a vendor and request a quote for a quantity of expensive goods, such as laptops. Criminals negotiate for the goods to be delivered before payment. The goods are delivered to the location the criminals specified; the invoice, however, is sent to the legitimate organisation, which never ordered or received the goods.
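The common thread in the company-impersonation scam, and in the "similar names, domains" impersonation described earlier, is a sending domain that looks like a trusted one but is not. The following is an added example (not code from the ACSC publication) of the kind of check a mail gateway or an accounts-payable workflow can run on the From: header before a quote or invoice is acted on. The trusted-domain list and the sample headers are constructed for illustration; the homoglyph table and the edit-distance threshold are assumptions a deployment would tune.

```python
"""Flag look-alike sender domains, the trick behind company-impersonation BEC.

Added example, not from the ACSC publication. TRUSTED_DOMAINS and the sample
From: headers below are constructed for illustration.
"""
from email.utils import parseaddr

# Constructed: domains this organisation legitimately receives invoices and quotes from.
TRUSTED_DOMAINS = ["example.com", "example-supplies.com.au"]

# Visually similar substitutions used when registering look-alike domains (assumed table).
# Multi-character swaps must run before single-character ones.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d"),
              ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t"), ("8", "b")]

# Labels that carry no brand meaning and must not trigger a match on their own.
GENERIC_LABELS = {"com", "net", "org", "au", "co", "www", "mail"}


def normalise(domain: str) -> str:
    """Lower-case the domain and undo common homoglyph substitutions."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand_labels(domain: str) -> set:
    """Labels of a domain that identify the brand, e.g. {'example', 'supplies'}."""
    labels = normalise(domain).replace("-", ".").split(".")
    return {label for label in labels if label not in GENERIC_LABELS and len(label) > 3}


def sender_domain(from_header: str) -> str:
    """Domain of the address in a From: header. The display name is ignored
    because criminals set it to whatever name they are impersonating."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the sending domain."""
    domain = sender_domain(from_header)
    if not domain:
        return "unknown"
    if domain in trusted:
        return "trusted"
    norm = normalise(domain)
    for t in trusted:
        tn = normalise(t)
        # Homoglyph-only differences normalise to an exact match; small edit
        # distances catch examp1e.co, exarnple.com and similar registrations.
        if norm == tn or levenshtein(norm, tn) <= max_distance:
            return "lookalike"
        # A trusted brand label reused inside an unrelated domain, e.g.
        # example.com.evil-host.net or accounts-example.com.
        if brand_labels(t) & brand_labels(domain):
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample From: headers.
    for hdr in ["Accounts <accounts@example.com>",
                "CEO <ceo@exarnple.com>",
                "Sales <sales@example.com.evil-host.net>",
                "Billing <billing@unrelated.org>"]:
        print(f"{classify_sender(hdr):9}  {hdr}")
```

A "lookalike" verdict is a reason to hold the message for review, not proof of fraud, and "trusted" only means the domain matches: it does nothing against the invoice-fraud and employee-impersonation cases above, where the mail really does come from a compromised legitimate account. Those need the out-of-band verification of bank-detail changes that the publication recommends.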
"In the 2019-20 financial year there were 4,255 reports of BEC scams reported through the ACSC's ReportCyber tool, representing losses of over $142 million. This advisory will help you to identify scams, prevent email accounts from being compromised, and prevent damage to your business reputation," Bradshaw explained.
The Protecting Against Business Email Compromise publication, along with other easy-to-follow cyber security information and advice, is available at cyber.gov.au. Cyber crime can be reported through ReportCyber at www.cyber.gov.au, a single online portal for individuals and businesses that accepts reports on behalf of federal, state and territory law enforcement agencies.
If you have been the victim of business email compromise, follow these steps as soon as possible:
- If you've sent money or banking details to a scammer, contact your bank immediately;
- Report the incident via ReportCyber; and
- If any of your email accounts have been compromised, change your password for your email account(s), notify anyone affected, and protect your stakeholders with a warning notice on your website informing people of the scam.
The Australian government Information Security Manual (ISM) assists in the protection of information that is processed, stored or communicated by organisations’ systems. The Strategies to Mitigate Cyber Security Incidents complements the advice in the ISM.