In the past year, Business Email Compromise (BEC) was one of the top three cyber crimes businesses reported to the Australian Cyber Security Centre. The reported attacks cost almost $84 million in total, an average of $55,000 per incident.
It’s clear that BEC is a top concern for businesses in today’s threat landscape. With consequences that include financial loss, disrupted operations, reputational damage, and data theft, it’s critical that you can spot it in your inbox.
Today our tech experts will be helping you to understand what it is, what you should look for, and how you can support better cyber resilience against this scam.
What is Business Email Compromise?
BEC is a form of spear phishing, and it can have long-term consequences for companies of all sizes. It involves cyber criminals impersonating trusted individuals over email and tricking unsuspecting recipients into sending money or sharing sensitive information. It could involve gaining access to a company’s email account and sending emails directly, or using an email address that’s almost identical to a trusted one (known as domain spoofing). For the latter, the difference could be just a single letter that you don’t pick up at first glance.
What Does Business Email Compromise Look Like?
Over the years BEC attacks have become more sophisticated. Being aware of what this threat looks like is critical, so here are some of the tactics you should look out for.
Impersonation
Cyber criminals often impersonate the boss, CEO, CFO, or staff involved in the financial side of running the business. You should keep an eye out for requests that seem out of the blue, or emails sent from the wrong address that could indicate something’s not right.
Social Engineering
Social engineering is another common tactic, which helps cyber criminals manipulate recipients and prompt action before they’ve had time to think it through. It involves playing on people’s emotions, like fear or excitement, alongside a sense of urgency.
Targeting New Employees
Cyber criminals also target newer employees with BEC scams. They’ve been with the company for less time, so they’re less aware of the usual workings and procedures. It’s important to ensure new staff are aware of normal processes, so they can identify when communication is out of the ordinary.
Requests for Sensitive Data
Scams could also focus on data theft, targeting HR or finance staff to request and steal sensitive information. Cyber criminals use this data to carry out future attacks.
Fake Invoices
BEC attacks can also employ fake invoices to trick people into making payments. The criminals pretend to be vendors that work with your business, creating invoices that look identical to the real ones but carry altered account details. This can go the other way as well, with cyber criminals compromising your business’s email account to conduct the scam and send fake invoices to your clients and customers.
How to Spot This Scam and Protect Your Business
Keep an eye out for:
- Emails from unfamiliar addresses
- Emails claiming to be from the company’s CEO demanding unusual actions
- Language and phrasing that’s out of character for the sender
- Invoices that have been sent from unusual email addresses, or that suddenly use different account details
If in doubt, check the email address. If you’re still not sure, contact the person directly through a channel you already trust to verify their request. It’s also important to implement Cyber Awareness Training (like our CAT Training) so your team is aware of this threat and can spot it, and to put clear processes in place for payments and changes to account details.
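One way to turn that checklist into automated triage, as an added example that is not from the article or its authors: the script below scans constructed sample messages for the look-alike sender domain, the boss’s name on a message from another mailbox, urgency wording, and bank details that differ from what is on file. The company domain, the executive list, and the vendor account on file are assumed reference data for a fictional company.

```python
import re
from email.utils import parseaddr

# Constructed reference data for a fictional company (assumptions, not from the article).
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}          # display name -> real mailbox
VENDOR_ACCOUNTS = {"billing@vendor-supplies.com": "062-000 12345678"}  # vendor -> BSB/account on file
KNOWN_DOMAINS = {ORG_DOMAIN} | {v.split("@")[1] for v in VENDOR_ACCOUNTS}
ACCOUNT_RE = re.compile(r"BSB\s*(\d{3}-\d{3})\D+(?:account|acc)\D*(\d{6,9})", re.I)
URGENCY_RE = re.compile(r"\b(urgent(?:ly)?|immediately|asap|right away)\b", re.I)

def edit_distance(a, b):
    # Levenshtein distance: a look-alike domain is one or two edits from a trusted one.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_indicators(msg):
    # Return the red flags found in one message (a dict with from/subject/body keys).
    flags = []
    name, addr = parseaddr(msg["from"])
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    # Look-alike domain: close to a trusted domain but not actually one of them.
    if domain not in KNOWN_DOMAINS and any(edit_distance(domain, d) <= 2 for d in KNOWN_DOMAINS):
        flags.append("lookalike-domain")
    # Executive impersonation: the boss's display name on a message from another mailbox.
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr != real:
        flags.append("executive-name-mismatch")
    # Pressure to act before the request can be checked.
    if URGENCY_RE.search(msg["subject"] + " " + msg["body"]):
        flags.append("urgency-language")
    # Bank details in the body that do not match any vendor account on file.
    m = ACCOUNT_RE.search(msg["body"])
    if m and " ".join(m.groups()) not in VENDOR_ACCOUNTS.values():
        flags.append("unrecognised-bank-details")
    return flags

# Constructed sample messages: CEO impersonation, look-alike vendor invoice, legitimate mail.
SAMPLES = [
    {"from": "Jane Doe <jane.doe@gmail.com>", "subject": "Urgent wire transfer",
     "body": "I need this paid immediately, I am in meetings all day."},
    {"from": "billing@vendor-suplies.com", "subject": "Invoice 1042",
     "body": "Please note our new BSB 732-000 account 99887766 for all future invoices."},
    {"from": "Jane Doe <jane.doe@example.com>", "subject": "Agenda for Monday", "body": "See attached."},
]
```

Calling `bec_indicators(sample)` for each entry in `SAMPLES` flags the first two messages and returns an empty list for the genuine one; in practice the reference data would come from your directory and accounts-payable records.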
How Our Team Can Help
Safeguarding your business against the risks of BEC is essential, and we’re here to help. Our easy-to-follow Cyber Awareness Training reduces human error, and we can also support you with robust Email Security services to proactively stop malicious emails from reaching your team. If you’re interested in securing your business, contact us at connect@evernimble.com and we can get started.