Australia’s competition watchdog has warned SMEs to “urgently” review their security and pay systems after one business reported a $300,000 loss to hackers who impersonated staff members at the business.
The scam, known commonly as ‘business email compromise’ (BEC), involves a hacker or cyber crook gaining access to the business email of someone working at an SME, usually either an executive or a staff member working in payroll.
The hacker usually then tells suppliers and customers the business’ bank details have changed, providing them new offshore account details to pay into, resulting in the business’ payments flowing into that account.
Alternatively, the criminal can use the email account to ask financial staff to pay urgent invoices, again using bank account details that differ from the ones the business usually uses.
The Australian Competition and Consumer Commission’s (ACCC) Scamwatch division has revealed the number of such BEC scams has increased by a third in 2018, with over $2.8 million being siphoned away from Australia’s small and medium businesses.
“This is a very sophisticated scam, which is why many businesses only realise they’ve been caught out once it’s too late,” ACCC deputy chair Delia Rickard said in a statement.
“It’s a scam that targets all kinds of businesses, including charities and local sporting clubs. There is a misconception these scams target just small business, however, the largest number of reports and losses came from medium-sized businesses, including one that lost more than $300,000.”
While BEC scams have been an ever-present threat to businesses across the world, SMEs are often warned about more common scam variants such as phishing attacks or classic virus-centric malware attacks.
However, senior manager at web security business HackLabs Michael McKinnon tells SmartCompany BEC is increasing in prevalence due to both its success and ease of execution.
McKinnon says he’s seen clients who have been defrauded out of six-figure invoices due to BEC attacks, and warns once hackers know a business is an easy target, they’ll keep on trying.
“Once they’ve successfully attacked and gotten money from the business, these crooks will put those businesses on a sort of ‘VIP list’, and continue to attack them even harder,” he says.
“Businesses need to avoid this happening to them at all costs, because once it does they’ll be back again for a second and third payday.”
Reports to Scamwatch show BEC-style scams are responsible for 63% of all business losses reported to the ACCC over the past year, with the average loss amount being $30,000.
For SMEs running on razor-thin margins, a BEC attack can not only mean money down the drain but also a potential end to the business. McKinnon also warns hackers with access to an email account can easily reset passwords for any other accounts using the email, opening the gate for further potential compromise.
Unfortunately for business owners, it’s much harder to protect yourself from BEC compared to other scam variants, as spoof emails can come from anywhere — even external to the business. McKinnon advises business owners to enable two-factor authentication on their accounts wherever they can, along with implementing training regimes for staff around the risks.
“Security awareness training is very important, so talk to all of your staff and warn them to be extra mindful around this type of attack,” he says.
The ACCC advises businesses to consider a “multi-person approval process for transactions over a certain dollar threshold and keep IT security up-to-date with anti-virus and anti-spyware software and a good firewall”.