Businesses may have become savvy to the standard phishing scam that impersonates the tax office or a government regulator, but new figures released by the Australian Criminal Intelligence Commission have revealed a craftier type of attack is on the rise in Australia.
Known as “Business Email Compromise” (BEC), this type of fraudulent email is highly engineered and researched by the attackers, who pretend to be high profile or trusted individuals within organisations in order to trick bill payers into wiring vast amounts of money straight to the attacker’s bank account.
These attacks have been popular in the US for some time, known colloquially as “CEO scams” because of the regularity with which they impersonate chief executives. The Federal Bureau of Investigation in the US estimated these attacks cost businesses more than $2.8 billion globally between 2014 and 2016.
The Australian Criminal Intelligence Commission’s (ACIC) recent report into organised crime revealed 749 cases of BEC scams were reported in 2015-16 in Australia, with 243 cases emerging in just the first quarter of 2016-17.
“BEC can take many forms but most commonly involves impersonating a high-level employee in order to change invoice details or request immediate funds transfers. BEC requires few technical skills; most effort is spent on social engineering and research on targets,” ACIC said in the report.
Australia and New Zealand managing director of cybersecurity firm Proofpoint, Tim Bentley, tells SmartCompany BEC scams can be many times more devastating than typical phishing attacks, because the monetary amounts secured by scammers tend to be much higher.
“These scams will usually come in a clever guise thanks to a lot of background information collected by the attacker, usually via LinkedIn. They could pretend to be an existing supplier, or a trusted person with authority in the organisation,” Bentley says.
While the world has been rocked in recent months by high profile ransomware attacks such as WannaCry and Petya, Bentley says the monetary amount gained by BEC attackers “dwarfs any other type of cyber attack”.
“Something like a credit card scam or a ransomware attack might mean $10,000, or a couple of bitcoins,” he says.
“BEC attacks mean huge sums which can undermine a smaller company and significantly rock a larger one. The attackers go for as much as they can, and even tech savvy companies such as Facebook and Google have been taken for more than $100 million over the last two years.”
The FBI estimated last year that companies were losing approximately $160,000 on average to BEC scams, while Bentley says sums of around $20-50,000 are more common among the Australian SMEs he has seen affected.
Businesses looking to protect themselves from this type of email compromise scam are left high and dry by typical solutions such as antivirus software and email spam filters. Bentley suggests business owners should make a concerted effort to educate staff instead.
“I would take anyone who can pay a bill and put them through some basic training on this. It’s very easy to pretend to be someone else over email,” he says.
“If they’re in any doubt, they should make a phone call or get a second opinion from someone else in the office. Make sure they call via a trusted and saved phone number, not through a number provided on the email address.”
“Also don’t list your employees on LinkedIn as being in accounts payable, just say they’re in finance, otherwise you’ll make it easy for criminals.”
If a business does find itself having accidentally wired money to a cyber criminal, Bentley says it is important to act quickly in order to stop the money before the transfer completes. However, an incoming real-time payments overhaul in October could leave businesses with no time to act, and Bentley believes the change will make Australia a heavier target for cyber criminals.
“These changes will make us even more attractive to BEC cyber criminals, and we’re already one of the most trusting nations on earth.”
“We’re going to see this increase, the ACIC numbers are just the tip of the iceberg.”