By

Jenny Dikranian

Content Writer, My Business

Essentially, it’s a form of scam that targets all businesses. The way BEC works is by impersonation. Cybercriminals will use similar names, domains or false logos of genuine businesses or business representatives to impersonate them. They can also compromise email accounts pretending to be a co-worker or a person of power in your business. And it’s all aimed at scamming money or luxury goods from unsuspecting victims.

Business Email Compromise in Australia

The Australian Federal Police urges businesses to take the threat of BEC seriously. In the 12 months to July 2021, the financial implications of BEC were staggering with more than $79 million lost. More than 3,300 incidents of BEC were reported via the Australian Cyber Security Centre’s report portal, with nearly half of those scams resulting in financial loss. Australian businesses and individuals need to understand the threat is real. 

False representation

Fraudulent invoices are a common BEC scam. Scammers gain access to a vendor’s email account and legitimate invoices. They modify contact and bank details and send to unsuspecting customers via the compromised email account. Customers of the genuine business that pay the false invoices are in reality depositing money into the cybercriminal’s account.

Impersonation can also take place in the form of an employee or a business. Employee impersonation is when a cybercriminal compromises a business email account and impersonates a co-worker via email. Quite often the scammer will impersonate a leader such as a CEO or CFO, and the request will be marked as requiring ‘urgent attention’ or being a ‘confidential matter’. Because it genuinely looks to be from a senior manager, the recipient feels pressure to action it immediately. This form of scam leads to financial loss.

Business impersonation is when cybercriminals register a domain with a name similar to that of a well-known and trusted business and then impersonate that business by emailing a vendor. Often the request will be for a quote to acquire expensive or luxury goods. The scammers agree to the purchase on the condition that they can make payment once delivery is received. The goods are delivered to a location the scammers nominate; however, the invoice is issued to the real business the scammers are impersonating.
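As an added illustration (not part of the article), the following Python check flags the two indicators described above, a sender domain that merely resembles a known vendor’s and a request to change bank details, and holds such messages for the verbal verification the case study below calls for. The vendor domain list and the sample message are constructed.

```python
import re
from difflib import SequenceMatcher

# Constructed allow-list of vendor domains the business actually deals with (hypothetical names).
KNOWN_VENDOR_DOMAINS = {"shippingline-example.com", "cargoagent-example.es"}

# Phrases the article associates with BEC: bank detail changes and pressure to act.
BANK_CHANGE_PATTERNS = (r"bank (account )?details", r"new (bank )?account", r"update\w* .{0,30}account")
PRESSURE_PATTERNS = (r"\burgent", r"confidential", r"immediately")


def sender_domain(from_header):
    """Extract the domain part of a From header, lower-cased ('' if none found)."""
    match = re.search(r"@([a-z0-9.-]+)", from_header.lower())
    return match.group(1) if match else ""


def lookalike_vendor(domain, known=KNOWN_VENDOR_DOMAINS, threshold=0.85):
    """Return the known vendor domain that `domain` closely resembles without matching, else None."""
    if domain in known:
        return None
    best = max(known, key=lambda k: SequenceMatcher(None, domain, k).ratio())
    return best if SequenceMatcher(None, domain, best).ratio() >= threshold else None


def assess_email(from_header, subject, body):
    """Flag BEC indicators and decide whether the message must wait for out-of-band verification."""
    text = f"{subject}\n{body}".lower()
    domain = sender_domain(from_header)
    reasons = []
    bank_change = any(re.search(p, text) for p in BANK_CHANGE_PATTERNS)
    if bank_change:
        reasons.append("bank detail change requested")
    mimicked = lookalike_vendor(domain)
    if mimicked:
        reasons.append(f"sender domain {domain} resembles known vendor {mimicked}")
    if any(re.search(p, text) for p in PRESSURE_PATTERNS):
        reasons.append("urgency or confidentiality pressure")
    # Any bank detail change is held for verbal verification, even from a genuine vendor domain,
    # because the genuine account may itself be compromised (as in the invoice scam above).
    return {"hold_for_verification": bank_change or mimicked is not None, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample message modelled on the case study: one character differs from the real domain.
    print(assess_email(
        "Accounts <accounts@shipping1ine-example.com>",
        "URGENT: updated bank account details",
        "Our bank account details have changed. Please update your records before the next payment.",
    ))
```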

How this business was cyber scammed

You wouldn’t think an Australian cargo and logistics operator with more than 30 years in the game and an annual sales turnover of $20 million would be a victim of BEC. Realistically, any business can be targeted. Let’s look at how this unfolded.

  • An email was sent to accounts payable that appeared to be from their shipping line agent based in Spain, requesting bank account details to be updated.
  • The logistics operator sent an email to their shipping line contacts to verify the request. The email was sent to three recipients – two were no longer at the company and the third didn’t feel it was their responsibility to respond and ignored the email.
  • A second email was sent by the scammers five business days after the original email requesting bank details be updated. This email asked for payment and included a copy of what looked like a legitimate statement.
  • The logistics operator paid 15,000 euros.
  • As soon as payment was made the scammers sent another email once again saying bank account details were changing and requested the details be updated. The email also contained an attachment of an updated statement.
  • Alarm bells were raised. Given the 10-hour time difference between Australia and Spain the call was made at 10 pm Australian time to verify the authenticity of the request.
  • The shipping agent confirmed there had been no bank account changes.
  • The logistics operator is attempting to claim the funds paid to the scammers from their agent as they believe duty of care was not exercised. 

A spokesperson said: “If I didn’t experience what had happened, I would not have believed for one second it could actually happen. You simply can’t trust an email. We have learnt the hard way that verification is important. Verification from the true supplier is a must”.

The business has now introduced a policy whereby verbal verification is required for any correspondence relating to new bank account details. 

Train for vigilance

So, what can you do to be vigilant? How can you stay one step ahead of BEC? Giving your employees the tools to be cyber aware is your best defence. Training, ongoing learning and keeping up to date with cyber related topics are essential. And the key take-away here is don’t accept things at face value. Pick up the phone and get verification. 

Jenny Dikranian is a content writer passionate about entrepreneurship and innovation in inspiring business success.