Protecting your business from email-based threats

Early in 2017, the FBI’s Internet Crime Complaint Center stated that “the BEC scam continues to grow, evolve, and target businesses of all sizes. Since January 2015, there has been a 1,300 per cent increase in identified exposed losses, now totalling over $3 billion.”

NAB Chief Information Security Officer Andrew Dell explains, “These scams are prevalent in Australia, however, there are some simple steps a SME can take to prevent being caught out”.

Types of business email compromise

These emails often appear to be from a senior executive, such as a company’s Chief Executive Officer or Chief Financial Officer, and request an urgent funds transfer be made. This false request, also known as ‘CEO Phishing’, is often sent from an email address very similar to the executive’s, but with a small variation to the address which is easy to miss. “These requests are normally sent to a small number of targeted recipients, meaning they are often missed by corporate email spam filters, which look for large volumes of identical messages”, says Dell. These emails can sometimes be sent from the victim’s real email address, if the criminal has obtained the credentials via malicious software or a phishing email.

In another scenario, a business may receive an email invoice from a supplier asking for payment. If the supplier’s email account has been compromised by a criminal, the email may be intercepted and the payment details on the invoice changed. Not realising the account has been compromised, the business sends the payment to the criminal rather than their legitimate supplier. Another variation is a request to cancel a recent payment, and make the payment to a new account.

How does it happen?

“Cyber criminals use company websites and LinkedIn to source organisational information, including employee names and titles, company structures, and job descriptions,” explains Dell. “They then use this information to craft convincing emails requesting payments”.

Setting up an auto-forward rule on your mailbox is another common tactic to make requests seem more legitimate, explains Dell. “If a criminal has your email credentials, they may set up a rule in your mailbox so all your emails are forwarded to their mailbox without your knowledge. This allows criminals to keep tabs on your business activity and spend time learning how you communicate, in terms of tone and types of requests.”

By studying your behaviour, criminals are able to mimic your requests, meaning their fake request won’t seem out of the ordinary. Dell says, “You can prevent this from happening by regularly changing your email passwords, periodically checking that no auto-forward rules are enabled in your mailbox, and using two-factor authentication for email and payments where possible”.

Raise awareness and trust your gut

Raising awareness of these types of scams with your employees is crucial. Many people might think it won’t happen to them, or that they would notice if something were amiss. Dell says, "Criminals rely on a tactic known as 'social engineering,'- they will often convey authority by impersonating someone senior in your business, or create panic by insisting a matter is urgent". But no one knows your colleagues, clients and suppliers better than you - so trust your gut. Dell says, "If an email doesn't sound right, for example, if someone is requesting something out of the blue, pressing you for urgent action, or their tone seems out of the ordinary - question it."

It’s important that your business has processes in place to verify payment requests or changes to payment details. This can be as simple as checking the requester’s email address carefully, and calling them to confirm the request before you action any payments or account detail changes (using contact details you have on file).

It’s especially important to do this if account details change, or if the payment appears out of the ordinary.

Dell continues, “If your business does receive a CEO phishing email or fake invoice, share it around with your colleagues to raise awareness of the issue. It allows employees to see real examples and know what to look out for in the future”.

CASE STUDY

The CEO of a large Australian company had his corporate email account compromised by criminals, who carefully researched the nature of requests normally made by the CEO. They sent a request to the company’s accounts department to transfer a large sum overseas. Shortly after actioning the transfer, the employee realised the request had been strangely written and called the CEO who confirmed he had not requested the transfer. The employee quickly called their banker who prevented the transfer from being processed.

Things to look out for:

• Requests for payment from a regular supplier to a new account

• Requests to transfer funds which bypass normal channels

• Urgent requests, or instructions to keep the transfer confidential/secret

• Emails from a slightly different email address, or emails with a different ‘reply to’ address

• Phrases like “kindly”, “code to admin expenses”, or “urgent wire transfer”

• If the email states the requester is having “phone issues”, and may not be contactable.

Example of a BEC scam email

From: Company CEO <company.ceo@example.com>

Sent: Wednesday, 5 October 2016 1:02 PM

To: Company CFO <company.cfo@example.com>

Subject: Request for 5th October 2016

Hi,

Are you at your desk? I need you to process an international wire transfer for me.

Kindly code it to “admin expenses” by COB today.

Thanks

Sent from my iPhone

Steps to protect your business

• Check any auto-forward rules on your email account –cyber criminals may intercept emails by forwarding them to a separate mailbox.

• Keep anti-virus software up to date on your computer

• Use strong passwords and two-factor authentication where possible (an extra layer of security using an additional authentication method e.g. a code sent by SMS)

• Confirm the transfer request with the requester over the phone, especially if the payment details change or if the request is out of the ordinary

• Be aware of how much information is posted on company websites and LinkedIn

For further information

Managing the threat of a cyber attack is a vital part of running any business in this new digital age. If you are looking for more information about how to protect your business from such threats, visit these sites:

• For easy to understand computer security advice for home use and SME business, visit staysmartonline.gov.au

• To see the latest scams, or to report a scam, visit scamwatch.gov.au

• The Australian Cybercrime Online Reporting Network (ACORN) is a secure reporting and referral service for cybercrime and online incidents that may be in breach of Australian law. Certain reports will be directed to Australian law enforcement and government agencies for further investigation. report.acorn.gov.au

Source : NAB February 2018 

Reproduced with permission of National Australia Bank (‘NAB’). This article was original published at https://www.nab.com.au/business/small-business/

National Australia Bank Limited. ABN 12 004 044 937 AFSL and Australian Credit Licence 230686. Any advice contained in this article has been prepared without taking into account your objectives, financial situation or needs. Before acting on any advice on this website, NAB recommends that you consider whether it is appropriate for your circumstances.

© 2018 National Australia Bank Limited ("NAB"). All rights reserved.

Important:
Any information provided by the author detailed above is separate and external to our business and our Licensee. Neither our business, nor our Licensee take any responsibility for any action or any service provided by the author.

Any links have been provided with permission for information purposes only and will take you to external websites, which are not connected to our company in any way. Note: Our company does not endorse and is not responsible for the accuracy of the contents/information contained within the linked site(s) accessible from this page. "