How to Avoid Business Email Compromise (BEC) Scams

May 14, 2020
Reading Time: 4 minutes
Written by Phillip Salakas

Australia has seen a rise in business email scams recently. These are known as Business Email Compromise Scams (BEC). Find out here how to avoid them.

What is a Business Email Compromise scam?  

Business email compromise (BEC) scams are becoming more common in Australia, so you must be able to identify how cyber criminals use them to target your business.

A business email compromise is a type of online scam. It occurs when cyber criminals impersonate a business representative to trick you, a business owner, employee, vendor or customer into transferring money or sensitive information.  

The cyber criminals aim to impersonate a trusted contact by using a fake email address or domain that is almost identical to the trusted contact's. This address usually imitates a creditor or vendor you would normally do business with. The email sent by the cybercriminal could be a request for you to send updated bank details for their records, or to pay an urgent invoice.

Here are some official examples of the different types of known BEC scam, as listed on the Australian Cyber Security Centre (ACSC) website.

Executive fraud

The cybercriminal successfully spoofs an executive's email address and then sends a message to staff in your business directing them to transfer funds to the scammer's account.

Legal impersonation

The cybercriminal masquerades as a lawyer or legal firm representative requesting payment for an urgent and sensitive matter. 

Invoice fraud 

The cybercriminal masquerades as a trusted supplier and sends a fake invoice to your business. In these scams, the cybercriminal often has control of the supplier’s email account and can access legitimate invoices. The cybercriminal changes these invoices to include new bank account details and then sends the invoices to customers from the supplier’s email account. 

Data theft

Instead of requesting funds, a cybercriminal may masquerade as a trusted person to request sensitive information.

Because these scams don't use malicious links or attachments, they can get past anti-virus programs and spam filters, so it is important that your staff can identify them.


How do I prevent a business email compromise scam? 

Keep in mind, there are some simple techniques you and your staff can employ to keep your business safe.  

Educate your staff 

Teaching your staff to spot the warning signs of a BEC scam is vital. Consider putting the following list up around the office to familiarise your staff with the warning signs:

  • Unexpected emails. For example, invoices from suppliers you haven't dealt with before, or known suppliers invoicing larger amounts than normal. Contacting the supplier via a trusted phone line to check whether they are aware of the invoice is a good safeguard here.
  • Emails asking for urgent payments to be made immediately. They will usually threaten serious consequences if payment isn't made. In this situation staff should contact their superiors to review the payment request.
  • The email was sent by someone in a position of authority, particularly someone who wouldn't normally send payment requests. If it appears to come from a trusted person at work, contacting that person directly to confirm they made the request is the smartest option.
  • The email address doesn't look official. For example, the domain name doesn't exactly match the supplier's company name. Double-check it against previous correspondence and contact the supplier via a phone number on their website.
  • The supplier has provided new bank account details. Always contact the supplier to check whether the change is legitimate. Suppliers do sometimes change bank account details, but calling them to ask is a simple protection measure and the most effective one.
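One way to automate the "doesn't exactly match" check from the list above, as an added example that is not part of the original article: compare the sender's domain against the supplier domains seen in previous, verified correspondence and flag near-misses. The supplier domains, sample addresses and the 0.85 similarity threshold are constructed for illustration.

```python
# Added example, not from the original article: flag sender domains that
# almost, but not exactly, match a supplier domain seen in earlier,
# verified correspondence. All domains and addresses here are constructed.
import difflib

# Constructed list of supplier domains confirmed in previous correspondence.
TRUSTED_SUPPLIER_DOMAINS = {"acme-supplies.example", "northbank.example"}

# Digits that are commonly swapped in for the letters they resemble.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Constructed threshold: 0.85 flags one or two altered characters in a
# typical domain length without matching unrelated domains.
LOOKALIKE_THRESHOLD = 0.85


def sender_domain(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].strip().lower().rstrip(".")


def normalise(domain: str) -> str:
    """Collapse cosmetic differences (digit look-alikes, hyphens)."""
    return domain.translate(HOMOGLYPHS).replace("-", "")


def classify_sender(address: str, trusted=TRUSTED_SUPPLIER_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the sender's domain.

    'trusted' requires an exact match with a known domain. 'lookalike'
    is the BEC warning sign: close to a known domain but not identical.
    """
    domain = sender_domain(address)
    if domain in trusted:
        return "trusted"
    for known in trusted:
        # Same domain once digit look-alikes and hyphens are removed.
        if normalise(domain) == normalise(known):
            return "lookalike"
        # Added, dropped or swapped characters (e.g. 'suppiies' for 'supplies').
        ratio = difflib.SequenceMatcher(None, domain, known).ratio()
        if ratio >= LOOKALIKE_THRESHOLD:
            return "lookalike"
    return "unknown"
```

A "lookalike" result is the cue to verify the invoice by phone, as the list above advises; a fuzzy match alone is not proof of fraud.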

Putting in place a process for invoice and payment approval is also a good idea. While it may slow productivity, being on the safe side can save you from a BEC scam. This could include having another set of eyes approve invoices, or giving staff a point of contact for when they spot these warning signs.

Be careful with your information  

Inform all staff that their work email address should not be given to other websites. This is one way a scammer can obtain an address to target, or use it as a tool for BEC content. Workers in the finance department should be particularly careful about entering their email credentials on third-party sites.

Use two-factor authentication

Scammers will sometimes try to access your email account so they can use it for a BEC scam. Having two-factor authentication in place can prevent scammers from using your email for BEC content. Two-factor authentication protects your identity by making sure it's you accessing your account, and it also alerts you when someone else is trying to access your account from another device.

Further recommendations from the ACSC 

Implement Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting and Conformance (DMARC). These standards let a receiving mail server check whether a message that claims to come from a domain was actually authorised by that domain's owner: publishing them makes your own domain harder to spoof, and checking them on inbound mail helps you identify when you have received BEC content. If you manage your own mail server, raise this with your IT team to make sure these safeguards are in place.
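As an added example that is not part of the article or of ACSC guidance, the check below reads SPF and DMARC records as plain text and flags the settings that leave a domain easy to spoof (a softfail or missing `all` in SPF, `p=none`, a partial `pct`, or no `rua` reporting address in DMARC). The sample records and the domain names in them are constructed; in practice the strings come from the domain's DNS TXT records.

```python
# Added example, not from the article or the ACSC: parse SPF and DMARC TXT
# records as text and flag weak settings. Sample records are constructed.

# Constructed records: a weak pair and a hardened pair for the same domain.
WEAK_SPF = "v=spf1 include:_spf.mail.example ~all"
STRONG_SPF = "v=spf1 include:_spf.mail.example -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=100"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@yourdomain.example"


def spf_findings(record):
    """Return weaknesses in an SPF record (RFC 7208 syntax); [] if none."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    if "+all" in terms or "all" in terms:
        findings.append("'+all': any host may send as this domain")
    elif "~all" in terms:
        findings.append("'~all' softfail: forged mail is tagged, not rejected; prefer '-all'")
    elif "-all" not in terms:
        findings.append("no '-all': unlisted hosts are not failed (neutral or '?all')")
    return findings


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(record):
    """Return weaknesses in a DMARC record (RFC 7489 syntax); [] if none."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: failing mail is only reported, never blocked")
    elif policy not in ("quarantine", "reject"):
        findings.append("missing or invalid 'p' tag")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applied to only part of failing mail")
    if "rua" not in tags:
        findings.append("no 'rua': aggregate reports that reveal spoofing are not collected")
    return findings
```

Publishing SPF and DMARC protects your own domain from being spoofed; it does not catch invoice fraud sent from a supplier's genuinely compromised mailbox, which is why the phone-call checks above still matter.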

The ACSC has published guidelines and security controls for preventing malicious attacks on your business's network, particularly for finance, human resources and senior executive teams. If you've been the victim of a BEC scam, make sure to report it to the Australian Cybercrime Online Reporting Network.
