Scamwatch is warning businesses that hackers are targeting business email in a series of sophisticated scams.
Scamwatch is calling on businesses to urgently review how they verify and pay accounts and invoices as reports of business email compromise (BEC) scams to Scamwatch have grown by a third this year.
Business Email Compromise (BEC) is a type of scam targeting companies that conduct wire transfers and have suppliers abroad. Corporate or publicly available email accounts of executives or senior employees in finance, or otherwise involved in wire transfer payments, are either spoofed or compromised through keyloggers or phishing attacks and then used to make fraudulent transfers, resulting in hundreds of thousands of dollars in losses.
“This is a very sophisticated scam, which is why many businesses only realise they’ve been caught out once it’s too late,” ACCC Deputy Chair Delia Rickard said.
BEC scams occur when a hacker gains access to a business’s email accounts, or ‘spoofs’ a business’s email so that messages appear to come from the company. The hacker then sends emails to customers claiming that the business’s banking details have changed and that future invoices should be paid to a new account. These emails look legitimate because they appear to come from one of the business’s official email accounts. Payments then start to flow into the hacker’s account.
Formerly dubbed Man-in-the-Email scams, BEC attacks rely heavily on social engineering to trick unsuspecting employees and executives. Attackers often impersonate the CEO or another executive authorised to approve wire transfers, and they carefully research and closely monitor their potential victims and their organisations beforehand.
Sample email messages seen in these scams often have subjects containing words such as request, payment, transfer and urgent. Based on FBI scam alerts, there are five types of BEC scams:
1. The Bogus Invoice Scheme – Companies with foreign suppliers are often targeted with this tactic, in which attackers pretend to be the supplier and request that payments be transferred to an account owned by the fraudsters.
2. CEO Fraud – Attackers pose as the company CEO or another executive and email employees in finance, requesting that they transfer money to an account the attackers control.
3. Account Compromise – An executive’s or employee’s email account is hacked and used to request invoice payments from vendors listed in their email contacts. Payments are then sent to fraudulent bank accounts.
4. Attorney Impersonation – Attackers pretend to be a lawyer or someone from a law firm supposedly in charge of crucial and confidential matters. Such bogus requests are normally made by email or phone, and at the end of the business day.
5. Data Theft – Employees in HR and bookkeeping roles are targeted to obtain personally identifiable information (PII) or tax statements of employees and executives. Such data can be used in future attacks.
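The mechanism described above (an email claiming the supplier's banking details have changed, often from a spoofed or compromised mailbox and with urgency wording in the subject) is exactly the point at which a payment-verification control should intervene. The following is an added example, not code from the article or from Scamwatch, showing how an accounts-payable team could screen such requests against a vendor master record and force an out-of-band callback to the phone number already on file. The vendor record, sender addresses, account numbers and phone number are all constructed for the example; the account-number pattern is a simplified, assumed format.

```python
import re
from dataclasses import dataclass

# Constructed vendor master record for the example. The callback number is
# held on file and is never taken from the incoming email.
VENDOR_MASTER = {
    "acme-supplies": {
        "email_domain": "acme-supplies.example",
        "bank_account": "BSB 000-000 ACC 11111111",
        "callback_phone": "+61 2 0000 0000",
    },
}

# Subject keywords the article lists as common in BEC lures.
LURE_WORDS = ("request", "payment", "transfer", "urgent")

# Assumed, simplified pattern for account details quoted in an email body.
ACCOUNT_RE = re.compile(r"BSB\s*(\d{3}-?\d{3})\s*ACC(?:OUNT)?\s*(\d{6,10})", re.I)


@dataclass
class PaymentChangeRequest:
    vendor_id: str
    from_addr: str
    reply_to: str   # empty string when the header is absent
    subject: str
    body: str


def email_domain(addr: str) -> str:
    """Return the lower-cased domain part of an address."""
    return addr.rsplit("@", 1)[-1].strip().lower()


def extract_account(body: str):
    """Return account details from the body in canonical form, or None."""
    m = ACCOUNT_RE.search(body)
    if not m:
        return None
    bsb = m.group(1).replace("-", "")
    return f"BSB {bsb[:3]}-{bsb[3:]} ACC {m.group(2)}"


def assess(req: PaymentChangeRequest) -> dict:
    """Screen a request against the vendor on file and decide whether to hold payment."""
    vendor = VENDOR_MASTER[req.vendor_id]
    flags = []

    sender_mismatch = email_domain(req.from_addr) != vendor["email_domain"]
    if sender_mismatch:
        flags.append("sender domain differs from vendor on file")

    reply_mismatch = bool(req.reply_to) and email_domain(req.reply_to) != email_domain(req.from_addr)
    if reply_mismatch:
        flags.append("reply-to domain differs from sender domain")

    if any(word in req.subject.lower() for word in LURE_WORDS):
        flags.append("lure keyword in subject")  # informational only

    new_account = extract_account(req.body)
    account_changed = new_account is not None and new_account != vendor["bank_account"]
    if account_changed:
        flags.append("requested account differs from vendor master record")

    # A changed account always holds payment, even when the sender looks
    # genuine: a legitimate domain may be a compromised mailbox (the
    # article's "Account Compromise" case).
    hold = account_changed or sender_mismatch or reply_mismatch
    return {
        "flags": flags,
        "hold_payment": hold,
        "verify_via": vendor["callback_phone"] if hold else None,
    }


# Constructed sample messages: a compromised legitimate mailbox, a lookalike
# domain with urgency wording, and a benign invoice restating the known account.
SAMPLES = [
    PaymentChangeRequest("acme-supplies", "accounts@acme-supplies.example", "",
                         "Updated remittance details",
                         "Please pay all future invoices to BSB 123-456 ACC 98765432."),
    PaymentChangeRequest("acme-supplies", "accounts@acme-supp1ies.example",
                         "accounts@acme-supp1ies.example",
                         "URGENT payment transfer request",
                         "Our bank has changed. New details: BSB 123456 ACCOUNT 98765432"),
    PaymentChangeRequest("acme-supplies", "accounts@acme-supplies.example", "",
                         "Invoice 1042",
                         "Remit to BSB 000-000 ACC 11111111 as usual."),
]


def run_samples() -> list:
    """Assess every constructed sample and return the results in order."""
    return [assess(req) for req in SAMPLES]


if __name__ == "__main__":
    for req, result in zip(SAMPLES, run_samples()):
        print(f"{req.subject!r}: hold={result['hold_payment']} flags={result['flags']}")
```

The design point is that the decision to hold never depends on the email looking wrong: a request that passes every header check but changes the account still goes to a callback on the number held in the master record, because the compromised-mailbox case produces a perfectly authentic-looking message.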
Scamwatch has even received reports of the hackers intercepting house deposits that have been sent to conveyancers, real estate agents or law firms.
“It’s a scam that targets all kinds of businesses, including charities and local sporting clubs. There is a misconception these scams target just small business, however the largest amount of reports and losses came from medium sized businesses, including one that lost more than $300,000,” Ms Rickard added.
Businesses have reported losses to these scams totalling $2.8 million to Scamwatch in 2018. However, this represents only a fraction of total losses to this variety of scam across Australia. BEC scams cause businesses significant financial harm, accounting for 63 per cent of all business losses reported to Scamwatch. The average loss is nearly $30,000.
Founder of Cryptoloc Technology, Jamie Wilson, said “effective management procedures can go a long way towards preventing scams, so all businesses should firstly be aware these scams exist and that their staff know about them too. Businesses should look to invest in an encrypted platform such as Your Digital File or integrate API Secure2client to ensure the secure sharing of information to third parties. Organisations who are still using unsecured email to send personalised or sensitive data are putting their customers and their business at risk.”
“Taking the normal steps to prevent an attack is important, but at the end of the day cyber attacks are getting smarter. So organisations need to encrypt data at rest and in transit to ensure that, no matter when or how they are hacked, the information is secured.”
“Ensuring that all third-party communications via email are done securely and, most importantly, that any banking instructions are encrypted,” added Mr Wilson.
Businesses affected by BEC scams should contact their financial institution immediately and consider professional IT advice to ensure their email systems and data are secure from hackers.
Businesses can subscribe to @scamwatch_gov on Twitter and Scamwatch radar alerts to keep up to date with the latest scams affecting the business community.
To find out more about Secure2Client, the API available on AWS Marketplace, see: http://aws.amazon.com/marketplace/pp/B07JW7ZCLW
For individuals and small businesses see www.yourdigitalfile.com