Business Email Compromise (BEC) scams are a serious problem for Australian businesses.
In the year 2023/24, Australian businesses lost AUD $84 million to these attacks, with an average loss of $55,000 per business. That’s a big jump from the $39,000 average of the year before.
This makes BEC scams one of the top three self-reported cybercrime types for Australian businesses. In fact, it represents 33% of all incidents, 13% of which result in financial loss.
All this leaves us with a few questions to tackle. What exactly are BEC scams? How do they work, and what steps can you take to protect your business from these attacks? In this post, we’ll answer all three.
How do BEC scams work?
Business Email Compromise (BEC) is also sometimes known as Email Account Compromise (EAC).
It’s a type of cyberattack where criminals send emails that are designed to look professional and from a legitimate source, making a request that seems to be valid and trustworthy.
Let’s take a look at a few scenarios:
- Criminals pose as a vendor or customer requesting payment for an outstanding invoice or asking to direct future payments to a new (fraudulent) bank account. This is what happened when Quanta Computer stole more than USD 100 million from Facebook and Google.
- Scammers make an urgent request, impersonating a supervisor or CEO. They might ask for a wire transfer to a fake account or the purchase of something like gift cards. This type of scam usually relies on a strong sense of urgency, or when the impersonated person is known to be out of office.
- Attackers contact Human Resources or finance staff to steal Personally Identifiable Information (PII) or other sensitive data like W-2 forms, customer databases, intellectual property, or corporate financials. They then use this data for identity theft or to set up future crimes.
- Scammers pose as the purchasing departments of a known, established vendor, and negotiate large purchases (on credit) for things like computer hardware or construction materials. The company ships the order, but the payment never arrives.
How to reduce your risk of BEC attacks
Defending your people and assets from BEC attacks involves a multi-pronged approach. There’s no quick fix here, but here are the main steps you’ll want to take.
- Implement Multi-Factor Authentication across all your accounts, especially email and critical systems. Find and disable legacy authentication (basic auth) for protocols like IMAP, POP3, and SMTP, since those sign-ins don't enforce MFA and can be used to bypass it.
- Train your teams to recognise BEC scams and take the right steps to avoid them. Generic, annual training isn’t enough here; you’ll need to set up training that’s personalised to specific employee roles and vulnerabilities, visibly supported by senior leadership, and reinforced every few months.
- Make sure your email authentication is strong. This means correctly configuring SPF, DKIM, and DMARC records and enforcing the DMARC policy so that only legitimate senders can use your domain.
- Have incident response plans in place, and make sure everyone on your teams knows their specific role. Test your plans via drills and simulations on a regular basis, and involve everyone.
- Stay informed by looking at resources from the ACSC and other reputable sources. BEC (and other cyber threats) change fast, so you need to stay up to date on how tactics and methods evolve.
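A quick way to see what "configured and enforced" means for the SPF and DMARC records mentioned above: the checker below flags the settings that still leave a domain spoofable. This is an added example, not Aryon's code; the records are constructed strings (domain names are placeholders) rather than live DNS lookups, so it runs offline.

```python
"""Flag SPF and DMARC TXT records that do not actually enforce.

Constructed example records; example.com / example.net are placeholders.
"""

WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@example.com"
WEAK_SPF = "v=spf1 include:_spf.example.net +all"
STRONG_SPF = "v=spf1 include:_spf.example.net -all"


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=none; rua=...' into a lower-cased tag/value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(record: str) -> list[str]:
    """Return weaknesses in a DMARC record; an empty list means it enforces."""
    t = parse_dmarc(record)
    if t.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = t.get("p", "none").lower()
    if policy != "reject":                      # p=none only monitors, p=quarantine only spam-folders
        findings.append(f"p={policy}: spoofed mail is not rejected (want p=reject)")
    if "sp" in t and t["sp"].lower() != "reject":
        findings.append(f"sp={t['sp']}: subdomains are held to a weaker policy")
    pct = t.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:        # policy is sampled, so some spoofed mail is let through
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in t:                          # without reports you cannot see who is spoofing you
        findings.append("no rua=: aggregate reports will never arrive")
    return findings


def spf_findings(record: str) -> list[str]:
    """Return weaknesses in an SPF record, judged by its final 'all' mechanism."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    alls = [x for x in terms[1:] if x.lower().lstrip("+-~?") == "all"]
    if not alls:
        return ["no 'all' mechanism: unlisted senders get a neutral result"]
    qualifier = alls[-1][0] if alls[-1][0] in "+-~?" else "+"   # bare 'all' means '+all'
    if qualifier == "+":
        return ["+all: every sender on the internet passes SPF for this domain"]
    if qualifier == "?":
        return ["?all: unlisted senders are neutral rather than failed"]
    return []                                   # -all (fail) or ~all (softfail) both work with DMARC
```

Running `dmarc_findings(WEAK_DMARC)` reports the monitoring-only policy, the 50% sampling and the missing report address, while the STRONG records return no findings.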
At Aryon, we can help you prepare for and protect yourself from BEC scams. These attacks change constantly, and keeping up can feel like a full-time job. Let the experts take care of your defences while you focus on running your business.
Get in touch with us to learn more.