How to Address Business Email Compromise

February 20, 2024
Business Blogs

Written by Mark Howarth, Founder, PhishNet

Cybercrime is a multi-billion-dollar industry and an ever-present risk to the security of businesses. In a recent report by the Australian Cyber Security Centre, email compromise, business email compromise fraud, and online banking fraud rank among the top three cyber crimes against businesses in Australia. Because of these cyber crimes, SME losses average $46,000-$97,000 annually.

As cyber threats persist, businesses must strengthen their defences against Business Email Compromise.

Businesses Recognising Email Compromise

Recognising email compromise early protects sensitive information and keeps communication channels trustworthy. Indicators of a compromised email account include:

  • Unexpected changes in email settings
  • Unknown emails in the Sent folder
  • Reports of suspicious activity from contacts

If something is amiss, take immediate action to limit the potential damage. Immediate steps include enabling multi-factor authentication and informing relevant personnel. Reporting email compromise incidents can prevent further breaches from similar attacks.
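The first two indicators above (changed mailbox settings and sent mail the owner does not recognise) can be checked mechanically if your mail platform produces an audit log. The script below is an added example, not code from PhishNet or from this article: its log format, action names and "known" IP addresses are all constructed for illustration, and a real deployment would map them onto the audit schema of the mail provider in use.

```python
"""Toy detector for two of the email-compromise indicators listed above:
mailbox setting changes and mail sent from an address the organisation
does not recognise.

The JSON line format, action names and IP addresses below are CONSTRUCTED
for this example and are not the schema of any real mail provider.
"""
import json

# Constructed sample audit log, one JSON object per line (documentation IPs).
SAMPLE_LOG = """\
{"ts": "2024-02-19T08:01:00Z", "user": "alice@example.com", "action": "Login", "ip": "203.0.113.10"}
{"ts": "2024-02-19T08:05:00Z", "user": "alice@example.com", "action": "SendMail", "ip": "203.0.113.10", "to": "bob@example.com"}
{"ts": "2024-02-19T23:40:00Z", "user": "alice@example.com", "action": "Login", "ip": "198.51.100.77"}
{"ts": "2024-02-19T23:41:00Z", "user": "alice@example.com", "action": "SetForwarding", "ip": "198.51.100.77", "target": "external@example.net"}
{"ts": "2024-02-19T23:42:00Z", "user": "alice@example.com", "action": "SendMail", "ip": "198.51.100.77", "to": "finance@example.com"}
{"ts": "2024-02-19T09:00:00Z", "user": "carol@example.com", "action": "SendMail", "ip": "203.0.113.11", "to": "dave@example.com"}
"""

# Assumed action names that alter mailbox settings in the constructed schema.
SETTING_ACTIONS = {"SetForwarding", "NewInboxRule", "DeleteInboxRule", "AddDelegate"}

# Assumption: the organisation's known egress addresses (constructed).
KNOWN_IPS = {"203.0.113.10", "203.0.113.11"}


def parse_log(text):
    """Parse the newline-delimited JSON audit log into a list of events."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(events, known_ips=KNOWN_IPS):
    """Return alerts as (user, indicator, severity, detail) tuples.

    - Any settings change is reported; one made from an unrecognised IP is
      rated high because it matches the 'unexpected changes in email
      settings' indicator in the worst way (e.g. silent forwarding).
    - Mail sent from an unrecognised IP is reported as a proxy for
      'unknown emails in the Sent folder'.
    """
    alerts = []
    for ev in events:
        outside = ev["ip"] not in known_ips
        if ev["action"] in SETTING_ACTIONS:
            severity = "high" if outside else "medium"
            detail = ev["action"] + " from " + ev["ip"]
            if "target" in ev:
                detail += " -> " + ev["target"]
            alerts.append((ev["user"], "settings_change", severity, detail))
        elif ev["action"] == "SendMail" and outside:
            detail = "to " + ev.get("to", "?") + " from " + ev["ip"]
            alerts.append((ev["user"], "unexpected_sent_mail", "high", detail))
    return alerts


def affected_users(alerts):
    """Accounts with at least one high-severity alert: candidates for an
    immediate password reset, MFA enforcement and a forwarding-rule review."""
    return sorted({user for user, _, severity, _ in alerts if severity == "high"})


if __name__ == "__main__":
    found = detect(parse_log(SAMPLE_LOG))
    for alert in found:
        print(alert)
    print("accounts to review:", affected_users(found))
```

Running the script over the constructed log flags only the account whose settings were changed and which sent mail from an unrecognised address; the normal daytime activity produces nothing. In practice the known-address set would be replaced by whatever baseline (locations, devices, or conditional-access signals) the organisation already maintains.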

Because cyber security threats evolve rapidly, employees must be ready to handle email compromise in all its forms. There are many kinds of email compromise, but the most common is Business Email Compromise (BEC).

Understanding Business Email Compromise

Some may call this cybercrime a “man-in-the-email attack.” Instead of employing a tactic to deceive a broad audience, this attack targets an individual. This type of cybercrime involves unauthorised access to a business email account.

A BEC attack hinges on the email account’s ability to appear authoritative or as a trusted external partner. A standard BEC attack tries to convince the target they are performing an authorised business transaction. Anyone can be the target, but it’s most often:

  • Executives and leaders: Information about them is publicly accessible, enabling attackers to feign familiarity with them.
  • HR managers: They hold identifiable information such as tax documents, contact information, and work schedules.
  • Entry-level employees: People who may be unable to verify an email’s legitimacy.

Common BEC Fraud Tactics

BEC fraud usually involves social engineering to gain access to sensitive information. The scam can devastate businesses, leading to financial losses, reputational damage, and legal consequences. In December 2022, an international email “CEO fraud” syndicate targeted a Paris real estate developer, Sefri-Cime. 

The group successfully embezzled €38 million through a single BEC scam using bank accounts in China and Israel. Yet, the scope of these crimes grows every day. Another attack happened from January 2020 to March 2023. 

Authorities say cybercriminals established over 80 bank accounts using stolen identities to move stolen funds out of Australia. In March 2023, AFP apprehended four members of the BEC group. The group conducted over 15 advanced cybercrime attacks.

The group laundered over $1.7 million from BEC attacks. On average, individual losses varied from $2,500 to nearly $500,000.

How to Improve Cyber Security

The impact of BEC attacks forces organisations to consider enhancing cyber security within their ranks. Ideally, these efforts should focus on educating employees about email security best practices. Education involves training them to identify and respond appropriately to potential threats.

Cyber Security Training Importance

Cyber security training for employees educates them about identifying potential risks to reduce security breaches. With the increasing frequency of attacks, a well-trained workforce in cyber security offers numerous advantages:

  • It enhances the overall security posture of an organisation
  • Training informs employees about criminal tactics such as cyber baiting 
  • Training builds a more vigilant and informed workforce

Online cyber security training provides flexibility, allowing employees to upskill without significant disruptions to their daily responsibilities.

Cyber Security Awareness Training

Businesses need cyber security awareness training options tailored to their specific needs. These options include general and industry-specific programs to address their cyber threat situation. When selecting a training program, businesses should prioritise aligning with compliance standards.

Key features to consider in cyber security training programs include:

  • Relevant modules reflecting current cyber threats
  • Cyber behavioural assessments
  • Threat simulations

Organisations that retain sensitive customer records or operate critical infrastructure are primary targets. While every business faces the risk, criminals target healthcare, finance, and education more frequently. 

Final Thoughts

Investing in cyber security training combats business email compromise and arms organisations with powerful strategies. Reducing the devastating effects of data breaches defends an organisation’s reputation and financial status. Moreover, a culture of vigilance and accountability enhances the company’s security posture.

PhishNet trains people to recognise everyday scams and cyber threats through our Cyber Security Awareness Training platform. With clear, measurable results, organisations can meet compliance requirements and proactively reduce the risk of cyber incidents. Talk to us about how awareness training can help protect your people and business.
