Business Email Compromise Scams: Why They're Rising

This article explains why business email compromise scams rose during the pandemic, how fraudsters exploit remote working and weak internal controls, and why small businesses are especially exposed. It also shows why a proper response needs more than an IT fix, including a forensic investigation, a fraud risk review, and employee education.

Summary

This article explains why business email compromise scams increased during the pandemic, how scammers use social engineering and weak controls, and why businesses need both IT support and a thorough forensic response.

Why BEC scams are rising

The pandemic has accelerated the digitisation of Australian businesses as organisations move their entire staff to remote working, say goodbye to paper printouts, and embrace video conferencing tools. With the increasing reliance on working remotely and utilising digital technologies comes a greater risk of businesses being exposed to cyber fraud.

Australians lost $77 million to scams in the first six months of 2020 alone as fraudsters took advantage of COVID-19, businesses lacking in proper IT security, social isolation and millions of employees working from home. This is up $19 million compared with the same period in 2019.

As the pandemic continues to change our day-to-day lives, Core Integrity has seen organisations of all sizes, across a wide range of industries, experience increased rates of both internal and external fraud. In one instance, we even saw an Australian organisation experience at least one false billing scam attempt per week on a shared finance email account.

Small businesses are especially at risk as they often have inadequate cyber and information security protocols, low to no internal controls, no segregation of finance function duties, and a lack of employee training and awareness. According to CSO Australia, small businesses lost 42% more to business email compromise (BEC) scams in the first half of 2019 compared with the same period in 2018. This is just the tip of the iceberg as many scams and information security breaches go unnoticed or are not reported. We expect these figures to jump considerably when reporting is compiled in early 2021.

Current high-risk scams involve cyber criminals targeting businesses through sophisticated email compromise in which they purport to be a legitimate entity. The scammers then ask the recipient to follow a link to reset a password, access an online file or track a postal shipment. These lures are easy entry points for cyber criminals whose objective is to gain access to the employee's email account, watch their behaviour and strike at a moment of vulnerability.

Business email compromise scams rely heavily on human error achieved through social engineering and targeted phishing attacks. We often see fraudsters intercept legitimate invoices and change the payment details, redirecting funds to their own accounts. Unsuspecting employees and businesses with unsophisticated internal controls are unaware their system has been compromised or that the cyber criminals are 'living' in their inbox.

Once a scammer has access to one account within an organisation, there is an increased risk the organisation's network will be compromised further. In this scenario, the criminal can assume multiple identities within an organisation to perpetrate sophisticated fraud events.

Core Integrity has seen a sharp increase in small to medium enterprises being targeted in this fashion. While the first port of call for affected businesses is their internal or external IT provider, these providers can often lack the requisite skills to conduct a thorough forensic investigation to get to the bottom of the issue.

Regardless of your size or industry, no business is safe from cyber fraud. We have worked with clients ranging from two-person businesses that lost hundreds of thousands of dollars through to government departments exposed to sophisticated scams.

Key insights for business owners and executives

We've developed some key insights business owners and executives should be aware of when it comes to cyber fraud and BEC events:

  1. Organisations with multiple offices or disparate locations are at higher risk, providing an opportunity for fraudsters to skilfully impersonate fellow employees. Emails received from a scammer purporting to be a fellow employee cannot be easily verified due to distance between offices or locations combined with poor internal processes. Risks have been heightened this year with most organisations moving a large percentage of their business to remote working and increased reliance on digital communication.
  2. Businesses in the construction industry are at especially high risk due to the volume of invoices distributed involving large sums of money. Combined with poor internal controls, the industry is placed at heightened risk. Sub-contractors are at even greater risk as they are often sole traders with no formal security protocols in place.
  3. The most common response when an organisation experiences a BEC attack is to contact their internal or external IT providers with a key focus on their security systems. This may involve forced password resets and updating or changing software. However, false billing and BEC scams rely on human error and a lack of internal processes to be successful, so this one-dimensional response may leave the organisation vulnerable to further attacks. It is vital that a thorough forensic investigation is conducted to determine how the fraud was perpetrated, which employees were impacted, and the processes that led to the compromise. Part of the solution is to make IT security enhancements. However, this needs to be supported with a more thorough fraud risk response.
  4. Once the compromise has been investigated, it is recommended that the impacted organisation undertake a comprehensive fraud risk review. Assessing the business's threat environment, the risks to that business and its industry, and the controls in place to prevent or mitigate further incidents is pivotal. This process is often eye-opening for business leaders and highlights the vulnerabilities within the business.
  5. While often considered an expensive initiative, employee education is key to reducing your organisation's ongoing risk of cyber fraud or attacks. If every employee is educated to understand existing scams, how the scams are perpetrated and the controls in place to prevent or minimise the scams from occurring, then your team can go a long way towards protecting your business.
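As an added illustration of the two patterns described above, the altered invoice with changed payment details and the email sent under a colleague's name from an outside address, the following screening check is example code written for this article, not Core Integrity's tooling. The company domain, staff list, vendor master, bank details and sample messages are all constructed.

```python
# Added example (not Core Integrity's code): screen a finance-inbox message for
# the BEC indicators the article describes. All names, domains, BSBs and account
# numbers below are constructed for illustration.
import re
from email.utils import parseaddr

COMPANY_DOMAIN = "example-build.com.au"                       # assumed internal domain
INTERNAL_STAFF = {"Jane Smith": "jane.smith@example-build.com.au"}
# Vendor master: bank details agreed with each supplier out-of-band, not by email.
VENDOR_MASTER = {"Acme Concrete": {"bsb": "062-000", "account": "12345678"}}

BSB_RE = re.compile(r"BSB[:\s]*(\d{3}-?\d{3})", re.I)
ACCT_RE = re.compile(r"Account(?: No\.?| number)?[:\s]*(\d{6,10})", re.I)

def screen_invoice_email(msg):
    """Return hold reasons for a message dict; an empty list means no indicator."""
    flags = []
    name, addr = parseaddr(msg["from"])
    domain = addr.rsplit("@", 1)[-1].lower()
    # 1. A colleague's display name on an address that is not their own:
    #    the 'fellow employee' impersonation that distance makes hard to verify.
    if name in INTERNAL_STAFF and addr.lower() != INTERNAL_STAFF[name]:
        flags.append(f"display name '{name}' used from external address {addr}")
    # 2. Reply-To on a different domain silently diverts the conversation.
    _, reply_addr = parseaddr(msg.get("reply-to", ""))
    if reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != domain:
        flags.append(f"reply-to domain differs from sender domain ({reply_addr})")
    # 3. Bank details in the body differ from the vendor master: the intercepted
    #    and altered invoice. Hold payment and confirm on the phone number on file.
    vendor = msg.get("vendor")            # constructed field; derive from sender in practice
    bsb, acct = BSB_RE.search(msg["body"]), ACCT_RE.search(msg["body"])
    if vendor in VENDOR_MASTER and bsb and acct:
        known = VENDOR_MASTER[vendor]
        if (bsb.group(1).replace("-", "") != known["bsb"].replace("-", "")
                or acct.group(1) != known["account"]):
            flags.append(f"bank details for {vendor} differ from vendor master; "
                         "confirm by phone using the number on file, not the email")
    return flags

# Constructed samples: an altered invoice sent under a colleague's name from a
# lookalike domain, and a clean invoice matching the vendor master.
SUSPECT = {"from": "Jane Smith <jane.smith@example-bui1d.com>",
           "reply-to": "jane.smith@webmail.example",
           "vendor": "Acme Concrete",
           "body": "Please note our new details. BSB: 033-999 Account No: 87654321"}
CLEAN = {"from": "accounts@acmeconcrete.example", "vendor": "Acme Concrete",
         "body": "Invoice 1042 attached. BSB 062-000 Account number 12345678"}
```

Any flagged message is held for a second person to verify by phone, which is the segregation-of-duties control the article says small businesses most often lack.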

What to do after a BEC event

If your business experiences a cyber fraud event, take a moment to get the right advice about how your organisation will respond. Engage an experienced forensic investigation team who will coordinate your response and work closely with your internal or external IT team.

When it comes to the constantly evolving world of fraud and cyber risks to your business, the key is to be on the front foot. Core Integrity works with clients at every stage of the integrity life-cycle to conduct fraud risk assessments and help organisations prevent and minimise the impact that internal and external cyber fraud can have on their business.

FAQ

What is a business email compromise scam?

It is a scam where cyber criminals target businesses through email compromise, often by pretending to be a legitimate entity and trying to gain access to an employee's account.

Why are small businesses at higher risk?

Small businesses often have weaker cyber and information security protocols, low to no internal controls, no segregation of finance duties, and less training and awareness.

Is an IT response enough after a BEC attack?

No, an IT response is only part of the solution. Businesses also need a thorough forensic investigation and a broader fraud risk response.

Why does employee education matter?

Employee education helps people understand how scams are perpetrated and what controls are in place, which reduces the organisation's ongoing risk of cyber fraud.