Business email compromise (BEC) is a type of cybercrime that involves targeting companies and organisations of all sizes, from small startups to large corporations, through their email systems. BEC scams are increasingly common and can result in significant financial losses for businesses, as well as damage to their reputations.
According to the most recent report published by the Australian Cyber Security Centre (ACSC) in November 2022, the ACSC received over 76,000 cybercrime reports in the 2021-2022 financial year. This equates to one cyber incident report every seven minutes (or over 200 reports a day). Given that reporting a cyber incident to the ACSC is voluntary, the true number of cyber incidents in Australia is likely to be significantly higher than the number reported. In monetary terms, the ACCC’s Targeting Scams Report 2022 states that Australian businesses were scammed out of $277 million in “payment redirection” cons through BECs over the course of 2021.
Email remains the number one way to attack businesses, and the increased demand for hybrid and remote working has made employees more exposed. It is therefore crucial to equip yourself with the knowledge and skills that can help prevent a BEC event from happening to your business.
What is BEC?
BEC is a type of cybercrime where the scammer gains access to an employee’s email account through a phishing attack or other means of hacking. Once they have access, they can monitor the employee’s email traffic and use this information to send fraudulent emails that appear to come from the company’s executives or other high-level employees or from a law firm, bank, internet provider or other supplier used by the business. These emails often request the recipient to transfer funds, change account details, or share sensitive information. They may also contain malware or other malicious code that can infect the recipient’s computer or network.
How does a BEC attack work?
Scammers either gain unauthorised access to a legitimate email account and send the email from it, or they send it from an email address that looks like a legitimate email account known to you or your employees but contains a small change (e.g. the address is off by a letter or two, or it is the correct name but on a different domain). This is done in the hope that the recipient does not notice the mismatch.
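The two lookalike tricks described above (an address off by a letter or two, and a correct name on a different domain) can be checked for mechanically before a payment request is acted on. The following is an added example, not code from the original post; the trusted domain list and the sample From: headers are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed allow-list of domains the business legitimately deals with (assumption).
TRUSTED_DOMAINS = {"sierralegal.example", "acmesupplies.example", "bigbank.example"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance: how many single-character changes turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def registrable_name(domain: str) -> str:
    """Leftmost label, e.g. 'acmesupplies' for 'acmesupplies.example'."""
    return domain.split(".")[0]


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return (verdict, detail) for a From: header value.

    Verdicts: trusted, lookalike-tld (same name, different domain),
    lookalike-typo (within max_distance edits of a trusted domain),
    unknown, invalid.
    """
    _display, addr = parseaddr(from_header)
    if "@" not in addr:
        return ("invalid", addr)
    domain = addr.rsplit("@", 1)[1].lower()
    if domain in trusted:
        return ("trusted", domain)
    # Correct name but a different domain, e.g. acmesupplies.co vs acmesupplies.example.
    for t in trusted:
        if registrable_name(domain) == registrable_name(t):
            return ("lookalike-tld", f"{domain} vs {t}")
    # Off by a letter or two, e.g. sierra-legal.example vs sierralegal.example.
    for t in trusted:
        d = levenshtein(domain, t)
        if 0 < d <= max_distance:
            return ("lookalike-typo", f"{domain} ~ {t} (distance {d})")
    return ("unknown", domain)


if __name__ == "__main__":
    for hdr in ("Jane Smith <jane@sierralegal.example>",
                "Jane Smith <jane@sierralegaI.example>",   # capital I for lowercase l
                "Accounts <accounts@acmesupplies.co>"):
        print(hdr, "->", classify_sender(hdr))
```

Anything other than "trusted" is a reason to verify the request out of band (a phone call to a known number) before paying or changing account details.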
The email usually contains a request for urgent payment or sensitive information. The attacker may also use social engineering techniques, such as pretexting, to convince the victim to comply with their request.
Once the victim has been duped into making a payment or providing sensitive information, the attacker may use this information to perpetrate further fraud or sell the data on the dark web. In some cases, the attacker may use the compromised email account to send additional fraudulent emails to other employees, spreading the attack throughout the organisation.
Types of BEC attacks
There are several types of BEC attacks, each with its own modus operandi. Some common types of BEC attacks include:
CEO Fraud: In this type of attack, the attacker impersonates the CEO or other high-ranking executive and sends an email requesting an urgent payment or transfer of funds.
Invoice Fraud: The attacker sends a fraudulent invoice, posing as a supplier or vendor, requesting payment for goods or services.
Lawyer Impersonation: The attacker poses as a lawyer or legal representative and requests confidential information or payment for legal fees.
Account Compromise: The attacker gains access to an employee’s email account and uses it to send fraudulent emails to other employees or to request sensitive information.
Next Week
In next week’s blog post we will continue the discussion on BECs, including the potential risks that a BEC attack poses to your business and how to lower the risk of a BEC attack occurring.