Business email compromise: how to protect your organisation

There would be very few people who haven’t heard about the millions of dollars lost each year to online romance or phishing scams. Less well known, however, are the scams in which business email accounts are hacked. According to the Australian Competition and Consumer Commission’s report Small business in focus, in the first six months of 2019 $5.4 million was lost to business email compromise (BEC), a 42 per cent increase over total BEC losses in 2018.

There are a number of different types of BEC scams. One involves a hacker gaining access to a business email account, intercepting emails and changing the banking details on any invoices so that payment goes to the hacker’s account. The business usually doesn’t discover what has happened until the supplier contacts it about the unpaid invoice.

This is what happened to Duncan Perkins, owner of Tax Time Accountants, who was defrauded of $10,000 he thought he had sent to one of his clients. It was only after the client asked why he hadn’t yet been paid that Perkins started investigating.

“I initially thought I’d made an error but I soon uncovered that fraud had occurred,” he says. “None of the banks involved were interested in helping me work out what had happened but finally a call to Microsoft revealed a hacker had introduced a hidden rule into my email program so that any email that came through with words such as ‘payment, transfer, BSB or deposit’ would be diverted to the hacker’s email inbox.”

In this instance, the hacker changed the BSB and account number of the account to which Perkins was sending the money to those of another account. Despite Perkins alerting the receiving bank to what had happened, he was told the bank wouldn’t investigate because of privacy regulations contained in the Privacy Act.

“The response I got from my bank was that as I made the error nothing more could be done,” he says. “The receiving bank said as I wasn’t a customer of theirs they weren’t prepared to do anything and that the Privacy Act prevented them from contacting the owner of the account my funds went to – even though it was clearly fraudulent.”

Perkins also contacted the industry bodies set up to monitor scams, but they were equally unforthcoming with help.

“My grievance is that if a bank accidentally transferred money to someone’s account and that account owner spent the money, the bank would pursue that person to the nth degree, including pressing criminal charges,” he says. “But if it’s a customer or a customer of another bank, they protect the fraudster by hiding behind the Privacy Act. I recognise that I made the error and have lost my money but what I do mind is that no one is looking into it.”

Perkins says the Banking Code of Practice states that banks will do their very best to work together to stop fraud. “They have contravened this code and if the banks had followed their code, a system would have been created earlier to stop this type of fraud,” he says. “This is a very dangerous type of ‘sleeping dog’ fraud as these rules can sit in your email for months before the hacker takes any action.”

These types of attacks are on the rise as more small businesses move to cloud-based services such as Office 365 and Google’s G Suite, where email accounts can be accessed from anywhere with just an internet connection and a single log-in portal.

Another type of BEC is the “social engineering hack”, with law firms just one of the professions being targeted. In a typical example, hackers pose as potential clients over the phone and show an interest in using a law firm’s services. Following the call, these “potential clients” send the lawyer an email that contains documentation about their situation. The lawyer has to enter their email log-in and password to access the files, but this takes them to a fake website through which the hacker captures the lawyer’s credentials and then their email account, which is used to conduct fraudulent transactions.

Guarding against BEC attacks

Being aware that these types of BEC attacks exist is the first line of defence. Things to watch out for in particular include:

  • emails requesting that a password or bank account details be updated. If you do get an email like this, conduct a web search using some phrases copied directly from the body of the email to see whether they have been reported as part of a phishing scam
  • making sure any site you are entering your credentials into is the correct one and that strong encryption is being used on that site.

One of the most reliable security features for preventing hackers logging into an email account is Multi-Factor Authentication (MFA), which requires a user to present more than one type of credential to the system in order to be successfully authenticated.

The most common MFA systems combine a usual password with a One Time Password (OTP), generally generated by a token or received on a mobile phone via text message. The OTP is usually only valid for a short period of time, which hinders a hacker who has obtained the password from gaining access to the account.

Email filtering systems are another useful solution. While they don’t tend to pick up a large number of BEC-related emails, they are still beneficial.
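As an added example (not from the article or from any organisation named in it), the following Python checker scans an exported list of mailbox rules for the pattern Perkins describes: a rule that selects mail containing money-related words and forwards, redirects or deletes it so the owner never sees the conversation. The JSON export, the field names (loosely modelled on what an Exchange Online rule listing exposes) and all addresses are constructed assumptions, not real data.

```python
import json

# Money-related words like those the hidden rule in the Perkins case matched on.
SUSPICIOUS_WORDS = {"payment", "transfer", "bsb", "deposit", "invoice", "remittance"}

# Constructed sample export. Field names are an assumption modelled loosely on an
# Exchange Online inbox-rule listing; rule names and addresses are invented.
SAMPLE_RULES_JSON = """
[
  {"Name": "Newsletters", "Enabled": true, "SubjectOrBodyContainsWords": ["newsletter"],
   "MoveToFolder": "Inbox/Newsletters", "ForwardTo": [], "RedirectTo": [], "DeleteMessage": false},
  {"Name": ".", "Enabled": true, "SubjectOrBodyContainsWords": ["payment", "transfer", "BSB", "deposit"],
   "MoveToFolder": "RSS Feeds", "ForwardTo": ["attacker-placeholder@example.net"],
   "RedirectTo": [], "DeleteMessage": true},
  {"Name": "Client docs", "Enabled": true, "SubjectOrBodyContainsWords": ["contract"],
   "MoveToFolder": "Inbox/Clients", "ForwardTo": [], "RedirectTo": [], "DeleteMessage": false}
]
"""


def assess_rule(rule, own_domain):
    """Return the reasons one rule looks like a BEC diversion rule (empty list if it does not)."""
    words = {w.lower() for w in rule.get("SubjectOrBodyContainsWords", [])}
    money_hits = sorted(words & SUSPICIOUS_WORDS)
    targets = rule.get("ForwardTo", []) + rule.get("RedirectTo", [])
    external = [a for a in targets if not a.lower().endswith("@" + own_domain.lower())]
    reasons = []
    if external:
        # Any automatic forward to an address outside the organisation deserves review.
        reasons.append("forwards/redirects to external address: " + ", ".join(external))
    if money_hits and (external or rule.get("DeleteMessage")):
        # Keyword selection combined with diversion or deletion is the pattern in the
        # article: invoice and payment mail is taken away before the owner reads it.
        reasons.append("selects money-related mail (" + ", ".join(money_hits) + ")"
                       + (" and deletes it" if rule.get("DeleteMessage") else ""))
    return reasons


def find_suspicious_rules(rules_json, own_domain):
    """Map rule name -> reasons for every enabled rule that assess_rule flags."""
    findings = {}
    for rule in json.loads(rules_json):
        if not rule.get("Enabled", True):
            continue
        reasons = assess_rule(rule, own_domain)
        if reasons:
            findings[rule["Name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in find_suspicious_rules(SAMPLE_RULES_JSON, "example.com").items():
        print(f"rule {name!r}: " + "; ".join(reasons))
```

Run the same check over the real rule export of every mailbox after a suspected compromise, and periodically as routine hygiene, since the article notes such rules can sit unused for months.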

What action you can take

Some of the actions you can take to prevent accidentally sending funds to a hacker include:

  • confirm any change-in-payment instructions by phone using an independent phone number and not one provided in the email
  • maintain a file of contacts of employees who have the authority to approve changes in payment instructions
  • limit the number of employees who have the authority to conduct and/or approve online payments
  • request dual approval for large sums or for any new business relationship.

Chris Baskerville, Jirsch Sutherland Partner

Jirsch Sutherland Partner Chris Baskerville says one issue with BEC scams is that banks require only two pieces of information to make a money transfer: the BSB and the account number.

“The UK has legislated so that now banks require a third piece of identification – the correct account name – to verify transfers,” he says. “If they don’t get this exactly right the transfer is refused. If Australian banks followed this protocol, this type of fraud would be wiped out tomorrow.”

Baskerville adds that banks are pushing back against adopting this strategy, which he believes is partly because they expect too many errors to be made, causing transfers to be refused. “But in the long term, people will learn to input the information correctly,” he says. “Banks are also unlikely to want to spend the money required to implement new systems that allow for accepting account names. But while they keep pushing back, the incidence of fraud continues to rise. Unfortunately, no one wants to take responsibility.”
