Business Email Compromise: The scam duping businesses across the world
Businesses across the world are being bombarded by a range of cyber scams, with one of the most prevalent being Business Email Compromise (BEC), also known as ‘CEO Fraud’. Between October 2013 and May 2018, more than $12 billion in domestic and international losses were attributed by the FBI to BEC scams.
On average, businesses have received five BEC scam emails in the last 12 months, which equates to a 17% chance of receiving at least one BEC email per month. In the previous 12 months, an organisation would have received an average of four BEC emails per month.
So, what should your organisation be doing to minimise this and other cyber-related risks?
What is BEC?
BEC scams generally occur when a hacker gains access to a business’ email account, or that of one of its suppliers, and mimics a legitimate email address using a domain similar to the targeted business’ actual domain. The cybercriminal then sends a fraudulent email impersonating the CEO or CFO of the target, usually to someone in the finance department who manages money or to another senior staff member, instructing that an amount of money needs to be urgently transferred to a nominated bank account. Often, emails will purport to be from a supplier requesting a change to its bank account number and instructing that all future invoices be paid into the new account. A range of apparently justifiable reasons may be given for the change, but if it is accepted, payments will then start to flow into the cybercriminals’ bank account. Often, the cybercriminal and the associated bank accounts are based in foreign jurisdictions, which makes it difficult to track and recover lost monies.
According to the ACCC, reports of BEC scams increased by a third from 2017 to 2018 and Australian small businesses have lost 42% more to BEC in the first half of 2019 than all of 2018.
Of the top 10 regions targeted by BEC scammers in the last 12 months, the top three are the United States (39%), the United Kingdom (26%) and Australia (11%) (refer to Figure 1 below).
Figure 1 – Top 10 BEC victim regions, July 2018 – June 2019
Given the relative size of the Australian business market to that of the US and UK, it appears Australia is fertile ground for exploitation.
Why does it work?
BEC email scams play on a range of basic human traits, including our instinct to trust. The cybercriminal identifies and targets specific employees in an organisation who have the authority to make payments. At first glance, the email received by this person looks similar to a legitimate email from a senior executive or a senior supplier representative. This creates an obligation on the part of the receiver to comply. When combined with a general unwillingness to question the boss and a sense of urgency created by the use of words such as ‘IMPORTANT’ and ‘URGENT’, it is no wonder the scam has a reasonable chance of success.
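The two hallmarks described above, a sender domain that merely resembles a trusted one (the ‘What is BEC?’ section) and urgency or payment-change language in the message (this section), can both be checked mechanically before an email reaches the person who approves payments. The following is an added example, not code from the original article or from PKF; the trusted domains, the three sample emails and the keyword lists are all constructed for illustration, and the edit-distance threshold is an assumption that would need tuning against real mail.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed list of domains the organisation and its suppliers genuinely use.
TRUSTED_DOMAINS = ("example-corp.com", "acme-supplies.com")

# Assumed keyword lists: pressure words and payment / bank-detail-change phrases.
URGENCY = re.compile(r"\b(urgent(ly)?|important|immediately|asap|right away)\b", re.I)
BANK_CHANGE = re.compile(
    r"\b(new (bank )?account|(updated?|changed?|change of) (our )?bank(ing)?( details| account)?"
    r"|bsb|iban|swift|wire transfer)\b", re.I)


def normalise(label):
    """Fold common look-alike substitutions so 'examp1e' compares equal to 'example'."""
    for src, dst in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        label = label.replace(src, dst)
    return label


def levenshtein(a, b):
    """Plain edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain this sender domain imitates, or None.

    An exact trusted domain is never a look-alike. Otherwise the second-level
    label is compared after normalisation: an identical label with a different
    TLD (acme-supplies.co) or a label within 2 edits counts as imitation.
    Threshold 2 is an assumption; short labels will need a stricter value.
    """
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    sld = normalise(domain.split(".")[0])
    for trusted in TRUSTED_DOMAINS:
        if levenshtein(sld, normalise(trusted.split(".")[0])) <= 2:
            return trusted
    return None


def body_text(msg):
    """Collect the plain-text parts of a parsed message."""
    if msg.is_multipart():
        return "\n".join(p.get_payload(decode=True).decode(errors="replace")
                         for p in msg.walk() if p.get_content_type() == "text/plain")
    return msg.get_payload()


def assess(raw_message):
    """Return the list of BEC indicators found in one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    text = (msg.get("Subject", "") or "") + "\n" + body_text(msg)
    indicators = []
    if lookalike_of(sender_domain):
        indicators.append("lookalike-domain")
    if reply_domain and reply_domain != sender_domain:
        indicators.append("reply-to-mismatch")
    if URGENCY.search(text):
        indicators.append("urgency-language")
    if BANK_CHANGE.search(text):
        indicators.append("payment-or-bank-change")
    return indicators


# Constructed sample messages (not real mail).
SAMPLE_CEO_FRAUD = """From: Jane Doe <jane.doe@examp1e-corp.com>
Reply-To: jane.doe.ceo@webmail-example.invalid
Subject: URGENT - wire transfer

I need you to transfer $48,000 to a new account today. Send me the confirmation immediately.
Jane
"""

SAMPLE_SUPPLIER_CHANGE = """From: Accounts Receivable <ar@acme-supplies.co>
Subject: Updated bank details for future invoices

Please note we have changed our bank. All future invoices should be paid to the new account below.
BSB 000-000 Account 00000000
"""

SAMPLE_LEGITIMATE = """From: Jane Doe <jane.doe@example-corp.com>
Subject: Meeting notes

Attached are the minutes from Monday's meeting.
"""

if __name__ == "__main__":
    for name, raw in (("ceo-fraud", SAMPLE_CEO_FRAUD),
                      ("supplier-change", SAMPLE_SUPPLIER_CHANGE),
                      ("legitimate", SAMPLE_LEGITIMATE)):
        print(name, "->", assess(raw) or "no indicators")
```

Each indicator on its own is weak: legitimate suppliers do change banks, and executives do write ‘urgent’. The value is in the combination, which is why the function returns every indicator it finds rather than a single verdict; a mail gateway rule or a finance-team checklist can then require out-of-band confirmation (a phone call to a known number, not a reply to the email) whenever a look-alike domain or a Reply-To mismatch coincides with a payment or bank-detail request.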
What does this mean for business?
It appears that employees are unlikely to be liable for losses incurred by making a payment to a cybercriminal, particularly if they acted in good faith and in the belief that they were following a lawful instruction from someone in authority. Their failure to question a payment request may also be compounded by a lack of training and awareness provided by the employer about what should be done when such requests are received.
Testing these principles is a company in Scotland, Peebles Media Group, which is suing a former employee for negligence and breach of the duty to exercise reasonable care after she transferred nearly £200,000 to a BEC fraudster. The employee claims that the company never provided training about online fraud. The outcome of this case will set important precedents about employee and employer obligations and duties of care when dealing with specific cybercrime incidents and with the risk generally.
What needs to be done?
All the evidence supports the conclusion that the incidence of the BEC scam and the associated financial losses are increasing significantly. In terms of sophistication, it has been characterised as ‘…a relatively low-tech type of financial fraud, but it has proved to be a high-yield and lucrative enterprise for scammers.’
There is a range of technological, procedural and awareness measures that can be taken to deal effectively with this risk. One of the key mitigating measures is as unsophisticated as the risk itself: increase employee vigilance through appropriate training and education, especially about the latest threats and how they work, adopting a questioning mindset and establishing a culture of shared responsibility for mitigating the risk.
PKF is providing a series of Integrity Forums across Australia to discuss the challenges facing organisations when it comes to dealing with cyber fraud. If you would like to learn more about these forums, please contact the PKF Integrity team.