Cybercrime is on the increase and Tasmania is not immune. A recent Tasmania Police media release [1] has identified the prevalence of sophisticated cyber criminals targeting individuals and organisations across the state. Cyber criminals are using sophisticated methods of online social engineering, including stylised and targeted phishing emails, commonly known as Business Email Compromise (BEC), to defraud organisations across Tasmania. In one recent example an organisation suffered a loss in excess of $200,000 from a single incident.
What is BEC?
BEC occurs when attackers use compromised or fraudulent email addresses to target specific employees within organisations, requesting that a ‘legitimate’ transaction be processed or that changes be made to key payment or supplier information. These sophisticated emails appear to come from a senior member of the organisation, either to gain access to funds or to request funds or changes to payment details.
How prevalent is BEC?
A report [3] by the Federal Bureau of Investigation highlighted that in the last two years over US $3.1 billion was lost to BEC crimes. The Australian Competition and Consumer Commission’s Targeting Scams Report [4] states that in 2015 AU $84.9 million was lost to scams in Australia and over 100,000 reports of scams were made. In Tasmania alone, Tasmania Police reported that fraud offences have increased by 26.4% since 2013, with cyber fraud constituting 25.4% of all fraud offences in Tasmania in 2015-2016 [5].
How does BEC occur?
Cyber criminals are using publicly available information from organisation websites, directories, databases and social media platforms to target specific employees in areas such as finance, human resources and senior management. Below are five types of BEC that can occur in your organisation:
How can you identify and avoid BEC?
In order to avoid becoming a victim of a BEC scam, individuals should take the following precautions when actioning emails:
Independently verify – Contact the person making the request via phone or in person to confirm the request.
Content – Does it ask you to click on an unfamiliar link or download an attachment? Does the email contain errors, or is it illogical or unusual in its language or request?
Hyperlinks – If you hover the mouse over a hyperlink, does the content match the actual link?
Attachments – Is the title or format unfamiliar or different from the request? The only file types that are always safe are .txt files.
Address – Does the sender address match the business name? If the sender is internal, are there discrepancies in the spelling or order of the name? If the sender is external, is the source suspicious?
Subject – Is the subject irrelevant to, or different from, the content of the email? It may claim to be a reply to an email you have not sent.
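As an added example (not part of the original advisory), the following Python script applies four of the precautions above to a parsed email: it compares the sender domain to the organisation's own domain, flags a "Re:" subject that carries no threading headers, compares visible link text with the real link target, and flags any attachment that is not a .txt file. The internal domain and the sample message are constructed for illustration only.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string, policy
from email.utils import parseaddr

# Assumed for this example: the organisation's own domain. A real deployment
# would take this from its directory rather than hard-code it.
INTERNAL_DOMAINS = {"example-corp.com"}

# Constructed sample (not a real email) showing three of the warning signs above:
# lookalike sender domain, "Re:" subject with no threading headers, link text
# that does not match the real destination.
SAMPLE_EML = """\
From: "Jane Smith (CFO)" <jane.smith@examp1e-corp.com>
To: accounts@example-corp.com
Subject: Re: urgent supplier bank detail update
Content-Type: text/html; charset="utf-8"

<p>Please update the supplier bank details via
<a href="http://198.51.100.7/login">https://portal.example-corp.com</a>
and confirm today.</p>
"""

def check_email(raw: str) -> list[str]:
    """Apply the address, subject, hyperlink and attachment checks; return warnings."""
    msg = message_from_string(raw, policy=policy.default)
    warnings = []
    # Address: an outside domain that closely resembles ours is the classic lookalike.
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain not in INTERNAL_DOMAINS:
        for internal in INTERNAL_DOMAINS:
            if SequenceMatcher(None, domain, internal).ratio() > 0.8:
                warnings.append(f"address: {domain} looks like {internal}")
    # Subject: claims to be a reply to a thread the headers show no trace of.
    if msg.get("Subject", "").lower().startswith("re:") and not (
            msg.get("In-Reply-To") or msg.get("References")):
        warnings.append("subject: 'Re:' with no In-Reply-To/References header")
    # Hyperlinks: visible link text that is itself a URL but points elsewhere.
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    for href, text in re.findall(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', html, re.S | re.I):
        shown = re.sub(r"<[^>]+>", "", text).strip()
        if shown.lower().startswith("http") and shown.rstrip("/") != href.rstrip("/"):
            warnings.append(f"hyperlink: shows {shown} but goes to {href}")
    # Attachments: flag any file type other than the .txt the precautions call always safe.
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        if not name.lower().endswith(".txt"):
            warnings.append(f"attachment: {name} is not a .txt file")
    return warnings
```

Running `check_email(SAMPLE_EML)` returns three warnings (address, subject, hyperlink); a plain-text invoice from an internal address with an ordinary subject returns none.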
How can you reduce the risk of compromise to your organisation?
Reducing the risk of BEC compromise requires technical, procedural and educational controls in order to be secure, vigilant and resilient: