Keeping your small business safe from fake email scams

According to ScamWatch, Business Email Compromise is now the most financially harmful type of scam affecting Australian businesses. Australian businesses reported losing over $132 million to it in 2019 alone. 🤯


One large payment to the wrong account can quickly put a company out of business.


The team at Cynch has seen the devastating effects that fake email scams (aka Business Email Compromise or CEO fraud) can have on small businesses.

This type of crime has become increasingly popular amongst scammers because they have discovered that tricking a person can be far easier and more reliable than trying to bypass increasingly sophisticated security systems. 😔

 

What is Business Email Compromise?

Business Email Compromise (or fake email scams) is when a criminal impersonates someone over email, typically with the goal of convincing you to send money from your business to a fraudulent bank account.

Criminals will typically do this by:

  • Modifying legitimate invoices or payment instructions to include their own account details;

  • Impersonating senior management and requesting an urgent money transfer for a supposedly legitimate business purpose;

  • Impersonating real estate agents, lawyers or another business during a large financial transaction (e.g. buying a property);

  • Pretending to be someone from your team and requesting a change of bank account for their wages.

  • We’ve even seen fraudsters use copies of a company’s actual Update Payment Details form for this type of crime!

 

How do fake email scams work?

A criminal looking to run a fake email scam will typically start by doing a bit of research on their targets. They’ll trawl through any public information they can find on your business for information that will help them seem convincing over email. Your public website and LinkedIn pages are prime sources for this type of information.

Depending on the motivation of the cybercriminal, they might spend a bit of extra time looking into what the CEO or finance executive is up to so they can use something like a holiday as cover for their actions.

Scammers are nothing if not patient and will wait until the perfect moment to strike, even if it doesn’t come for months.

Once they’ve picked a target and a time to attack, they’ll look for ways to approach you as someone you commonly do business with. They might try to hack into that person’s email account so they can send emails that really are from it, or simply send something impersonating them from an account that looks very similar.

Once they’ve convinced you that you’re talking to the person they’re impersonating, they’ll send an email or updated invoice detailing where they’d like you to send your hard-earned funds.

More often than not, someone targeted in this type of scam won’t know they’ve been had until weeks later, when someone calls to follow up on a missing payment.
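The "account that looks very similar" trick above can be checked for mechanically. The following is an added example, not code from the original post or from Cynch: it normalises common character swaps and flags a sender domain that sits within a small edit distance of a trusted supplier's domain. The trusted domains and sender addresses are constructed.

```python
# Added example (not from the original post): flag a sender whose domain
# imitates a trusted supplier's domain. Trusted domains and senders are constructed.
TRUSTED_DOMAINS = {"acme-supplies.example", "bigbank.example"}

# Substitutions commonly seen in lookalike domains; normalise before comparing.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def normalise(domain):
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")

def edit_distance(a, b):
    """Levenshtein distance computed with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(sender, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return the trusted domain a sender imitates, or None when the sender is
    either genuinely trusted or not close to any trusted domain."""
    domain = sender.rsplit("@", 1)[-1].lower()
    if domain in trusted:
        return None
    for candidate in trusted:
        if edit_distance(normalise(domain), normalise(candidate)) <= max_distance:
            return candidate
    return None
```

A hit means the invoice or payment request deserves a phone call to the supplier on a number you already hold, not a reply to the email.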

 

How should small businesses respond to fake email scams?

If you believe you’ve been targeted by a fake email scam, there are some critical steps you should take:

  1. Stay calm, you’ve got this! 💪

  2. Contact your financial institution and let them know what’s happened. 💸

  3. Contact your IT support provider if you have one. 🤓

  4. Report it to cyber.gov.au and follow any advice they provide. 👮‍♂️

  5. If you suspect your identity has been stolen, contact IDCARE. 🆔


Studies show that victims of BEC are often targeted by cyber criminals multiple times. Whatever you do, don’t ignore the incident and hope it won’t happen again!

 

Why are fake email scams targeting small businesses so successful?

There are a stack of reasons why Business Email Compromise and fake email scams are popular amongst cyber criminals:

One simple message could be all it takes to earn your trust and open your business up to business email compromise.

  1. They are hard to detect and protect against as they target vulnerabilities in people, not technology.

  2. Fake emails usually look close to identical to something you’re expecting and will catch you off guard.

  3. Some fraudsters will follow up with phone calls to seem more legitimate and reinforce the scam.

  4. Scammers are patient and will wait until the perfect time to strike, usually when you’re stressed and in a rush.

  5. If the scammer impersonates someone senior in your business, others in your team might not question what’s asked of them.

  6. Successful scams can go weeks undetected, leaving plenty of time for the money to disappear.

 
Cynch Cyber Boot Camp program

Start protecting your business from fake email scams, BEC and much more today with our small business Cyber Boot Camp program.

 

What can small businesses do to protect themselves against fake email scams and BEC?

The first thing to focus on when securing your business against fake email scams is ensuring your email accounts are well protected.

Some key actions that will help avoid your own email accounts getting hacked or impersonated include:

  • Enabling multi-factor authentication (MFA or 2FA) wherever possible;

  • Implementing SPF, DKIM and DMARC;

  • Implementing additional email filtering if things are getting through;

  • Monitoring any email forwarding rules that may have been set up; and

  • Configuring your email host to flag dangerous attachments.
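"Implementing SPF, DKIM and DMARC" only helps if the published records actually tell receivers to reject spoofed mail. The following is an added example, not code from the original post or from Cynch: it inspects SPF and DMARC TXT records and reports the weak settings that commonly get left in place (a soft-fail SPF, a DMARC policy of none, no reporting address). The domains and records are constructed so it runs offline; a real check would fetch the TXT records with a DNS resolver.

```python
# Added example (not from the original post): flag weak SPF and DMARC settings
# in a domain's TXT records. Records come from a constructed dict so it runs
# offline; swap in a DNS resolver to check a real domain.
# Constructed sample TXT records for hypothetical domains.
SAMPLE_TXT = {
    "weak.example": "v=spf1 include:_spf.mailhost.example ~all",
    "_dmarc.weak.example": "v=DMARC1; p=none",
    "hardened.example": "v=spf1 include:_spf.mailhost.example -all",
    "_dmarc.hardened.example": "v=DMARC1; p=reject; rua=mailto:dmarc@hardened.example",
}

def assess_spf(record):
    """Return findings for an SPF TXT record; None means no record is published."""
    if record is None:
        return ["no SPF record: receivers cannot tell which servers may send for this domain"]
    terms = record.lower().split()
    if not terms or terms[0] != "v=spf1":
        return ["TXT record is not a valid SPF record"]
    findings = []
    if "+all" in terms or "all" in terms:
        findings.append("'+all' authorises every sender, so spoofed mail passes SPF")
    elif "~all" in terms or "?all" in terms:
        findings.append("softfail/neutral 'all' lets receivers accept mail from unlisted servers")
    return findings

def assess_dmarc(record):
    """Return findings for a DMARC TXT record; None means no record is published."""
    if record is None:
        return ["no DMARC record: receivers are not told how to treat mail failing SPF/DKIM"]
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1":
        return ["TXT record is not a valid DMARC record"]
    findings = []
    policy = tags.get("p", "none")  # a missing p tag gives no enforcement either
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofed mail to spam instead of rejecting it")
    if "rua" not in tags:
        findings.append("no rua= address, so aggregate reports of spoofing attempts go nowhere")
    return findings

def assess_domain(domain, txt=SAMPLE_TXT):
    """Combine SPF and DMARC findings; an empty list means nothing weak was found."""
    return assess_spf(txt.get(domain)) + assess_dmarc(txt.get("_dmarc." + domain))
```

DKIM is not checked here because its selector names are not discoverable from the domain alone; confirm with your email host that outgoing mail is signed and that the selector's public key is published.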


You should also ensure your computers are well protected in case something dodgy makes it into your inbox:

  • Ensuring your operating system and applications have the latest security updates installed; and

  • Checking that antivirus and firewalls are in place.


The digital profile of your business and executive team helps criminals target you, so review what you’ve shared and be mindful of how it could be used against you.


Lastly, if someone does target you and makes it through to your team, the following measures will go a long way to preventing any significant harm coming to your business:

  • Implement a process to verify high-risk transactions;

  • Share incident reporting procedures with your team;

  • Educate your staff on:

    • spotting dodgy emails;

    • reviewing the information they’ve shared online