• Minimise the impact of business email compromise in six steps

According to the FBI, business email compromise (BEC) scams have resulted in $2.3 billion in losses since October 2013.

Over half of cyber attacks reported in Australia are a result of this kind of malicious email fraud. And the problem is getting worse: between 2015 and 2016 there has been a 20 per cent increase in BEC incidents reported.

But what is BEC and how can you avoid it?

At a high level, the scam looks like this:  A legitimate-seeming email appears in an employee’s inbox and appears to be from an expected source, such as the CFO or Financial Controller. It asks the recipient to transmit funds to a third party. Often, the email has a sense of urgency, and it will appear authentic, reflecting the relationships, terminology and approval levels of the company so that the unwary employee acts to comply without question.

These requests can seem completely ordinary and many companies fall victim to this kind of attack, wiring funds to fraudulent accounts from where, once the fraud is discovered, there is little prospect of recovery. Adding insult to injury, many companies launch costly investigations when the scam is discovered, effectively to prove a negative (that their IT systems were not compromised) and in the process distract the organisation further from their day-to-day operations.

The best defence against BEC scams is prevention.

How to prevent BEC fraud in six easy steps

1. Revisit your wire transfer protocols

  • Limit the individuals who are authorised to approve funds transfers
  • Consider varying the transfer amount thresholds periodically for each approver
  • Require two forms of authentication (such as an email followed by a phone call) to initiate wire transfer requests
  • Segregate approval responsibilities from requesting responsibilities. Fraudsters do extensive research online (including on social media and social networking sites) and work hard to simulate requests that resemble your business’ normal workflow

2. Train employees on similar scams and fraud schemes

  • Integrate BEC and cyber risk training into established training programs within your organisation. This should not be a one-off experience
  • Train finance employees to be suspicious of requests for secrecy and pressure for immediate action
  • Reinforce existing good practices and established workflows. For example, if a request to transfer funds wouldn’t normally arrive via email, it should be treated with suspicion
  • Encourage employees to report something suspicious, possibly by a hotline or anonymous reporting procedure

3. Revise your data security procedures

  • Consider asking your employees – as well as consultants and vendors who have access to confidential data about your payroll and reporting relationships – to sign confidentiality agreements
  • Regularly review which employees have elevated access to key systems, and ensure strict controls protect from misuse
  • Ensure role changes are reviewed against system permissions. For example, an employee with the ability to set up vendors should never have responsibility for disbursements added to their role
  • Identify and secure any sensitive data repositories, such as key file shares, secure sites, and crucial aspects of the general ledge or banking applications

4. Improve security on web-based email and applications

  • Enable two-step or two-factor verifications for access to your network
  • Introduce additional controls for accessing and monitoring critical systems, including bank systems, accounts payable check runs and sensitive financial records

5. Test and improve your enterprise-wide technology

  • Implement and maintain an incident response plan to minimise the impact of a BEC attack
  • Update and patch your operating system, and any systems used for anti-phishing and malware detection
  • Identify similar domain names to your own, and consider purchasing to remove them from circulation
  • Create or leverage a system to flag emails with email addresses that are subtly different to your own (for example, .co versus .com)

6. Remediate identified issues

  • Involve counsel in your gap assessment and/or remediation efforts – this can reveal control deficiencies in key areas

While none of these steps is a silver bullet, discussions with qualified advisers can help to identify your weaknesses before a BEC fraud is perpetrated on you. It’s important that you take the above basic – but powerful steps – proactively to protect your organisation.