5 – How to Avoid Business Email Compromises in your Small Business

by | Jan 12, 2023 | Podcast

Business Email Compromises were the most prevalent attacks we saw on Australian Small Businesses in 2022.  We look at what they are and the steps you can take to protect your business and your bank account.

Cyber Security 4 Small Business is a set of resources to help small business owners understand different cyber attacks in Australia today and how small businesses can defend their network in the most cost-effective way possible.

We believe that 95% of Cyber Security and Cyber Resilience can be achieved through good systems administration and good processes, without all the expense of engaging cyber security experts.

In today’s world, email continues to play a very important role when conducting any business. Given that, your business email also becomes a target to attackers for fraud. And these attackers have already made their move. Today, in Australia, we’ve seen that Business Email Compromises were the most prevalent attacks against small businesses in 2022. In this episode, we look at what a Business Email Compromise is and what steps you can take–as a small business owner–to protect your business, and eventually, your own bank account as well.

Understanding Business Email Compromise and the Malicious Methods Used

A business email compromise is a type of cyber-attack that criminals use to trick companies into sending money to an attacker’s bank accounts. Once we have a hacker accessing the entire email system of your business, they may:
● Read through all the incoming information from all the emails
● Send emails that appear to be from your organization

For hackers to get inside an organization, they often study the organization to get a good understanding of the people involved. They observe the organization and its employees heavily. Cyber criminals also take note of individual mannerisms so they can properly fool their victims.

Here are a few things attackers try to uncover once they are inside a business’ email systems:
1. Who is the owner of the email they have?
2. Who has power over the payments?
3. Who makes those payments?
4. They observe conversations closely among employees
5. Who are the customers?
6. How does this business reach out to their customers?
7. How does this business talk to its customers?
8. How are all the different invoices related?
9. What is the business / email sender’s tone? Is it friendly or formal?
10. Who are their names
11. What other accounts do the employees use?

Once the attackers have collected the information, they can start to create fake invoices that they send out to targeted recipients. It is difficult for the recipients to identify if the invoices are legitimate since they are sent out from a legitimate business email system.

It is also rare for attackers to target a single email. Hackers usually want to make things worth their while so their methods involve casting a wider net by sending out multiple emails to get as many chances as possible at hitting a lucrative source.


Real-Life Examples of a Business Email Compromise Attack in Small Businesses

A common misconception is that small businesses are immune to these attacks since their revenue isn’t as large as big companies. But based on the data we’ve seen, we found that businesses regularly lose an average of $10,000 and get stolen via compromised business emails.

To better understand how attackers conduct Business Email Compromise Attacks, and to also witness the ever-changing methods, these attackers use, here are a few real-life examples of small businesses falling prey to these cyber attacks today.

Case 1:
The first case is from a property services company that suffered from an internal attack. The person who handles the accounts received an email from the owner. In the email, the hacker–posing as the owner–requested the accounts person to pay another company.

Seeing that the email was from the actual owner, the accounts person completed the request by sending out payment. The actual owner then arrived denying that such an email/request was made.

Fortunately, they caught on to it quickly and they were able to ask the bank to stop the transaction immediately. By being able to contact the bank, they were able to mitigate a potential loss of around $7,500.

Case 2:
The second case is from a construction company where their accounts person was reaching out to their customers to follow up on some payments. The customer then looked at their transaction history and found that they had already paid the company two weeks ago. The customer then sent a copy of the invoice that they paid to their account’s person. The accounts person then noticed that the account number listed on the invoice was not the companies.

Tragically, since weeks had already gone by, the money was gone and can no longer be returned.

Case 3:
The third case is a professional services and engineering company. This scenario is the exact opposite of the second case. Instead of the company’s email system being compromised, it was the suppliers. The company received a phone call from the supplier asking payment for the goods. The accounts person goes through their records and finds that they have paid it already. They noticed the bank account and BSB (Bank State Branch) number had been changed.

The tragic part of this exchange though is that the company still wants to be paid. The customer believes they already have paid. Where it gets sticky is even though they paid into the wrong account, the customer would still owe that money and are required to pay it by Australian law.

Best Practices to Avoid a Business Email Compromise

Gone are the days when you could rely on bad spelling, bad grammar, or a bad email in general to give it away. Nowadays, you cannot even trust the email source since it will be coming from your own domain. That is why, it is best to understand the current methods these attackers use so you will know how to protect your own organization. It is also important for your own defensive techniques to evolve as quickly–and as often–as the attackers’ methods change.

How can you minimize your risk of a business email compromise?
In all the three cases we mentioned, all three businesses were using Microsoft 365 and they all did not have MFA (Multi-Factor Authentication) activated, leaving them totally vulnerable and open to even the simplest cyber-attacks. even more so much more complex and tricky methods. Today, attackers have found numerous ways to get in an organization’s system. Some of the most common ones are through:
● A compromised Admin accounts
● Keyloggers
● Brute force

Here are some good practices that can help protect your business online and against cyber attacks today:
1. Activate MFA
To ensure that every login is secure, having Multi Factor Authentication pairs every login in an application with a separate code authentication on another device or application for confirmation. Some of the good tools to use for this are Duo and Google Authenticator.

2. Establish good workflows around payments
You might have all the protection within your own system, but the other side could falter in their defense. That is why it takes multiple organizations to protect each other properly and effectively. It is best to document and understand your organization’s workflow. Some of the items a business should understand include: Who does what? When and what is done at certain times, and where does the payment go? Most especially, it is important to track down the changes made to some documents used in the business, such as PDFs or Invoices etc.

3. Practice good password hygiene by using strong passwords
Passwords have been a staple ever since the beginning of the digital age. But as attacks evolve, so do the password strength levels. You used to just use any assortment of words for a password but now, you usually require unique combinations to have a strong password. Some of the good password practices are:
● Your password to your banking email must be unique and strong since this is the one that has actual access to your money
● Email passwords should be unique in the sense that they are essentially entry points to your system
● Basically, any accounts involved in the small business should have decent passwords if they are involved in any way in your business
● Make sure your password has a strong form. A common suggestion is that it should be a phrase with all the necessary requirements for a strong password (capital letters, numbers, special characters) that helps hinder brute force

What do you do if you’ve discovered you’ve been a victim of a business e-mail compromise?

If you are in an unfortunate position that you have been hit by a cyber-attack, it is easy to be disheartened and just give up. But that should not be the case. Here are some of the things you can do after an attack:
1. Contact your bank and tell them about the situation ASAP and see if they can stop it
2. Report the incident to the Australian Cyber Security Center
3. Change all passwords on all accounts immediately
4. Enable MFA on as much accounts as possible
5. Look for which information has been stolen (usually in email folders)
6. Assume every email account has been compromised. Isolate them immediately
7. Reach out and notify stakeholders when you’re ready.

Got any questions on how to avoid business email compromise attacks in your small business and how you can learn how you can protect your business and be safe online; you can reach out to us anytime. We help organizations understand the various ways they can protect their business amidst the cyber-attacks today.

Cyber Security 4 Small Business is a set of resources to help small business owners understand different cyber attacks in Australia today and how small businesses can defend their network in the most cost-effective way possible.


Understand your cybersecurity risk for your small business

Try our FREE Essential 8 Auditor Tool