Is that email really from your boss?

It’s hard to say no when you receive orders from the boss. And that’s exactly why business email compromise scams have been successful lately. So successful, in fact, that they’ve defrauded businesses around the globe of almost AU$3billion in just two and a half years.

That’s why, as someone running a small to medium business, its important you understand how to protect your organisation.

The business email compromise scam happens when a fraudster impersonates a senior member of staff to trick someone at the company to transfer funds to the fraudster’s account.

While that may sound simple enough, the scam can be quite sophisticated in the way it’s put together – with many months of detailed planning going into the end result. It’s that level of sophistication and complexity that can also make it very hard to detect.

A scam that’s built on intelligence

Business compromise scams are often multi-stage operations that start with intelligence gathering. The first sign that a scam is underway could be an innocent phone call to reception to find out who looks after accounts. Alternatively, it might be a recruiter or a supplier looking to update their database. Whoever they pose as, the scammer will be looking for one thing: the details of the people in your organisation who hold the purse strings.

Then again, scammers don’t always even have to make contact to start mining your business for information. Very often it will be enough just to troll through the information that’s publicly available on your website, LinkedIn profiles or other social media accounts.

But that still leaves a lot to chance: especially the chance that an employee will fall for an email that comes from an address other than yours.

So some of the most effective email compromise scams go several steps further. 

Getting to know you

Because the scam is based on impersonation, some fraudsters will try to access to your computer by getting a staff member to unwittingly download malware or breaching your servers through whatever means they can. Once they’re in, they’ll check your calendar to find out exactly what you’re up to: who you’re meeting with, what’s on your agenda and your appointments.

After all, a good email compromise scammer often relies on knowing the movements of the person they ultimately want to impersonate. That way they can strike when your employees are at their most vulnerable – while you’re out of the office.

The scammer will also spend time reading your emails to discover how you relate to others and taking note of the way you write: your tone, common expressions and how you sign off. When the time comes for them to send an email asking for that urgent transfer of cash, chances are they’ll sound exactly like you.

This very scenario happened to toy manufacturer Mattel, when a scammer impersonated a newly appointed CEO. The scammer asked for an urgent payment to be made to a China-based supplier. The total loss to the business… US$3million.

So, when an email comes straight from your email account while you’re away and it sounds like you, knows where you are and what you’re doing, what reason would a staff member have not to comply?

How to protect your business

To protect your business against an email compromise scam, the first step is to brief every member of staff – particularly those who look after company accounts – on what to look out for. Let them know that alarm bells should ring whenever someone out of the office asks for funds to be transferred urgently. The bells should ring even louder where the urgent needs for funds is also accompanied by a request to circumvent the usual processes.

On top of that, you should always:

1. have strict protocols for dealing with any request for money, including internally, and communicate these to all staff. Never let anyone deviate from your protocol for any reason, even if it’s you making the request
2. follow up any request with a phone call if the person is out of the office or if a payment is over a certain amount. When you do, make sure you call the person’s usual number and not any number they’ve given you in the email
3. make sure your employees read emails carefully. While scammers may be very good at impersonating you, they may not be perfect – especially if they’re outside of Australia and don’t have English as a first language
4. have people bring any suspicious emails to your attention, so that you can report the activity to Scamwatch.

A variation on the scam

Finally, it’s worth noting that the fraudsters perpetrating this scam won’t always try to impersonate someone inside the company. Instead, they may go to great lengths to pose as one of your suppliers. This could include hijacking their computer, reading their emails and gaining access to their banking details and past invoices.

They’ll then email your accounts department, asking them to substitute the bank account on file for their own.

To avoid this happening to your business, it’s vital to follow up any request from a supplier with your usual strict protocols, including confirming any instructions verbally.

Want to know more?

Because they often involve substantial amounts of money, business compromise email scams can be deadly to a business. And they’re also on the rise. That’s why it’s important you keep up to date with the latest scams and how your business can protect against them on the Scamwatch website.