How Australian SMEs Counter BEC Scams


The rapidly growing technological landscape has resulted in Australian Small and Medium Enterprises (SMEs) being targeted by foreign and domestic threat actors. Viewing it as an extra financial burden, many of these SMEs do not treat cyber security as a feasible area to invest in. The growing threat of Business Email Compromise (BEC) has triggered an important security alarm that must be taken seriously by Australian SMEs. Cyber threats such as BEC can be countered by implementing certain best practices that are recognised globally by the infosec community.

How Do BEC Exploits Work Their Way Towards Tricking Companies?

In a typical case of business email compromise, an imposter hijacks the email account of an organisation leader and then sends a message to designated personnel in the finance department instructing them to transfer funds to a bank account. Such attacks are, however, not that straightforward, and a lot of research is done before executing them.

BEC scams are successful when the threat actor can find out the right people governing the business and study the chain of command revolving around these influential people in an organisation. A fraudulent email directed to the right people within the company, apparently from an executive authority of the company, can easily lead to an undesired monetary transaction. Researchers often refer to BEC as “CEO Fraud” because 43% of the impersonated senders of fraud emails are the CEO or the founder.

The fact that the losses attributed to such scams increased by 136% between December 2016 and May 2018 shows that BEC campaigns have been widely successful. The effort and research required to execute a BEC scam may be greater than for other attacks; however, reports suggest that it is one of the most impactful cyber-attacks.

How Can Australian SMEs Protect Themselves from BEC Scams?

Some of the standard operating procedures that can be implemented and followed by Australian SMEs to stay safe are as follows:

  • Never ever process a payment without counter-checking the details with the recipient over the phone. 

  • Set up an internal communications system to counter-check the details of the recipient with the relevant authorities within the company.

  • Since the CEO or the founders of a business are most often impersonated in a BEC campaign, it is recommended that employees double-check whether the instructions are legitimate before acting upon them.

  • Deploy Red Piranha's Crystal Eye devices to guard your networks from spear phishing and other types of fraudulent attempts to wage a successful BEC campaign.  
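The procedures above rely on people noticing that a message claiming to come from an executive is not what it seems. The following triage check is an added example, not code from the original post or from Red Piranha's products. It shows the kind of automated screening a mail gateway or a finance mailbox rule can apply before a human is asked to call back: it flags display names that match an executive but arrive from a different address, Reply-To headers that redirect replies elsewhere, sender domains that are a character or two away from the company's own, failed SPF/DKIM results, and payment language in the text. The company domain `example-sme.com.au`, the executive directory, and both sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed internal domain and executive directory (constructed, not real).
COMPANY_DOMAIN = "example-sme.com.au"
EXECUTIVES = {"jane smith": "jane.smith@example-sme.com.au"}

# Words that commonly appear in payment-redirection requests.
PAYMENT_WORDS = re.compile(r"\b(wire|transfer|invoice|payment|bank account|urgent)\b", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains such as 'srne' for 'sme'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(raw_message: str) -> list[str]:
    """Return a list of BEC indicators found in one RFC 822 message (empty if none)."""
    msg = message_from_string(raw_message)
    findings = []

    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    from_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""

    # 1. Executive name on the From line, but not the executive's real mailbox.
    if display.strip().lower() in EXECUTIVES and addr != EXECUTIVES[display.strip().lower()]:
        findings.append("display name matches an executive but the address is not theirs")

    # 2. Replies silently routed to a different mailbox than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        findings.append("Reply-To differs from From")

    # 3. Sender domain is not ours but is only a character or two away from it.
    if from_domain and 0 < edit_distance(from_domain, COMPANY_DOMAIN) <= 2:
        findings.append("sender domain is a look-alike of the company domain")

    # 4. The receiving mail server already recorded an SPF or DKIM failure.
    auth = msg.get("Authentication-Results", "").lower()
    if "spf=fail" in auth or "dkim=fail" in auth:
        findings.append("SPF or DKIM failed")

    # 5. Payment or urgency language in the subject or body.
    body = msg.get_payload() if not msg.is_multipart() else ""
    if PAYMENT_WORDS.search(msg.get("Subject", "") + "\n" + str(body)):
        findings.append("payment or urgency language present")

    return findings


def is_suspicious(raw_message: str) -> bool:
    """Two or more independent indicators is enough to hold the message for a call-back check."""
    return len(triage(raw_message)) >= 2


# Constructed sample: an impersonation attempt with a look-alike domain.
SUSPECT = """From: Jane Smith <jane.smith@example-srne.com.au>
Reply-To: jane.smith.ceo@webmail-example.test
To: accounts@example-sme.com.au
Subject: Urgent wire transfer
Authentication-Results: mx.example-sme.com.au; spf=fail smtp.mailfrom=example-srne.com.au

Please process the attached invoice payment today. I am in a meeting, do not call.
"""

# Constructed sample: a genuine internal message from the same executive.
LEGIT = """From: Jane Smith <jane.smith@example-sme.com.au>
To: accounts@example-sme.com.au
Subject: Board papers
Authentication-Results: mx.example-sme.com.au; spf=pass; dkim=pass

Attached are the papers for Thursday.
"""

if __name__ == "__main__":
    for label, sample in (("suspect", SUSPECT), ("legit", LEGIT)):
        print(label, is_suspicious(sample), triage(sample))
```

The threshold of two indicators is deliberately conservative so that a single quirk (an executive replying from a personal address, say) does not block legitimate mail; anything held is passed to the phone verification step the procedures above already require, not silently dropped.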

Date Published: September 15, 2018