Sydney hospital loses $2 million in alleged BEC fraud
A Sydney hospital lost $2M in a BEC scam. Learn how to protect your business with MFA, email authentication, and robust financial controls.
The Australian Competition and Consumer Commission (ACCC) is urgently sounding the alarm about a major rise in business email compromise (BEC) attacks. These attacks weaponise compromised email accounts to impersonate trusted senders and trick the target into making fraudulent payments, giving up sensitive info or downloading malware. Since they’re often the ones authorising business payments, accounts payable (AP) teams are common targets.
The growing threat has prompted the ACCC to release a guide for protecting yourself, including the need for training and awareness. By spotting a BEC attempt, you could save your business thousands in both direct and indirect costs. According to the Australian Cyber Security Centre (ACSC), the average loss per successful BEC has increased to over $64,000.
So let’s take a look at how to spot one of these attacks.
One of the first things to check in a suspected spoofed email is the sender’s email address. Depending on which email provider you’re using, the client may show only the sender’s display name, for example the person’s name or initials as a display picture, rather than the full address.
If you suspect a fake email, always look carefully at the actual email address and the domain name, not just the sender’s display name. In the fake email below, the sender appears as “Mel Adams”, but the domain name has been misspelt with an extra “l”. Many people would not notice this at first glance.
However, when you check carefully, the domain name is a clear red flag.
[Image: example of a spoofed email with a misspelt sender domain. Source: Pratum]
It’s important to note that attackers are getting more sophisticated, though. Even if you recognise and trust an email address, a malicious actor might have compromised the inbox of your supplier or contact (more on this in step #3).
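As an added illustration of the domain check described above (example code, not Eftsure’s own), the following Python function compares a sender’s domain against a list of trusted vendor domains and flags near-misses such as an extra letter or a swapped character. The vendor domains and sample addresses are constructed for the example.

```python
"""Flag sender domains that are near-misses of trusted vendor domains.

Added example, not Eftsure's code. The trusted domains and the sample
addresses below are constructed for illustration.
"""

# Hypothetical allow-list of domains your AP team normally deals with.
TRUSTED_DOMAINS = {"examplevendor.com", "hospital-supplies.example"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits to turn a into b."""
    prev = list(range(len(b) + 1))          # row for the empty prefix of a
    for i, ca in enumerate(a, 1):
        cur = [i]                           # deleting all of a's prefix
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,         # delete ca
                           cur[j - 1] + 1,      # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Extract the lower-cased domain from 'Name <user@domain>' or 'user@domain'."""
    return address.rsplit("@", 1)[-1].strip().rstrip(">").lower()


def classify_sender(address: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike of <domain>' or 'unknown' for a sender."""
    domain = sender_domain(address)
    if domain in trusted:
        return "trusted"
    for good in trusted:
        # Distance 1 catches an added/removed/replaced letter ("vendorl", "vend0r");
        # distance 2 also catches confusable pairs such as "rn" standing in for "m".
        if 0 < edit_distance(domain, good) <= 2:
            return f"lookalike of {good}"
    return "unknown"


if __name__ == "__main__":
    for addr in ("Mel Adams <mel.adams@examplevendorl.com>",
                 "accounts@examplevendor.com",
                 "billing@exarnplevendor.com",
                 "someone@gmail.com"):
        print(f"{addr:45} -> {classify_sender(addr)}")
```

A real mail gateway would combine this with authentication results (SPF, DKIM, DMARC); the distance threshold should be tuned so short domains do not produce false positives.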
Another red flag is emails that contain malicious links or attachments. In the image above, highlighted and underlined text usually indicates a link. In this case, “Review your quarantined messages here” contains a suspicious link.
By clicking on a malicious link, you may be downloading a virus, trojan or any other type of malware that can compromise your computer or network. These tactics are potent because they can look so much like the usual links and attachments you might receive from colleagues.
That’s why it’s generally best practice not to click on links or attachments in an email. Your default assumption should be that an email with links or attachments needs a closer look, unless it’s a message you’re already expecting to receive.
Even when emails come from recognised senders, you still need to be careful. Sometimes the call is coming from inside the house.
In an email account compromise (EAC), attackers gain access to the accounts of trusted colleagues or vendors. They often investigate and research their targets, then build a sophisticated plan to defraud your organisation through legitimate email threads.
In this case, the attackers have taken over Michael Adams’ email account and have planted their attack. One way to confirm if the email is genuine is to verify with the sender by using other communication methods like phone calls or video calls.
To create a sense of urgency, cyber-criminals may send suspicious emails at times when you least expect it. For example, attackers may send you scheduled emails during:
When a scammer has infiltrated your employer’s email system, they’re far more likely to understand when to send you a timely response. They’re hoping to catch you off guard, when you least suspect an attack or are less likely to spend time verifying the email.
Whenever you see an email calling for immediate action, take a moment to pause and read the email carefully. If the email is unusual, follow up with a phone call to ensure the request is genuine.
[Image: example of an urgent-sounding BEC email. Source: Microsoft]
Along with the timing of the email, the contents of the email are just as important. Here are a few examples a BEC attacker may use in a phishing message:
Scammers are known to play psychological tricks on your AP team by sending messages that play on:
In a business email compromise, the goal of the scammer is to obtain financial information from their victims by defrauding your organisation. BEC scams typically use subject lines or emails that imply urgency regarding payment inquiries or fund transfers – for example, “payment – important” or “quick request.”
They may impersonate your CEO or CFO and ask you to pay an invoice into a different bank account, or to pay a vendor’s bank account that the attacker has compromised, collecting the money once the funds have been transferred.
In unfortunate cases, successful BEC or phishing attacks can lead to a loss of sensitive information, including credit card details and other personal information. This gives the attacker the ability to commit further fraudulent activities, such as selling personal information on the dark web, similar to the recent Optus data breach.
Identifying warning signs in an email from an attempted BEC attack could save you thousands of dollars.
By incorporating security awareness training and simulated BEC attacks, your AP staff become more comfortable spotting phishing emails that use all sorts of malicious techniques. This training is necessary because, to an untrained eye, a phishing email can look like a genuine email from a vendor or senior executive.
However, by integrating Eftsure into your accounts payable function, you’ll add a layer of risk mitigation. Whether a BEC incident has occurred within your organisation or a partner organisation, Eftsure can minimise your chances of experiencing some of the most damaging consequences of a successful attack – that is, fraudulent payments.
Our solution is designed to alert your AP team in real-time that payments are verified, using easy-to-understand, user-friendly alerts on your online payments screen. Our alert system will confirm whether you’re paying the right BSB and account number or if there needs to be further verification.
Contact Eftsure today for a full demonstration of how we can help minimise the risk of a BEC attack or download our incident response guide to learn more.