
Sydney hospital loses $2 million in alleged BEC fraud

Catherine Chipeta

A hospital in Sydney, NSW has allegedly fallen victim to a business email compromise (BEC) fraud, reportedly losing $2 million in September 2024.

The home of a 49-year-old man in Yagoona, in Western Sydney, was raided by police in connection with multiple instances of BEC fraud targeting the unnamed hospital in Burwood. The man was arrested, charged with recklessly dealing with proceeds of crime of more than $5000, and was refused bail.

This incident is the latest in a long line of BEC frauds, which the Australian Competition and Consumer Commission (ACCC) says cost Australian businesses ‘significantly more money’ in 2023 than in the two previous years.

What is BEC?

BEC scams are a form of targeted phishing, also known as spear phishing. Scammers send emails pretending to be representatives of a business, use compromised email accounts of employees, or alter the payment details on invoices.

This is known as invoice fraud, or payment redirection. If the bank details aren’t verified by the business paying the invoice, the money may be transferred into the scammer’s bank account, and quickly moved offshore, making recovery extremely challenging.

The ACCC Deputy Chair, Catriona Lowe, said scammers were ‘becoming more targeted’ in how they approached Australians with fake invoices.

“This scam is hard to detect because the scammer will either hack into the email system of the business or impersonate the business’ email address by changing as little as one letter,” she said.

How to reduce the risk of BEC scams

There are a number of ways you can help reduce the risk of you or your business falling victim to a BEC scam. These include:

Turning on multi-factor authentication (MFA)

MFA requires people to authenticate themselves before accessing your business email and other systems. By enabling MFA, you can reduce the risk of unauthorised access, making it more challenging for scammers to get into your systems and then send emails purportedly from your organisation.

Registering similar domain names

Sometimes, BEC scams are carried out from domain names that are very similar to your own. For example, if your business is called Bob’s Computer Repairs and uses the domain bobscomputerrepairs.com.au, a scammer might register bobscomputerrepair.com.au and send fake invoices to your clients from that domain. Other alterations to consider include adding a word (e.g. online), a hyphen (bobs-computer-repairs) or a small typo (bobscomputerepairs). By registering similar domains yourself, you minimise the risk of a scammer doing so.
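The variations described above can be generated and checked mechanically. The following is an added example, not code from the article or from Eftsure: it builds the lookalike forms named above for a legitimate domain (so they can be registered or watched) and classifies the sender domain of an incoming invoice against them, treating anything within one character edit of the real name as a lookalike, in line with the ACCC's point that a scammer may change as little as one letter. The business name, word boundaries and added words are assumptions taken from the article's fictional example.

```python
"""Lookalike-domain generation and inbound sender screening.

Added example, not from the article or Eftsure. All domains below are
constructed from the article's fictional business.
"""

# Constructed sample: the article's fictional business.
OUR_DOMAIN = "bobscomputerrepairs.com.au"
# Assumed word boundaries, needed to build the hyphenated variant.
OUR_WORDS = ["bobs", "computer", "repairs"]
# Words a scammer might append or prepend (assumption; extend as needed).
EXTRA_WORDS = ["online", "au", "payments", "accounts"]


def split_domain(domain):
    """'bobscomputerrepairs.com.au' -> ('bobscomputerrepairs', 'com.au')."""
    domain = domain.strip().lower().rstrip(".")
    label, _, suffix = domain.partition(".")
    return label, suffix


def edit_distance(a, b):
    """Damerau-Levenshtein distance: insert, delete, substitute, transpose."""
    prev2 = None
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # adjacent swap
        prev2, prev = prev, cur
    return prev[len(b)]


def candidates_to_register(domain=OUR_DOMAIN, words=OUR_WORDS):
    """Lookalike domains worth registering or monitoring."""
    label, suffix = split_domain(domain)
    labels = set()
    for i in range(len(label)):                      # one dropped letter
        labels.add(label[:i] + label[i + 1:])
    for i in range(len(label) - 1):                  # two letters swapped
        labels.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    labels.add("-".join(words))                      # hyphenated words
    for w in EXTRA_WORDS:                            # an added word
        labels.add(label + w)
        labels.add(w + label)
    labels.discard(label)
    return {f"{l}.{suffix}" for l in labels}


def classify_sender(sender_domain, our_domain=OUR_DOMAIN):
    """Return 'ours', 'lookalike' or 'other' for an invoice sender domain."""
    our_label, our_suffix = split_domain(our_domain)
    label, suffix = split_domain(sender_domain)
    if label == our_label and suffix == our_suffix:
        return "ours"
    if label == our_label:                           # same name, other TLD
        return "lookalike"
    if label.replace("-", "") == our_label:          # hyphenated
        return "lookalike"
    if our_label in label:                           # added word
        return "lookalike"
    if edit_distance(label, our_label) <= 1:         # one-letter change
        return "lookalike"
    return "other"


def screen_senders(senders):
    """Classify each sender domain in a batch of invoice emails."""
    return {s: classify_sender(s) for s in senders}


if __name__ == "__main__":
    # Constructed sender domains seen on incoming invoices.
    sample = ["bobscomputerrepairs.com.au", "bobscomputerrepair.com.au",
              "bobs-computer-repairs.com.au", "bobscomputerepairs.com.au",
              "bobscomputerrepairsonline.com.au", "example.org"]
    for sender, verdict in screen_senders(sample).items():
        print(f"{verdict:9} {sender}")
    print(len(candidates_to_register()), "candidate domains to register")
```

The substring test for an added word is deliberately broad: a sender such as accounts-bobscomputerrepairs.com.au should be held for review rather than slip through, and a human can clear false positives far more cheaply than a redirected payment can be recovered.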

Setting up email authentication protocols

Email authentication protocols help prevent someone from ‘spoofing’ your email address. Speak to your email provider about adding Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC) records to your domain name. If your DNS hosting is with a separate provider, you will need to contact them as well.
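Having the records published is only half the job; a DMARC record set to monitor-only or an SPF record that ends in a neutral qualifier gives little protection. The following is an added example, not code from the article or any email provider: it takes SPF and DMARC TXT record strings (constructed here for a placeholder domain, so it runs offline; in practice you would fetch the TXT records for your domain and for `_dmarc.yourdomain`) and reports the weak settings a defender would want fixed, showing a weak pair of records beside a hardened pair. DKIM is published per selector and is not parsed here.

```python
"""Offline weak-setting check for SPF and DMARC TXT records.

Added example, not from the article or any provider. The records are
constructed strings for the placeholder domain example.test.
"""

# Constructed records: a weak pair and a hardened pair for the same domain.
SAMPLE_RECORDS = {
    "weak": {
        "spf": "v=spf1 include:_spf.mailer.example.test ?all",
        "dmarc": "v=DMARC1; p=none",
    },
    "hardened": {
        "spf": "v=spf1 mx include:_spf.mailer.example.test -all",
        "dmarc": ("v=DMARC1; p=reject; sp=reject; pct=100; "
                  "rua=mailto:dmarc-reports@example.test; adkim=s; aspf=s"),
    },
}

# SPF terms that each cost a DNS lookup (RFC 7208 allows at most 10).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_dmarc(record):
    """'v=DMARC1; p=reject; rua=...' -> {'v': 'DMARC1', 'p': 'reject', ...}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record):
    """Return a list of findings for an SPF record ('' means no record)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: no record, or not version spf1"]
    findings = []
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("SPF: '+all' authorises any sender; use '-all'")
    elif last == "?all":
        findings.append("SPF: '?all' is neutral, so spoofed mail is not rejected; use '-all'")
    elif last == "~all":
        findings.append("SPF: '~all' only soft-fails; move to '-all' once all senders are listed")
    elif last != "-all":
        findings.append("SPF: record does not end with an 'all' mechanism")
    lookups = 0
    for term in terms[1:]:
        name = term.lstrip("+-~?").split(":")[0].split("=")[0].lower()
        if name in LOOKUP_TERMS:
            lookups += 1
    if lookups > 10:
        findings.append(f"SPF: {lookups} DNS-lookup terms exceeds the limit of 10; record will permerror")
    return findings


def assess_dmarc(record):
    """Return a list of findings for a DMARC record ('' means no record)."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: no record, or not version DMARC1"]
    findings = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif tags.get("sp", policy).lower() == "none":
        findings.append("DMARC: sp=none leaves subdomains unenforced")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC: pct={tags['pct']} applies the policy to only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address, so you receive no aggregate reports")
    return findings


def assess_domain(spf, dmarc):
    """Combined findings for a domain's SPF and DMARC records."""
    return assess_spf(spf) + assess_dmarc(dmarc)


if __name__ == "__main__":
    for name, records in SAMPLE_RECORDS.items():
        print(f"== {name} ==")
        for finding in assess_domain(**records) or ["no findings"]:
            print(" -", finding)
```

The move from p=none to p=reject should be staged: publish with p=none and an rua address first, read the aggregate reports to confirm every legitimate sending service passes SPF or DKIM alignment, then tighten to quarantine and finally reject, otherwise genuine invoices from your own systems get blocked.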

Having robust policies and procedures in place

As well as minimising the risk of your emails being compromised, it’s also important to have policies and procedures in place to prevent your business from paying a fake invoice. After all, if you’ve paid a fake invoice, where does the liability lie? Ensure protocols are in place to check bank account details before making a first payment to a new account. Solutions such as Eftsure can help here.
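The control above can be written down as a release rule so that it is applied every time rather than remembered. The following is an added example, not the article's or Eftsure's own product logic: a payment is released only if the account on the invoice matches the supplier master file and that account has a recorded out-of-band verification (a callback to the phone number already on file, never a number printed on the invoice) dated after the account was last changed. Supplier names, account numbers and dates are constructed.

```python
"""Payment release control: no first payment to an unverified account.

Added example, not from the article or Eftsure. All supplier data,
account numbers and dates below are constructed.
"""

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class BankAccount:
    bsb: str
    number: str


@dataclass
class Supplier:
    supplier_id: str
    name: str
    account: BankAccount        # as held in the supplier master file
    account_changed_on: date    # when the master file entry last changed
    phone_on_file: str          # number used for callbacks, set at onboarding


@dataclass
class Verification:
    supplier_id: str
    account: BankAccount
    verified_on: date
    method: str                 # only "callback" counts as out-of-band


@dataclass
class Payment:
    supplier_id: str
    account: BankAccount        # account as stated on the invoice
    amount: float
    requested_on: date


def decide(payment, suppliers, verifications):
    """Return ('RELEASE' | 'HOLD', reason) for a payment request."""
    supplier = suppliers.get(payment.supplier_id)
    if supplier is None:
        return "HOLD", "unknown supplier; onboard and verify before paying"
    if payment.account != supplier.account:
        return ("HOLD", "invoice account differs from master file; confirm by "
                        "callback to the phone number on file before updating")
    confirmed = any(
        v.supplier_id == supplier.supplier_id
        and v.account == payment.account
        and v.method == "callback"
        and v.verified_on >= supplier.account_changed_on
        for v in verifications
    )
    if not confirmed:
        return ("HOLD", "first payment to this account: no callback verification "
                        "recorded since the account was last changed")
    return "RELEASE", "account matches master file and was verified by callback"


# Constructed master file and verification log.
SUPPLIERS = {
    "SUP-001": Supplier("SUP-001", "Example Conveyancing", BankAccount("012-345", "12345678"),
                        date(2024, 7, 15), "+61 2 0000 0000"),
    "SUP-002": Supplier("SUP-002", "Example Medical Supplies", BankAccount("098-765", "87654321"),
                        date(2024, 8, 20), "+61 2 0000 0001"),
}
VERIFICATIONS = [
    Verification("SUP-001", BankAccount("012-345", "12345678"), date(2024, 8, 1), "callback"),
    # Stale: recorded before SUP-002's account was changed on 2024-08-20.
    Verification("SUP-002", BankAccount("098-765", "87654321"), date(2024, 8, 1), "callback"),
]


def run_sample():
    """Decide three constructed payment requests; returns the decisions."""
    requests = [
        Payment("SUP-001", BankAccount("012-345", "12345678"), 15000.0, date(2024, 9, 2)),
        Payment("SUP-001", BankAccount("012-345", "99999999"), 15000.0, date(2024, 9, 2)),
        Payment("SUP-002", BankAccount("098-765", "87654321"), 4200.0, date(2024, 9, 2)),
    ]
    return [decide(p, SUPPLIERS, VERIFICATIONS) for p in requests]


if __name__ == "__main__":
    for decision, reason in run_sample():
        print(f"{decision}: {reason}")
```

The stale-verification case matters: a scammer who has compromised a supplier's mailbox will send a "we have changed banks" notice first and the invoice second, so a verification performed before the master file was updated must not be allowed to release a payment to the new account.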

The need for continual training

The majority of scams rely on human error to succeed, which is why continual education and training are important, so your people know the right signs to look for. From BECs to deepfakes, scammers are using an array of techniques and tactics to steal from individuals and businesses, and it’s essential that everyone in your organisation is aware of the risks they face online.

Recovering money lost through BEC scams

It can be incredibly difficult to recover money lost through BEC scams. Even so, it’s vitally important to report any cyber crime to ReportCyber as soon as possible.

Last month, as part of Cyber Security Awareness Month, the Australian Federal Police (AFP) shared how the AFP-led Joint Policing Cybercrime Coordination Centre was able to recover $777,000 after a South Australian woman unwittingly transferred $813,000 to a fraudulent bank account.

The woman believed she was paying a conveyancer’s account as part of the purchase of a new home, but had in fact fallen victim to a BEC scam.
