Business email compromise (BEC) is the most commonly reported cyber threat Australian businesses face. It is also one of the most effective.
In this article, we’ll explain what BEC is and identify 6 common signs of BEC attacks that you and your end users should watch out for.
What Is Business Email Compromise?
Business email compromise (BEC) is a form of phishing in which the adversary impersonates, or takes over, a trusted business contact such as a supplier, an executive or a colleague. The target is usually someone with access to financial accounts or sensitive data, and the aim is to trick them into transferring money, disclosing information, opening malware, or granting access.
BEC attacks are relatively easy to execute and highly effective – which is why they cost Australian businesses over $80 million in losses in FY22/23. Email compromise was also the most reported type of cyber attack on businesses, costing an average of $39,000 per attack and affecting small businesses the most.
Even if you already have good cyber security controls in place, BEC is probably your largest single risk, because it targets your people and your payment processes rather than a software flaw. In the rest of this article, we’ll walk through the BEC attacks that you and your end users should look out for.
Sign 1: Invoices From Unknown Suppliers
The most basic BEC attack is a fake invoice from a supplier you have never dealt with. The only things an adversary needs are surface-level information about your company (names and roles from your website or LinkedIn, the address your accounts team uses) and a plausible-looking sender address.
Generally, these emails are sent directly to the person/team that processes your finances – who, especially in larger organisations, may not know exactly what suppliers different personnel or departments work with.
Sign 2: Invoices for Work/Products Not Requested
False invoice scams are a staple BEC attack. An adversary poses as a legitimate supplier and sends you an invoice for work or products that haven’t been requested.
If you pay invoices and are directly involved in all day-to-day operations – which will only be the case if your business is very small – you’ll probably spot a false invoice scam quite easily.
But what about larger businesses? There are a few warning signs your team should watch for. If you have a purchase order (PO) system and receive an invoice that doesn’t match a PO number, don’t pay it.
If the invoice doesn’t line up with past invoice amounts and/or frequencies for that supplier, always double-check with the person or team that manages them.
And always look at the sender’s actual email address, not just the display name – has it changed in any way? Adversaries register lookalike domains that differ from the genuine one by a single character (a digit 1 for a lowercase l, a missing or doubled letter) or that swap a Latin letter for an identical-looking one from another alphabet such as Cyrillic or Greek. A domain containing non-Latin characters is transmitted in punycode, with the affected label beginning xn--, and that encoded form is what your mail filter actually sees. A sensible rule is therefore to quarantine senders whose domain contains an xn-- label or mixes scripts, unless you deal with international customers or suppliers who legitimately use such domains. The display name is not authenticated at all, so a message showing a supplier’s name with a free webmail address behind it deserves the same scrutiny.
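The checks described above can be automated at the mail gateway or in an accounts-team triage script. The Python below is an added example for this article, not a tool from the article or any vendor: it decodes punycode (xn--) domains, flags non-Latin or mixed-script characters, scores the sender domain’s edit distance from a list of known supplier domains, and catches display names that claim a known supplier while the address points elsewhere. The supplier allowlist and the From: headers are constructed for the demo.

```python
"""Flag lookalike sender addresses against domains your accounts team already knows.

Added example for this article; it is not a tool the article or any vendor ships.
The supplier allowlist and the From: headers below are constructed for the demo.
"""
import re
import unicodedata
from email.utils import parseaddr

# Constructed allowlist: domains of suppliers you actually deal with.
KNOWN_SUPPLIER_DOMAINS = {"acme-supplies.com.au", "northwind.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance, so 'acme-supp1ies' scores 1 edit from 'acme-supplies'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def to_unicode(domain: str) -> str:
    """Turn a punycode (xn--) domain back into the characters the user sees."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain


def scripts_used(text: str) -> set:
    """Unicode scripts present, taken from the first word of each letter's Unicode name."""
    return {unicodedata.name(c, "?").split(" ")[0] for c in text if c.isalpha()}


def check_sender(from_header: str) -> list:
    """Return the red flags for a From: header; an empty list means nothing was found."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain in KNOWN_SUPPLIER_DOMAINS:
        return []                       # exact match with a known supplier
    shown = to_unicode(domain)
    flags = []
    if domain.startswith("xn--") or ".xn--" in domain:
        flags.append(f"internationalised domain {domain} renders as {shown}")
    scripts = scripts_used(shown)
    if scripts and scripts != {"LATIN"}:
        flags.append(f"non-Latin or mixed-script characters: {sorted(scripts)}")
    for known in sorted(KNOWN_SUPPLIER_DOMAINS):
        d = levenshtein(shown, known)
        if 0 < d <= 2:
            flags.append(f"{shown} is {d} edit(s) away from known supplier {known}")
    # Display-name spoofing: the name claims a supplier but the address is elsewhere.
    squash = lambda s: re.sub(r"[^a-z0-9]", "", s.lower())
    brands = {squash(k.split(".")[0]) for k in KNOWN_SUPPLIER_DOMAINS}
    if any(b in squash(display) for b in brands):
        flags.append(f"display name '{display}' claims a known supplier but address is {addr}")
    return flags


# Constructed From: headers. The third is built with .encode("idna") so the sample
# carries the real wire form (xn--...) of a domain containing a Cyrillic 'е'.
SAMPLE_FROM_HEADERS = [
    "Acme Supplies Accounts <ar@acme-supplies.com.au>",                           # genuine
    "Acme Supplies Accounts <ar@acme-supp1ies.com.au>",                           # digit 1 for l
    "Accounts <ar@" + "acme-suppli\u0435s.com.au".encode("idna").decode() + ">",  # Cyrillic е
    "Northwind Billing <billing@gmail.com>",                                      # brand in name only
]

if __name__ == "__main__":
    for header in SAMPLE_FROM_HEADERS:
        print(header, "->", check_sender(header) or "OK")
```

The edit-distance threshold of 2 is deliberately tight: a real supplier domain and a lookalike are almost always one substitution, insertion or deletion apart, and a looser threshold produces noise on short domains.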
Sign 3: Bank Account Changes
The most effective BEC attacks involve an adversary gaining access to a supplier’s real mailbox, monitoring communications, then issuing a genuine-looking invoice that carries the adversary’s own bank details.
You, as the customer, are expecting the invoice – the only change is that your payment will go to the adversary, not your supplier.
In some cases, an adversary will even wait for a supplier to send their invoice, intercept that email, modify the details, and then pass it on to you.
Everyone believes the invoice has been issued correctly, which makes identifying the attack incredibly challenging.
(Bank account changes can occur even if your suppliers send invoices from an accounting service like Xero. Most platforms offer multi-factor authentication, including number-matching push approvals, but adversary-in-the-middle phishing kits such as Evilginx2 proxy the real login page, let the victim complete MFA, and capture the session cookie the service issues afterwards. With that cookie the adversary is logged in without ever touching the authenticator app, and can issue modified invoices from the genuine account. Only phishing-resistant MFA such as FIDO2 security keys or passkeys, which bind the login to the real site’s origin, defeats this.)
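The invoice checks from Sign 2 (purchase-order match, amount out of line with history) and Sign 3 (bank details that differ from what is on file) are the kind of thing an accounts-payable workflow should enforce before anything is auto-paid. The Python below is an added example for this article, not a feature of Xero or any other product named here; the supplier master record, open purchase orders and sample invoices are constructed. The important design point is that a changed BSB or account number is never cleared from the email itself, only by phoning a number already on file.

```python
"""Hold an incoming invoice when it does not match what the business expects.

Added example for this article, not a feature of any accounting product named in it.
The supplier master record, open purchase orders and sample invoices are constructed.
"""
from dataclasses import dataclass, field
from statistics import mean
from typing import List, Optional


@dataclass
class Supplier:
    name: str
    bsb: str                 # bank details held in the supplier master, not on the invoice
    account: str
    sender_domain: str
    past_amounts: List[float] = field(default_factory=list)


@dataclass
class Invoice:
    supplier_name: str
    po_number: Optional[str]
    amount: float
    bsb: str
    account: str
    sender_domain: str


# Constructed supplier master (in practice this comes from your ERP/accounting system).
SUPPLIERS = {
    "Acme Supplies": Supplier("Acme Supplies", "062-000", "12345678",
                              "acme-supplies.com.au", [1200.0, 1180.0, 1250.0, 1190.0]),
}
# Constructed open purchase orders: PO number -> (supplier, approved amount).
OPEN_POS = {"PO-2024-0187": ("Acme Supplies", 1210.0)}


def review_invoice(inv: Invoice, suppliers=SUPPLIERS, open_pos=OPEN_POS) -> List[str]:
    """Return the reasons an invoice must not be auto-paid; an empty list means it passed."""
    holds = []
    sup = suppliers.get(inv.supplier_name)
    if sup is None:                                                      # Sign 1
        return ["unknown supplier: confirm who engaged them before anything is paid"]
    if inv.sender_domain != sup.sender_domain:
        holds.append(f"sent from {inv.sender_domain}; supplier on file uses {sup.sender_domain}")
    if inv.po_number is None or inv.po_number not in open_pos:           # Sign 2
        holds.append("no matching open purchase order")
    else:
        po_supplier, po_amount = open_pos[inv.po_number]
        if po_supplier != inv.supplier_name:
            holds.append(f"{inv.po_number} was raised for {po_supplier}, not {inv.supplier_name}")
        elif abs(inv.amount - po_amount) > 0.01 * po_amount:
            holds.append(f"amount {inv.amount:.2f} differs from PO amount {po_amount:.2f}")
    if sup.past_amounts and inv.amount > 1.5 * mean(sup.past_amounts):    # Sign 2
        holds.append(f"amount {inv.amount:.2f} is well above this supplier's usual "
                     f"~{mean(sup.past_amounts):.2f}")
    if (inv.bsb, inv.account) != (sup.bsb, sup.account):                  # Sign 3
        holds.append("bank details differ from the supplier master: confirm by phone on the "
                     "number already on file, never on a number printed in the email")
    return holds


# Constructed invoices covering the genuine case and each warning sign.
SAMPLE_INVOICES = {
    "genuine":      Invoice("Acme Supplies", "PO-2024-0187", 1210.0, "062-000", "12345678", "acme-supplies.com.au"),
    "changed_bank": Invoice("Acme Supplies", "PO-2024-0187", 1210.0, "013-999", "87654321", "acme-supplies.com.au"),
    "no_po":        Invoice("Acme Supplies", None, 4800.0, "062-000", "12345678", "acme-supplies.com.au"),
    "unknown":      Invoice("Globex Consulting", None, 950.0, "083-111", "11112222", "globex-consult.com"),
}

if __name__ == "__main__":
    for label, inv in SAMPLE_INVOICES.items():
        print(label, "->", review_invoice(inv) or "OK to pay")
```

The 1% PO tolerance and the 1.5x history threshold are placeholders; tune them to your own invoice volumes, and treat the bank-detail hold as non-negotiable regardless of amount.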
Sign 4: Known Contacts Sending Unusual Attachments
An adversary’s goal isn’t always to commit invoice fraud. Sometimes, they’ll want to establish a foothold in your network – or spread malware that does that for them.
One of the easiest ways for them to do that is to gain access to an individual’s mailbox, then send emails to that person’s contacts (inside or outside their organisation) containing malicious attachments or links.
OneDrive, OneNote, Dropbox and Google Drive files are all popular vectors because they seem legitimate. End users can see previews of the file in their email, already trust the sender of the email, and may regularly exchange files and links with that person.
Watch out for contacts sending unusual attachments that you aren’t expecting – especially if the email doesn’t sound like it was written by them.
Sign 5: Authority, Urgency, Freebies and Fear
Let’s say you’ve done all the right things. You’ve set up your firewall and quarantine rules, your accounts team have robust procedures in place, and your end users have a basic level of cyber awareness.
What happens when a BEC attack gets through your first few layers of defences anyway? How can you spot it?
The key: look out for psychological red flags. BEC attacks are, ultimately, exercises in social engineering. Adversaries will work to exploit the biggest vulnerability your IT environment has – your people. The 4 major red flags are:
- emails that come from authority figures like executives or HR (such as a request to review an attached document, make an unexpected payment, or fill out a survey)
- emails that are designed to invoke urgency (such as a high-priority request sent late Friday or a reminder to jump on a video call that starts in 5 minutes)
- emails that offer freebies or discounts (such as free gift cards from management or half-price coffee at the on-site cafeteria)
- emails that deliberately induce fear (such as a threat of legal action for non-payment of an invoice).
Sign 6: Unexpected Emails
Some of the most effective BEC attacks are the simplest. For example, an adversary might impersonate a well-known company in your sector and send out a marketing email (such as a promotion or newsletter) that perfectly mimics that company’s normal communications.
Your end users haven’t signed up for those email communications, so they click the ‘Unsubscribe’ button at the bottom of that email – but that link actually leads to an attacker-controlled page.
Another possibility: a BEC attack could appear to be a system notification from a piece of software your team uses. It might be an exact replica of the standard notification, except that the link users would normally click to action it now points at an attacker-controlled copy of the login page.
An adversary could even send a suspicious email and then include a legitimate-looking ‘Report This Email’ link at the bottom, which your users – having been trained to do the right thing and flag all phishing attempts – mistakenly click.
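All three of these tricks share one tell: a link whose visible text or context points at the brand you expect while its href goes somewhere else. The Python below is an added example for this article, not a tool from the article or any product it names. It parses the anchors out of an HTML email and reports two things: link text that shows one host while the href goes to a different one, and links in a product notification that leave the product’s own domains (an ‘Unsubscribe’ or ‘Report this email’ link included). The notification email and the hypothetical product domain ticketflow.example are constructed; the registrable-domain helper is a deliberate simplification of the public suffix list.

```python
"""Find links in an HTML email that go somewhere other than where they appear to.

Added example for this article; not a tool from the article or any product it names.
The notification email below and the product's expected domains are constructed.
"""
import re
from html.parser import HTMLParser
from typing import List, Set, Tuple
from urllib.parse import urlparse

# Link text that itself looks like a URL or bare domain, e.g. "https://app.x.example/login".
URL_LIKE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the document."""

    def __init__(self):
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registrable(host: str) -> str:
    """Crude registrable domain: last two labels, or three for com.au-style suffixes.
    This is an assumption for the demo; use a public suffix list in production."""
    parts = host.lower().split(".")
    if len(parts) >= 3 and parts[-2] in {"com", "net", "org", "gov", "edu"} and len(parts[-1]) == 2:
        return ".".join(parts[-3:])
    return ".".join(parts[-2:])


def suspicious_links(html: str, expected_domains: Set[str]) -> List[str]:
    """Flag links whose visible text names one host but whose href goes to another,
    and links in a product notification that leave the product's own domains."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if not host:                      # mailto:, anchors, relative links: nothing to check
            continue
        m = URL_LIKE.match(text)
        shown_host = m.group(1).lower() if m else ""
        if shown_host and registrable(shown_host) != registrable(host):
            findings.append(f"text shows {shown_host} but the link goes to {host}")
        elif registrable(host) not in expected_domains:
            findings.append(f"'{text or href}' goes to {host}, outside {sorted(expected_domains)}")
    return findings


# Constructed notification from a hypothetical helpdesk product, with three bad links.
EXPECTED_DOMAINS = {"ticketflow.example"}
SAMPLE_EMAIL = """
<p>Ticket #4821 has been assigned to you.</p>
<a href="https://app.ticketflow.example/tickets/4821">View ticket</a><br>
<a href="https://ticketflow-login.example-cdn.net/auth">https://app.ticketflow.example/login</a><br>
<a href="mailto:support@ticketflow.example">Contact support</a><br>
<a href="https://mail-prefs.example.org/u?id=7">Unsubscribe</a> |
<a href="https://report-phish.example.net/r?id=7">Report this email</a>
"""

if __name__ == "__main__":
    for finding in suspicious_links(SAMPLE_EMAIL, EXPECTED_DOMAINS):
        print("SUSPICIOUS:", finding)
```

Genuine marketing mail often routes links through a tracking domain, so the second check will need an allowlist of your vendors’ known link-tracking hosts before it is quiet enough to act on automatically; the text-versus-href mismatch, by contrast, is almost never legitimate.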
Next Steps
Knowing what the signs of a BEC attack can look like isn’t enough. You also need to develop defence in depth – that is, combine and layer different countermeasures: anti-phishing filtering and email authentication (SPF, DKIM and DMARC with an enforcing policy, so messages forging your own domain are rejected), clear SOPs for accounts staff such as out-of-band verification of any bank detail change, and ongoing cyber awareness training for end users.
Because, ultimately, your organisation will be exposed to BEC attacks. Whether they cost you tens of thousands of dollars or are quietly flagged as spam depends entirely on how effective your security posture is.
We’ve helped more than 500 businesses across Australia harden their emails and train end users. If you’re concerned that your BEC defences might be less than ideal, get in touch with us to find out more about how we can help.