Understanding business email scams

Payment scams conducted via email costs small and large Australian businesses hundreds of millions of dollars a year.

As the processing speed of transactions increases, the ability to freeze and recover misdirected payments is diminishing. That means we all need to be more vigilant.

The most common types of email payment scams

High-end email payment scams that target business differ significantly from regular plain-text email scams that may contain common signs like spelling mistakes or poor formatting. Instead, business email scams can be highly sophisticated and targeted.

Sophisticated scammers will seek to tailor their message to the target, most commonly imitating either a supplier known to the business, or a trusted figure in the organisation (such as the CEO, a boss or another senior executive).

Supplier payment scams purport to be from a legitimate supplier, using the legitimate branding and knowledge gleaned from research about both the supplier and the target. The most successful scam emails look exactly like a regular invoice, a payment request or a request to change account details.

Scams from ‘trusted colleagues’ will contain a fraudulent payment request, generally claiming to be ‘urgent’ and/or ‘confidential’. The scammer will place emphasis on ignoring standard payment procedures and bypassing the regular authorisations. These emails may be accompanied by phone calls or physical mail to appear more legitimate or urgent.

How do email payment scams work?

Email payment scams involve scammers using technology to impersonate a party in the transaction, or directly compromising the business’ email accounts.

Impersonation tactics

A common way this is achieved is by 'spoofing' an email address, which is where the attacker takes advantage of design flaws in email that allow the 'from' field to be modified so that the payment request appears to be originating from a trusted source.

Another impersonation technique – a ‘homoglyph attack’ – is where an attacker uses an email domain that's very similar to the legitimate sender, differing only by a few similar looking characters (e.g. conmbank.com.au instead of commbank.com.au).

Some of these attacks are tricky to detect and are not automatically flagged as suspicious by email providers or filters – meaning these highly effective scams often end up in the inboxes of unsuspecting victims.

Email compromise

Business email compromise involves scammers hacking into an email account to perform reconnaissance, intercept and redirect a legitimate payment email or create a new falsified payment email.

This compromise is becoming increasingly prevalent as businesses transition to cloud-based services, since compromise is simply a stolen username and password away.

The initial compromise can be achieved through two main methods:

• Credential phishing is when a member of staff has been tricked into entering their username and password into a fake login page. Those details are then stolen and used to log on to the system instead of the legitimate employee.
• Credential stuffing is when attackers use credentials stolen in previous breaches of other online service providers, relying on the fact that people generally re-use the same password across services.

Once access has been gained, attackers can be patient monitoring ongoing email correspondence, often waiting several months for the right opportunity. 

Attackers will usually intercept and tamper with an existing payment request email or invoice, or initiate a new payment request to a trusted colleague/supplier based on previous legitimate email correspondence.

Since these emails come from the legitimate email account, and closely mimic regular correspondence, they are near impossible to detect by email providers and are highly successful against their victims.

So, what can you do to protect your business?

All staff, business partners and processes need to assume that any email can be forged in some way. You can mitigate the risk of email payment fraud by focusing on three key areas:

1. People are the first line of defence when it comes to payment scams. The most targeted individuals in an organisation are the CFO and the payments team, but the whole organisation needs to play an active role. Ensure your staff are encouraged to question and escalate payment requests that look suspicious or unusual. Ensure staff have a high level of basic cyber security hygiene, such as strong passwords and awareness of phishing scams.
2. Processes play an important role in preventing payment scams. Large payments or changes to beneficiary details should be verified by calling a trusted number. No single person should be responsible for making payments, so adopt strict separation of duties, using multiple authorities to make and approve payments or changes to beneficiary details. CommBiz customers can implement segregation of duties by creating separate roles for entering and approving payments.
3. With respect to technology, access to online services (like email or accounting platforms) should require multifactor authentication (MFA) – typically an additional code from your phone or dongle required to login to a website on top of your password.
   Contact your IT provider to determine if they can implement anti-spoofing techniques such as Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting & Conformance (DMARC) protocol. It’s a good idea to implement technology controls gradually so that legitimate emails aren't blocked due to misconfigurations.
   Promptly installing software updates, enabling software auto-updates and installing a reputable antivirus program helps reduce the impact of malicious software designed to tamper with online banking payments.

What to do if something goes wrong

The quicker you respond, the more likely that your funds can be recovered.

For CommBiz customers, if you suspect you've made a payment in error:

1. Call CommBiz helpdesk immediately on 13 2339
2. Contact your account manager, and
3. Contact law enforcement.