Financial losses caused by fraudulent requests for payment sent by email now count among the most realised cyber risks to Australian businesses.
“In Australia, reports of losses from payment fraud have grown in recent years,” shares Martha McKeen, Cyber Outreach Senior Manager at CommBank. “There has been a rise in the number of Australian businesses reporting payments made to attackers after a compromise of their email account or that of an entity they do business with.”
Attackers capitalising on lack of awareness
Email payment fraud, also known as business email compromise, is a low cost option that allows attackers to gain access to business email accounts and perpetrate social engineering scams that trick victims into unwittingly giving away their credentials (usernames and passwords). It capitalises on a lack of awareness among staff of key indicators of fraudulent emails and insufficient technical controls.
Credentials (usernames and passwords) are typically stolen in one of two ways: via phishing campaigns or via data breaches of other online services. In both cases, attackers rely on fundamental human flaws. “When an email commands a sense of urgency or purports to come from a person or entity of authority, users often feel pressured to comply with a request without checking the authenticity of the email itself, its sender or the links contained within,” Martha says. “And because we often struggle to manage sets of credentials across many accounts, we often create weak passwords and re-use passwords across multiple online services. Both of these habits can get us in a lot of trouble.”
As a result, today, there are several billion pairs of previously stolen credentials available to attackers on the black market, with fresh streams of credentials offered up for sale at low prices on a routine basis.
Reconnaissance and tampering with transactions
A key risk for Australian organisations, business email compromise occurs when attackers gain unauthorised access to an email account with the intention of intercepting and modifying legitimate communications between two parties.
Ideally they are looking for large value payments between two companies, but they have also been known to tamper with payment details for other large transactions between individuals and small businesses, such as property settlements.
“Attackers will search inboxes for evidence of invoices or other messages that relate to processing large payments, and set auto-forwarding rules to send future emails to their inbox to continue to monitor communications,” says Martha. “They can then intercept requests for payment, change recipient details and send them on to the intended recipient, or make a new request for payment using existing supplier invoices as a template.”
Identifying suspicious payment requests
Martha warns that attackers can undertake considerable research about victims and their business relationships in order to forge convincing requests for payment. "By doing this, they can encourage their target to make a payment quickly without triggering scepticism or caution,” she says.
In some cases, an email lure is paired with phone calls or physical mail to legitimise the request. Some key indicators of suspicious payment requests can be:
- The request claims to be urgent and/or confidential
- You are requested to ignore standard payment authorisation processes
- The request includes grammatical and spelling errors (but not all the time!)
- The type of request and the language and formatting are unusual for the supposed sender
- The ‘reply to’ email address can be different to the sender’s address.
Defending against email payment fraud
“People and processes are key when it comes to defending against payment fraud,” Martha says. “CFOs and payment teams in particular need to play an active role in your organisation’s defence.”
The best mitigation for payment fraud that makes use of spoofed emails is to adhere to industry standard processes for making and authorising payments:
1. Make use of multiple authorisers for payments and enforce strict separation of duties.
2. Require large payments or change of beneficiary details to be verified via checks in alternative channels. No payment should be authorised on the basis of a single email.
3. Train staff to question and escalate payment requests that look suspicious.
4. Whitelist use of your domain for sending email using SPF (Sender Policy Framework) and DMARC (Domain Message, Authentication, Reporting and Compliance) anti-spoofing standards.
5. Encourage your staff to level up on the creation of longer passphrases. Length beats complexity for passphrase strength. Also ensure staff do not re-use their passphrases.
What to do if you have made a payment in error
“If you realise you have been tricked into making a payment, it is critically important to call your bank as soon as possible,” Martha says. “It’s also important to register the fraudulent request for payment with law enforcement.”
CommBank’s Signals Email Payment Fraud summary contains more information to help educate your team about email payment fraud, including six things you can do in an hour for better security.
 The Australian Competition and Consumer Commission’s (ACCC) Scamwatch reported that the number of BEC scam incidents has increased by a third in 2018, with reported losses reaching AU$2.8 million dollars.