What is Business Email Compromise?
Business email compromise (BEC) is fraud carried out through an organisation's email. Criminals either gain unauthorised access to (or "hack") a genuine mailbox, or impersonate the organisation using similar names, lookalike domains and copied logos, and then use that position to trick customers or the business itself out of money or goods. A typical move is to alter the bank account details on an otherwise legitimate invoice so that payment lands in an account the criminal controls.
Scams associated with business email compromise include:
- Invoice fraud: Criminals compromise a vendor's email account and gain access to legitimate invoices being sent to customers. They edit the contact and bank details on those invoices and send them to the customers from the compromised account. Because the email comes from the vendor's real address, the customer pays the invoice believing they are paying the vendor, but the money goes to the criminal.
- Company impersonation: Criminals register a domain whose name is very similar to that of a large, known and trusted organisation. They then impersonate the organisation in an email that requests payment of invoices, or asks for an update to the payment details of accounts held with the real organisation.
The Australian Cyber Security Centre (ACSC) advises looking for the following warning signs:
- The supplier sending the invoice has provided new bank account details.
- The email was unexpected. For example, the invoice came from a supplier you have not dealt with in a while, or the payment amount differs from previous amounts.
- The email asks for an urgent payment or threatens serious consequences if payment is not made.
- The email was sent from someone in a position of authority, particularly someone who would not normally send payment requests.
- The email address does not look quite right. For example, the domain name does not exactly match the supplier's company name. Double-check by looking at previous correspondence.
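The last warning sign, a sender domain that does not quite match the supplier's, is the one that can be checked mechanically before a human looks at the invoice. The following Python is an added example, not ACSC material or code from the original page: it takes a `From:` header, compares the sender's domain against a list of known supplier domains (the list and the sample headers are constructed for illustration; in practice the list comes from your vendor master file), and reports whether the sender is a known domain, a lookalike (wrong TLD, typo-squat, digit or accent homoglyph, or the supplier's name embedded in a longer domain), a display name that claims a supplier while the address is somewhere else, or simply unknown.

```python
"""Lookalike-sender triage for the 'email address does not look quite right' warning sign.

Added example, not ACSC material. KNOWN_SUPPLIER_DOMAINS and the sample
From: headers below are constructed for illustration.
"""
import re
import unicodedata
from email.utils import parseaddr

# Assumption: every domain a supplier legitimately sends from is listed here
# (a supplier with several domains needs all of them, or they will show as lookalikes).
KNOWN_SUPPLIER_DOMAINS = {"acme-widgets.com.au", "northwind-traders.com"}

# Single-character substitutions used to register near-identical names.
# Multi-character tricks (rn -> m, vv -> w) are caught by edit distance instead.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalise(text: str) -> str:
    """Lowercase, strip accents and map digit look-alikes: 'Acmé-W1dgets' -> 'acme-wldgets'."""
    decomposed = unicodedata.normalize("NFKD", text)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return stripped.lower().translate(HOMOGLYPHS)


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), dynamic programming over rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def brand(domain: str) -> str:
    """Leftmost label, e.g. 'acme-widgets' from 'acme-widgets.com.au'.
    Assumption: listed supplier domains are registered directly, not subdomains.
    Punycode (xn--) labels are not decoded in this example."""
    return domain.split(".", 1)[0]


def classify_sender(from_header: str) -> dict:
    """Return {'verdict': known|lookalike|display_name_mismatch|unknown, 'domain', 'closest'}."""
    display_name, addr = parseaddr(from_header)
    _local, sep, domain = addr.rpartition("@")
    domain = domain.lower()
    if not sep or not domain:
        return {"verdict": "unknown", "domain": domain, "closest": None}

    # Exact match, or a subdomain of a known supplier domain, is fine.
    for known in KNOWN_SUPPLIER_DOMAINS:
        if domain == known or domain.endswith("." + known):
            return {"verdict": "known", "domain": domain, "closest": known}

    sender_brand = normalise(brand(domain))
    closest = min(KNOWN_SUPPLIER_DOMAINS,
                  key=lambda k: levenshtein(sender_brand, normalise(brand(k))))
    closest_brand = normalise(brand(closest))
    distance = levenshtein(sender_brand, closest_brand)

    # Same or nearly the same registrable name on a domain we do not know:
    # wrong TLD, typo-squat, homoglyph, or the supplier's name inside a longer name.
    if distance <= 2 or closest_brand in sender_brand:
        return {"verdict": "lookalike", "domain": domain, "closest": closest}

    # Display name claims the supplier but the address lives elsewhere (e.g. webmail).
    name_key = re.sub(r"[^a-z0-9]", "", normalise(display_name))
    for known in KNOWN_SUPPLIER_DOMAINS:
        brand_key = re.sub(r"[^a-z0-9]", "", normalise(brand(known)))
        if brand_key and brand_key in name_key:
            return {"verdict": "display_name_mismatch", "domain": domain, "closest": known}

    return {"verdict": "unknown", "domain": domain, "closest": None}


# Constructed sample headers covering each verdict.
SAMPLE_FROM_HEADERS = [
    "Acme Widgets Accounts <accounts@acme-widgets.com.au>",        # known
    "Acme Widgets Accounts <accounts@acme-w1dgets.com.au>",        # digit homoglyph
    "Acme Widgets Accounts <accounts@acme-widgets.co>",            # wrong TLD
    "Northwind AP <ap@n0rthwind-traders.com>",                     # digit homoglyph
    "Acme Widgets Billing <billing@acme-widgets-invoices.com>",    # name embedded in longer domain
    "Acme Widgets Accounts <acme.widgets.accounts@gmail.com>",     # display name spoof
    "Random Person <bob@example.org>",                             # unknown
]

if __name__ == "__main__":
    for header in SAMPLE_FROM_HEADERS:
        result = classify_sender(header)
        print(f"{result['verdict']:22} {result['domain']:30} closest={result['closest']}")
```

The verdicts are a triage aid for the accounts-payable queue, not a decision: a `known` result still says nothing about whether that mailbox has been compromised (the invoice-fraud case above comes from the genuine address), so the payment-verification process the ACSC describes still applies to every change of bank details.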
The ACSC also advises establishing a consistent process for checking all payment requests and requests for sensitive information. If you receive an email requesting payment to an account number you have not paid before, or asking for any personal information, call the company on its publicly listed phone number (not a number taken from the email itself, which may belong to the criminal) and confirm that the request is genuine before acting on it.