Small businesses losing profits to sophisticated email scams

12 October 2018

Can your business afford to lose $10,000 to a scammer? Learn how to spot a scam and keep your business safe.

For months Melbourne retailer Phoebe Bell believed she was emailing one of her suppliers. In reality she was communicating with a cybercriminal who would eventually steal $10,000 from her homewares business, Sage & Clare.

Business email compromise, or BEC, is an online scam where a cybercriminal impersonates a business representative to trick an employee, customer or vendor into transferring money or sensitive information to the scammer. The scammer does this by using an email address that closely resembles the business representative’s email address. The scammer might even gain remote access to the business representative’s actual email account.

Because BEC scams are usually well-researched and rely more on social manipulation than technical exploits, they can get past anti-virus programs and spam filters.

Bell says she never had any reason to doubt she was communicating with the real supplier. ‘The language, tone of voice, fonts, graphics – it was all the same,’ she points out. ‘This was a highly polished scam created purely to target small businesses and fleece them of their hard-earned money.’

After Bell paid the supplier, a series of strange emails saying there had been a problem with the payment prompted her to call the supplier directly. The supplier said they hadn’t heard from her in months, at which point Bell realised she’d been the victim of a scam.

When reflecting on what BEC has cost her, Bell notes that ‘it’s a big loss for a small business … it hits hard.’

Bell believes cybercriminals see small businesses as easy targets because they don’t usually have many account processes in place. To prevent your small business from falling victim to BEC, she recommends picking up the phone and speaking directly to your suppliers before paying accounts. She also advises using contact details you’ve found independently, rather than those provided in an email.

You can also protect your business from BEC by teaching your staff to be on the lookout for the following warning signs:

  • They’ve received an unexpected email (for example, from a supplier they haven’t dealt with recently, or from a senior employee of your business who wouldn’t typically deal with payments).
  • A supplier has provided a new bank account for payments.
  • The sender is requesting urgent payment and/or threatening serious consequences if payment isn’t made.
  • The sender’s email address doesn’t look quite right (for example, the domain name doesn’t exactly match the supplier’s company name).
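The four warning signs above can also be checked automatically before an invoice reaches whoever approves payments. The following Python script is an added example, not code from the original article: it keeps a list of supplier domains the business actually deals with, normalises common character substitutions (such as the digit 1 for the letter l) before comparing the sender's domain against that list, and scans the subject and body for changed-bank-details and urgency wording. The supplier domains and the two sample emails are constructed for the example.

```python
"""Screen incoming supplier emails for the common BEC warning signs."""
from __future__ import annotations

import re
from typing import List, Optional

# Constructed: domains of suppliers this business really trades with.
KNOWN_SUPPLIER_DOMAINS = {"northfield-homewares.example", "linenco.example"}

# Character substitutions commonly used to build a lookalike domain.
SUBSTITUTIONS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("|", "l"))

# Wording that suggests a supplier's payment details have "changed".
BANK_CHANGE = re.compile(
    r"(?:bank|account|bsb|banking|remittance).{0,40}?(?:chang|updat|new\b)"
    r"|(?:chang|updat|new\b).{0,40}?(?:bank|account|bsb|banking|remittance)",
    re.IGNORECASE | re.DOTALL,
)
# Pressure to pay quickly, or threats of consequences if payment is late.
URGENCY = re.compile(
    r"\b(?:urgent(?:ly)?|immediate(?:ly)?|today|within\s+\d+\s+hours|final\s+notice|asap)\b",
    re.IGNORECASE,
)
THREAT = re.compile(
    r"\b(?:cancel\w*|suspend\w*|penalt\w*|legal\s+action|late\s+fee)\b", re.IGNORECASE
)


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain part of a From header, ignoring the display name."""
    match = re.search(r"<([^>]+)>", from_header)
    address = match.group(1) if match else from_header
    return address.strip().lower().rsplit("@", 1)[-1]


def normalize(domain: str) -> str:
    """Undo the usual lookalike substitutions so 'northfie1d' compares equal to 'northfield'."""
    d = domain.lower()
    for src, dst in SUBSTITUTIONS:
        d = d.replace(src, dst)
    return d


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small distances between domains are suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the known supplier domain this one imitates, or None.

    An exact match is a genuine supplier, not a lookalike, so it returns None too.
    """
    if domain in KNOWN_SUPPLIER_DOMAINS:
        return None
    norm = normalize(domain)
    for known in KNOWN_SUPPLIER_DOMAINS:
        if levenshtein(norm, normalize(known)) <= 2:
            return known
    return None


def screen(message: dict) -> List[str]:
    """Return warning codes for a message with 'from', 'subject' and 'body' keys."""
    codes: List[str] = []
    domain = sender_domain(message["from"])
    if lookalike_of(domain):
        codes.append("LOOKALIKE_DOMAIN")
    elif domain not in KNOWN_SUPPLIER_DOMAINS:
        codes.append("UNKNOWN_SENDER")
    text = message["subject"] + "\n" + message["body"]
    if BANK_CHANGE.search(text):
        codes.append("BANK_DETAILS_CHANGED")
    if URGENCY.search(text) or THREAT.search(text):
        codes.append("URGENCY_OR_THREAT")
    return codes


# Constructed sample messages: one imitating a supplier, one genuine.
SCAM_EMAIL = {
    "from": "Northfield Accounts <accounts@northfie1d-homewares.example>",
    "subject": "URGENT: updated remittance details for invoice 2291",
    "body": "Hi, please note our bank account details have changed with immediate "
            "effect. Kindly pay today, otherwise your order will be cancelled.",
}
LEGIT_EMAIL = {
    "from": "Northfield Accounts <accounts@northfield-homewares.example>",
    "subject": "Invoice 2291",
    "body": "Hi, invoice 2291 is attached. Terms are 30 days as usual. Thanks.",
}

if __name__ == "__main__":
    for label, msg in (("scam", SCAM_EMAIL), ("legit", LEGIT_EMAIL)):
        print(label, screen(msg))
```

Any message that returns a warning code should be held for the phone check the article recommends, using a number already on file rather than one in the email. The domain comparison is deliberately simple: it compares whole domains, so a genuine subdomain of a supplier would show as an unknown sender and needs to be added to the list explicitly.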

It’s also possible for your business email accounts to be used in a BEC scam. To stop this from happening, implement two-factor authentication so that scammers can’t use any login credentials they may have tricked an employee into supplying. You should also develop and maintain good security controls for your internal network so scammers can’t use it to gain access to your email accounts.

More information and reporting

Read more about how to improve your cyber hygiene.

Scams can be reported to the Australian Competition and Consumer Commission’s Scamwatch.

If you’ve been a victim of BEC, report it to the Australian Cybercrime Online Reporting Network (ACORN).