Phishing email scams are a real and growing threat to businesses all around the world. According to the Australian Government’s Annual Cyber Threat Report 2022, BEC scam losses increased by 21 percent year on year to $98 million. The report clearly shows that medium-sized businesses lost 42 percent more than larger organisations. While some types of internet crime have decreased in recent years, business email compromise (BEC) scams have grown in terms of both the number of victims affected and the total victim loss.
The holidays and the months leading up to the end of the fiscal year are prime times for these types of scams. Cybercriminals are aware that people are travelling, looking for the best online deals, trying to manage their payments, or stressed about filling out tax forms—an ideal scenario for criminals looking to exploit others.
With the rise of phishing emails, there has never been a better time to learn how to protect your business from these scams. Businesses need to be aware in order to protect their email inboxes and sensitive company and employee information. We’ve compiled a list of common phishing email scams, how to avoid them, and what to do if your company has been targeted.
According to Xero, nearly 1 in every 5 Australian small businesses become victims of invoice fraud, costing an average of $15,500 per business. According to the ACCC’s Targeting Scams report, fraudulent invoices caused the most losses of any scam type in 2019, costing businesses $132 million.
Invoice scams can occur where a company employee falls victim to a phishing email that lets a fraudster into the company’s email system. From there, the scammer can intercept legitimate invoices, falsifying the payment details so that funds go into a new account. Another variant involves simply sending an email in the name of a supplier with a fraudulent invoice. For big companies with lots of payments, small invoices can be approved without much oversight. In both cases, the company pays into a fraudster’s account, unaware that they have been scammed until the supplier asks why payment has not been received.
What to do:
Watch for these warning signs of a fraudulent invoice:
- An email requesting immediate payment.
- Threats of serious consequences if payment is not made.
- A supplier making contact out of the blue requesting account changes.
In addition, before entering your personal or financial information into any website form, make sure it’s a trusted, verified site. Small changes in website URLs and email addresses can be easily identified and flagged for manual approval, reducing the risk of paying a false invoice.
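The checks described above (comparing a sender's domain against the supplier details on file, and spotting the urgency, threat and account-change wording from the warning signs list) can be automated as a first-pass filter that routes suspicious invoices to manual approval. The following Python script is an added example, not part of the original article; the supplier allow-list, the homoglyph table, the keyword patterns and the sample emails are all constructed for illustration.

```python
import re

# Constructed allow-list: domains of suppliers whose payment details are on file.
KNOWN_SUPPLIER_DOMAINS = {"acme-supplies.example", "northwind.example"}

# Single-character swaps commonly used to build lookalike domains (constructed table).
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
# Multi-character swaps that str.translate cannot express.
_PAIR_SWAPS = (("rn", "m"), ("vv", "w"), ("cl", "d"))

# Phrases matching the warning signs listed above; case-insensitive, may span lines.
_WARNING_SIGNS = {
    "urgent payment": r"\b(?:immediate(?:ly)?|urgent(?:ly)?|today|asap)\b.*?\b(?:pay|payment|paid|transfer|remit)\b",
    "threat": r"\b(?:legal action|suspend\w*|penalt\w*|late fee|final notice)\b",
    "account change": r"\b(?:new|updated?|changed?)\b.*?\b(?:bank|account|bsb|iban)\b",
}


def normalise_domain(domain):
    """Lower-case a domain and undo common look-alike character swaps."""
    norm = domain.strip().lower().translate(_HOMOGLYPHS)
    for pair, single in _PAIR_SWAPS:
        norm = norm.replace(pair, single)
    return norm


def edit_distance(a, b):
    """Levenshtein distance: number of single-character edits to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address):
    """Return ('trusted', domain) for an exact allow-list match,
    ('lookalike', known_domain) for a near-match, else ('unknown', None)."""
    domain = address.rsplit("@", 1)[-1].strip().rstrip(">").lower()
    if domain in KNOWN_SUPPLIER_DOMAINS:
        return "trusted", domain
    norm = normalise_domain(domain)
    for known in KNOWN_SUPPLIER_DOMAINS:
        known_norm = normalise_domain(known)
        # A distance of 1 or 2 catches a swapped, dropped or added character.
        if norm == known_norm or edit_distance(norm, known_norm) <= 2:
            return "lookalike", known
    return "unknown", None


def review_invoice_email(sender, subject, body):
    """Combine the sender check with the warning-sign scan and decide the route."""
    status, matched = classify_sender(sender)
    text = f"{subject}\n{body}"
    signs = [name for name, pat in _WARNING_SIGNS.items()
             if re.search(pat, text, re.I | re.S)]
    # Anything not from a known supplier, or carrying a warning sign, goes to a person.
    route = "manual approval" if status != "trusted" or signs else "normal processing"
    return {"sender_status": status, "matched_supplier": matched,
            "warning_signs": signs, "route": route}


# Constructed sample emails, not real messages.
SAMPLE_EMAILS = [
    ("accounts@acme-supp1ies.example",
     "URGENT: updated bank details for invoice 4471",
     "Please transfer payment today to our new account: BSB 000-000, account 12345678."),
    ("accounts@acme-supplies.example",
     "Invoice 4472",
     "Please find attached invoice 4472, payable within 30 days."),
]

if __name__ == "__main__":
    for sender, subject, body in SAMPLE_EMAILS:
        print(sender, "->", review_invoice_email(sender, subject, body))
```

The domain comparison deliberately normalises both sides before measuring distance, so a "1" standing in for an "l" is treated as identical rather than as one edit; the distance threshold then covers genuine typo-squats. Anything routed to manual approval should be confirmed by calling the supplier on the number already on file, not a number from the email.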
Another type of phishing email scam is the payroll scam, which involves impersonating or compromising an employee’s email account and sending a message to their employer requesting an update to their bank account details for receiving their salary. Criminals are opportunistic and seek people who can act immediately on messages they receive, so keep an eye out for urgent requests to update payroll information. These scams can also be carried out over the phone.
What to do:
It is critical that your company validates payment requests or changes to payment details. Create a procedure that requires the receiver to carefully check the requester’s email address and call them to confirm the request using the contact information you have on file. This is especially important if payment information has changed or if a request appears unusual.
According to FBI statistics, CEO scams now account for $26 billion in losses, with a 100% increase in identified global exposed losses between May 2018 and July 2019. A CEO scam, also known as ‘CEO phishing,’ occurs when an email appears to come from a senior person in a business, such as the CEO or CFO, requesting in urgent or intimidating language to transfer funds. The cybercriminals hope that by making the email appear to be from a senior person, the recipient will act immediately without validating the request. These phishing emails could come from a compromised email account of the real executive, or from a very similar email address.
What to do:
If your company receives a CEO phishing email or a fake invoice, share it with your employees so they know what to look out for in the future. Any unusual payment requests must be clarified in person, so employees in these positions should be encouraged to think critically and contact the person directly. It only takes a few seconds and has the potential to save you and your firm thousands of dollars.
These emails contain exceptional offers, such as a reward or limited-time incentive, but often include malware-infected links or information requests that can be used to compromise the email account and commit large-scale fraud. Even if the email comes from a known sender (like HR or your manager), do not trust it, as their account might have been compromised.
What to do:
It’s best not to interact with anything in an email that seems too good to be true or comes from a source you don’t recognise. That means not clicking links, downloading files, or opening attachments. Always independently confirm such emails by checking in with the sender or informing the IT team.