Stopping Business Email Compromise

Many small businesses are losing money to hackers, most commonly when an email-based invoice is intercepted and its bank account payment details are changed to those of an account under the hacker's control. In one recent case, a scammer stole $51,000 by altering the bank account details on an invoice while it was in flight.

Usually, by the time the parties involved work out what has happened, the money has been transferred into other accounts and ultimately out of the country. This tells us three things: the hacker is outside the country, they have multiple accounts within Australia, and they are able to move large sums between those accounts very quickly indeed.

How to stop the scam, dead!

First off, those handling invoices need some education: if the payment details have changed since you last paid the recipient, contact them directly, either face to face or by phone (using the contact details you already hold, and not via email, since it could be the scammer responding), to confirm the change before paying. This single action alone will make the scam fail.

Secondly, if you are the party raising the invoice and it is for a significant sum, also send the payment details via another communication route, say printed at the bottom of your business card. That way the payer is guaranteed to have something to confirm against.

Thirdly, we need to stop sending such sensitive information purely via email. A common technique used to ‘raise the bar’ against these attacks is to host the invoice itself within online invoice management software, so the email contains only a link to that invoice and no attachments. This does not eliminate the risk (a hacker with access to the payee’s email account could download the invoice, alter it, attach the altered copy and remove the link), but it significantly raises the bar for the scammer and forces them to interact with more systems that are not under their control. Plus, if the invoice management software provider is on their game, they will be blocking the scammer’s access. In short, do not roll your own invoices and attach them to the emails you send; use online services like MYOB and Xero.

What role do the banks have in this?

The banks are partly responsible for creating a banking environment in which it is possible for scammers to use newly ‘minted’ accounts to quickly transfer monies between accounts and then out of the country.

Here are some suggestions for how to deal with this:

  • Accounts less than 3 months old must place a ‘hold lock’ for 5 days on inward payments over $20,000 from accounts not controlled by the recipient, so the money cannot be immediately transferred to another account or withdrawn. This lock can only be removed by an in-person visit to the bank with a suitable 100-point ID check. A follow-up repeat payment from the same payer (such as a paycheck) will not incur the same lock.
  • Banks agree on a mechanism to signal to each other whether a bank account is less than 3 months or less than 6 months old; this can then be shown on the online funds transfer page to indicate to the payer that the recipient bank account is brand new and flag a possible fraud risk.
  • On the online transfer form, for amounts over $5,000, add extra text to the confirmation screen repeating the new-recipient warning where appropriate (the account itself is new, or it is a new payee), with a link or popup describing how to verify the recipient’s details.
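To make the three bank-side rules concrete, here is an added example (not from the original article, and not any bank's real logic) that applies them to a proposed transfer: the 5-day hold on large inbound payments to accounts under 3 months old, the exemptions for recipient-controlled source accounts and repeat payers, and the extra warnings on transfers over $5,000. The account names, dates and amounts are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Thresholds taken from the proposals above.
NEW_ACCOUNT_AGE = timedelta(days=90)   # "less than 3 months old"
HOLD_THRESHOLD = 20_000                # inbound payments over $20,000
HOLD_PERIOD = timedelta(days=5)        # funds locked for 5 days
WARN_THRESHOLD = 5_000                 # extra warning text on transfers over $5,000

@dataclass
class Account:
    account_id: str
    owner: str
    opened: date
    prior_payers: set = field(default_factory=set)  # account_ids that have paid in before
    known_payees: set = field(default_factory=set)  # account_ids this account has paid before

def is_new(acct: Account, today: date) -> bool:
    return today - acct.opened < NEW_ACCOUNT_AGE

def evaluate_transfer(payer: Account, recipient: Account, amount: int, today: date) -> dict:
    """Decide whether an inbound payment is hold-locked and which warnings the payer sees."""
    decision = {"hold_until": None, "warnings": []}
    exempt = (payer.owner == recipient.owner                  # recipient-controlled source
              or payer.account_id in recipient.prior_payers)  # repeat payment, e.g. payroll
    if is_new(recipient, today) and amount > HOLD_THRESHOLD and not exempt:
        decision["hold_until"] = today + HOLD_PERIOD
    if amount > WARN_THRESHOLD:
        if is_new(recipient, today):
            decision["warnings"].append("recipient account is less than 3 months old")
        if recipient.account_id not in payer.known_payees:
            decision["warnings"].append("first payment to this payee: verify details by phone")
    return decision

def release_hold(decision: dict, today: date, id_checked_in_person: bool) -> bool:
    """A hold lifts once the 5 days elapse, or earlier only after an in-branch 100-point ID check."""
    if decision["hold_until"] is None:
        return True
    return today >= decision["hold_until"] or id_checked_in_person

# Constructed sample data (hypothetical accounts): a business paying a long-standing
# supplier, and two freshly opened accounts of the kind a scammer would use.
TODAY = date(2024, 5, 20)
VICTIM = Account("vic-001", "Example Pty Ltd", date(2015, 3, 2), known_payees={"sup-001"})
SUPPLIER = Account("sup-001", "Trusted Supplies", date(2016, 7, 9), prior_payers={"vic-001"})
MULE = Account("mule-001", "Mule Holdings", date(2024, 5, 1))   # 19 days old
MULE2 = Account("mule-002", "Mule Holdings", date(2024, 5, 3))  # same owner as MULE

if __name__ == "__main__":
    print(evaluate_transfer(VICTIM, MULE, 51_000, TODAY))      # hold + two warnings
    print(evaluate_transfer(VICTIM, SUPPLIER, 51_000, TODAY))  # no hold, no warnings
```

The $51,000 payment from the article lands in a hold until the 5 days elapse, while the same amount to an established, previously paid supplier passes untouched.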

If the above is done, scammers will be forced to use longer-lived accounts (increasing their risk of discovery) while the technique itself becomes less profitable. It will also have the benefit of reducing simple errors that result in misplaced payments.

Banks themselves also need to up their game on detecting such fraud and collaborate to share intelligence; for instance, bank account age could be used as a signal to help detect fraud.
