
Business email compromise scams. Four words that describe $13m of losses over approximately 981 cases in Australia between 1st January and 30th September 2023 according to the ACCC.
It’s a significant, and growing, problem for dealerships and customers, as two recent high-profile cases illustrate (see: https://bit.ly/3wOrp0M and https://bit.ly/3wLFgoB).
The scam is relatively straightforward. A threat actor who has gained access to a mailbox at either end intercepts emails between a dealership and a customer that contain invoices. The invoices are doctored with alternative bank account details, and the customer, seeing an otherwise genuine-looking invoice from the expected sender, settles to the wrong account.
The issue may only be discovered once the payment discrepancy is followed up, by which time multiple payments may already have been made.
How are the emails intercepted? Unfortunately, there are several ways, and fault is not always easy to attribute. Nor does it have to result from a traditional data "hack"; it can be a simple failure to follow secure procedures at either end.
No matter where the fault lies, the pain is always shared, either financially or emotionally, between both parties. Whilst there may be a sigh of relief if it wasn't your system at fault, you still have an angry and frustrated customer to deal with and a high potential for negative publicity (as the two articles above show).
So, it's in both parties' interest to invest in up-to-date systems and processes that reduce the risk of this type of issue.
Here are some first steps to consider:
- Training and Awareness – making your team aware of these attacks, and of the basic procedures and practices that prevent them, keeps vigilance high and provides a first line of defence. (see: https://bit.ly/3ToXRA1)
- Payment Security Process – Set up payment security processes with your finance team. Can bank account details be sent by encrypted transfer or confirmed by SMS? Can any change of bank details be confirmed by phone, using a number already on file rather than one taken from the email that announced the change? Can an initial micropayment be requested and confirmed by phone on receipt? Simple process improvements could provide a safety net with little extra investment.
- Enable multi-factor authentication on email accounts (see: https://bit.ly/3V9jqWe).
- Block automatic outbound email forwarding rules. Your email software may allow you to block this practice at a company level and prevent your emails from being silently forwarded to the threat actors; it is also worth checking which forwarding rules already exist, since a rule quietly added to a staff mailbox is a common sign that it has been compromised.
- Establish security credentials. What software and systems is your business using to hold and transfer valuable data? What is your level of knowledge of, or trust in, those systems? Older systems may be running on unsupported or unpatched software; investigate and consider an upgrade if you're in any doubt.
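The following PowerShell is added here as an illustration of the forwarding-rule step above and is not code from the original article. It shows how an administrator of Exchange Online (Microsoft 365) would list the forwarding rules that already exist and then block automatic forwarding to external addresses for the whole organisation. The administrator account and domain names are placeholders; the ExchangeOnlineManagement module and Exchange admin rights are assumed.

```powershell
# Added example (not from the original article): audit and block automatic
# outbound forwarding in Exchange Online. Assumes the ExchangeOnlineManagement
# module is installed and the signed-in account has Exchange admin rights.
# The account and domain below are placeholders, not real addresses.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@example-dealership.com.au

# 1. Mailbox-level forwarding (set by an admin or by the user in settings).
$mailboxForwards = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object UserPrincipalName, ForwardingSmtpAddress,
                  ForwardingAddress, DeliverToMailboxAndForward

# 2. Inbox rules that forward or redirect mail. A rule like this, added to a
#    staff mailbox without the owner's knowledge, is the usual attacker foothold.
$ruleForwards = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    Get-InboxRule -Mailbox $mbx.UserPrincipalName |
        Where-Object { $_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo } |
        Select-Object @{ Name = 'Mailbox'; Expression = { $mbx.UserPrincipalName } },
                      Name, Enabled, ForwardTo, ForwardAsAttachmentTo, RedirectTo
}

$mailboxForwards | Format-Table -AutoSize
$ruleForwards    | Format-Table -AutoSize

# Confirm every hit with the mailbox owner before deleting it. For a rule you
# have confirmed is malicious, remove it and treat the mailbox as compromised:
#   Remove-InboxRule -Mailbox user@example-dealership.com.au -Identity "<rule name>"

# 3. Block automatic forwarding to external recipients organisation-wide.
#    The outbound spam filter policy is the supported control; the remote
#    domain setting is set as well so that older client-side rules are covered.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Set-RemoteDomain -Identity Default -AutoForwardEnabled $false

# 4. Verify the result rather than assuming it.
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, AutoForwardingMode
Get-RemoteDomain -Identity Default  | Select-Object Name, AutoForwardEnabled

Disconnect-ExchangeOnline -Confirm:$false
```

Two caveats a practitioner would add. Microsoft's default policy for newer tenants already blocks external auto-forwarding, so the audit in steps 1 and 2 is often the more valuable part: a rule that forwards invoices to an outside address is evidence that a mailbox has already been compromised, not just a setting to tidy up. And blocking forwarding does nothing against an attacker who has the password and simply logs in to read the mail, which is why the multi-factor authentication step above sits alongside it.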
As we mentioned in our previous article on cyber security (here: https://bit.ly/3T4nGUA), there is no failsafe means of protecting your business from potential threats. However, the steps above go some way to making any compromise significantly more difficult.
Ultimately, retailers want to be protected without excessive costs or friction, and buyers want to feel secure without being overburdened by process.
Hopefully, some of these simple protections can be put in place and viewed by both parties as an improvement in the overall customer experience.
Regards
Shane
Published:
January 28, 2025
Updated:
January 28, 2025