Popular Events Affecting Small Businesses in Australia


Small businesses are increasingly attractive targets for scammers. They are often seen as more vulnerable to cybercrime because they have less time and fewer resources to establish robust security measures than larger organisations.

Here is a variety of common scam and cybercrime events currently affecting small businesses in Australia.

Business Email Compromise

IDCARE has observed an increased prevalence of business email compromise (BEC) scams, which occur when an unauthorised third party gains access to, or convincingly impersonates, a business’s email account. The motivation for BEC is generally financial gain through deception, and data theft. Scammers often use a business’s email as a gateway to other online accounts, such as payroll and invoicing software, social media platforms or cloud-based applications (Dropbox, Google Drive), because password resets for those services land in the compromised inbox.

Types of business email compromise include:

Data theft: Scammers often start by stealing company information, such as an employee’s schedule or personal contact details, to assist in carrying out BEC scams and to make them appear more believable. One common scenario is an employee’s credentials being compromised when they log into business systems outside the work environment (e.g. from home, or over an unsecured public Wi-Fi connection). In other cases, an external business the company deals with has been compromised through a data breach; email threads your business sent to that organisation may then be in the hands of fraudsters, giving them insight into your business practices and the way you communicate with external organisations.

Employer impersonation fraud: Scammers either spoof or gain access to a business owner’s email account, then email employees to request that they make purchases or transfer money. New or entry-level employees are frequently the victims of employer impersonation scams.

False invoice scams: Scammers pose as a legitimate organisation or a vendor that the business works with, then email a false or amended invoice. These invoices are often targeted and closely resemble a real bill the business has previously received, or contain specific information about the business to appear more credible.
As a recent example, some false invoice scams have been disguised as ‘Business name renewal’ invoices from the Australian Securities and Investments Commission (ASIC).

Account compromise: Scammers use phishing emails containing malicious links or attachments to obtain access to an employee’s email account. The scammer then sends emails to the business’s customers or suppliers containing fake invoices or messages that request payment to a fraudulent bank account.

Prevention - How can my business avoid BEC?

BEC scams have become more prevalent, which makes it important for small businesses to remain vigilant and to take precautions.

Minimise the sensitive information and credentials stored in your email account; this limits what an attacker can take if the account is compromised. Consider deleting emails containing sensitive information (such as client or supplier data, or payroll details) that are no longer needed, or moving the information to a secure storage system.

Implement employee training and awareness of BEC and phishing methods. This should include how to recognise potential BEC attempts and how to confirm the authenticity of invoices and emails: any request to change bank details or make an urgent payment should be verified by calling the supplier or manager on a number already on file, never on a number taken from the email itself.

Protect your business’s privacy. Be aware of what information about your business is readily available through a simple online search. Scammers often try to use information available online to make their BEC attempts more convincing. This can include basic personal details such as full name, address, employee positions, work email addresses or other personal details. Consider whether there are people within your business that would be easy to impersonate using publicly available information.

Disallow email forwarding outside of the business: Once inside a mailbox, BEC scammers commonly create rules that automatically forward messages to an external mailbox, so that they keep receiving copies even after the password is changed. Employees should not be permitted to create auto-forwarding rules to addresses outside the business.

For Microsoft 365 (Outlook) users, forwarding can be set in three places, and all three should be checked. In the Exchange admin center, Mail flow > Rules lists organisation-wide rules that redirect or blind-copy mail; per-mailbox forwarding is shown under each mailbox’s mail flow settings (Recipients > Mailboxes); and user-created inbox rules are visible only in the user’s own Outlook rules or through Exchange Online PowerShell (Get-InboxRule). To block external auto-forwarding for the whole tenant, set ‘Automatic forwarding rules’ to Off in the outbound anti-spam policy (Microsoft Defender portal > Email & collaboration > Policies & rules > Threat policies > Anti-spam).

Protections for Outlook users:

Microsoft Defender for Office 365 (formerly Office 365 Advanced Threat Protection, ATP): You can use Defender for Office 365 to protect you and your employees from malicious attachments and links when using Outlook and the other Office applications. It requires either a separate Defender for Office 365 licence or a licensing level that includes it, such as Microsoft 365 Business Premium.

Exchange Online MailTips: The organisation setting “MailTipsExternalRecipientsTipsEnabled” makes Outlook show a warning while a user is composing or replying to a message whenever a recipient is outside the business’s domain. This is a useful prompt when an employee is about to reply to a spoofed or look-alike external address that is pretending to be a colleague or supplier.

Check if your email address has been in a data breach: Check the website www.haveibeenpwned.com to see if your email address has been exposed in any data breach events.

Additional resources: A step-by-step guide to reviewing email account security is provided by the Australian Signals Directorate here.
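The forwarding checks and the MailTip setting described above can be done in one pass with Exchange Online PowerShell. The script below is an added example, not part of the IDCARE fact sheet or any Microsoft documentation. It assumes the ExchangeOnlineManagement module is installed, that the person running it holds an Exchange administrator role, and that the tenant’s own domains are exactly those returned by Get-AcceptedDomain; anything forwarded to another domain is treated as external.

```powershell
# Added example (not part of the IDCARE fact sheet): audit an Exchange Online
# tenant for mail being forwarded outside the organisation, then close the hole
# tenant-wide and turn on the external-recipient MailTip.
# Requires the ExchangeOnlineManagement module and an Exchange administrator role.
# Assumption: the tenant's own domains are exactly those returned by Get-AcceptedDomain.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline            # interactive, MFA-capable sign-in

$internalDomains = @((Get-AcceptedDomain).DomainName | ForEach-Object { "$_".ToLower() })

function Test-ExternalAddress {
    # $true when the address's domain is not one of our accepted domains.
    # Handles both "user@domain" and Exchange's "Name [SMTP:user@domain]" display form.
    param([string]$Address)
    if ($Address -match '@([A-Za-z0-9.-]+)') {
        return -not ($internalDomains -contains $Matches[1].ToLower())
    }
    return $false
}

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Mailbox, [string]$Kind, [string]$Target) {
    $findings.Add([pscustomobject]@{ Mailbox = $Mailbox; Kind = $Kind; Target = $Target })
}

$mailboxes = Get-Mailbox -ResultSize Unlimited

# 1. Mailbox-level forwarding (set by an admin, or by the user in Outlook on the web).
foreach ($mbx in $mailboxes) {
    if ($mbx.ForwardingSmtpAddress -and (Test-ExternalAddress "$($mbx.ForwardingSmtpAddress)")) {
        Add-Finding $mbx.PrimarySmtpAddress 'MailboxForwarding' "$($mbx.ForwardingSmtpAddress)"
    }
    if ($mbx.ForwardingAddress) {
        # Points at a directory object (often a mail contact that resolves to an
        # external address), so it is flagged for manual review rather than resolved here.
        Add-Finding $mbx.PrimarySmtpAddress 'MailboxForwarding (review)' "$($mbx.ForwardingAddress)"
    }
}

# 2. User-created inbox rules that forward or redirect. This is the classic BEC
#    persistence trick: the attacker keeps receiving copies after the password
#    is reset, so check every mailbox, not only the one that was reported.
foreach ($mbx in $mailboxes) {
    $rules = Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress |
        Where-Object { $_.Enabled -and ($_.ForwardTo -or $_.ForwardAsAttachmentTo -or $_.RedirectTo) }
    foreach ($rule in $rules) {
        $targets = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        foreach ($t in $targets) {
            if ($t -and (Test-ExternalAddress "$t")) {
                Add-Finding $mbx.PrimarySmtpAddress "InboxRule: $($rule.Name)" "$t"
            }
        }
    }
}

# 3. Organisation-wide mail flow (transport) rules that redirect or BCC messages.
foreach ($rule in Get-TransportRule) {
    foreach ($t in @($rule.RedirectMessageTo) + @($rule.BlindCopyTo)) {
        if ($t -and (Test-ExternalAddress "$t")) {
            Add-Finding '(organisation-wide)' "TransportRule: $($rule.Name)" "$t"
        }
    }
}

if ($findings.Count -eq 0) { 'No external forwarding found.' } else { $findings | Format-Table -AutoSize }

# 4. Stop it recurring: refuse automatic forwarding to external addresses for the
#    whole tenant, and warn users whenever a message they are composing
#    (including a reply) is addressed outside the organisation.
Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
Set-OrganizationConfig -MailTipsExternalRecipientsTipsEnabled $true

Disconnect-ExchangeOnline -Confirm:$false
```

Run the audit before changing anything and keep the output: an unexplained external forward is evidence of a compromise that warrants a password reset, revocation of active sessions, and a look at the mailbox’s sign-in history, not just deletion of the rule.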

Website and social media spoofing/impersonation

Scammers are defrauding businesses and their customers by either gaining unauthorised access to a business's legitimate website or social media account or creating fake websites that impersonate the business. Businesses that have been impersonated by scammers can suffer from brand damage which can lead to the loss of trust and business from its customer base. Customers of the business may also suffer from financial loss or compromise of their personal information if they engage with the compromised account or fraudulent website.

Protecting your website and its domain

Install a web application firewall (WAF) or site-protection service: A WAF filters malicious requests before they reach your site, which helps against automated attacks, abuse of contact forms and some denial-of-service traffic, and usually offers additional controls such as rate limiting and geo-blocking of countries you do not do business with.

Domain privacy protection: Explore WHOIS privacy protection, a service offered by most domain name registrars. It hides the registrant’s name, address, phone number and email from public WHOIS lookups, which is exactly the information scammers use to impersonate the business owner.

Use a TLS (SSL) certificate on your website: A TLS certificate encrypts data in transit between a visitor’s browser and your website, so details entered into forms cannot be read or altered on the way, and it lets visitors confirm they have reached your genuine domain. Many hosting providers include one, and certificates are also available free of charge from Let’s Encrypt; make sure renewal is automatic so the certificate does not silently expire.

Consider buying look-alike domains (common misspellings and alternative endings such as .com or .net.au) and keep track of when your own domain is due to expire. Scammers take advantage of business owners forgetting to renew their domains and buy them.

Add a captcha to your website’s client contact form: This can prevent unwanted spam attacks from clogging up your email inbox. Contact the person or organisation that built your website to explore this.

Implement secure email gateway rules: These can flag or quarantine emails sent from domains that look similar to your business’s domain. Also publish SPF, DKIM and DMARC records for your domain so that receiving mail servers can reject messages that claim to come from your exact domain but were not sent by you.

Cookie usage prompts for your website: Implement a prompt which allows users to accept or reject the deployment of cookies (most often used for session tracking and analytics). The terms and conditions governing the cookies should also be displayed.

Monitor for fraudulent domain creation: To prevent domain spoofing, consider registering an account with an entity that provides monitoring and alerts when similar domains are registered.
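The two items above, gateway rules for look-alike sender domains and monitoring for look-alike registrations, share one ingredient: a list of the spellings a scammer is likely to register. The script below is an added example, not part of the IDCARE fact sheet. It generates that list for a placeholder domain (example.com.au stands in for the business’s real domain), looks up which candidates already exist in DNS (which needs internet access), and then tags inbound mail from any of them with an Exchange Online mail flow rule (which assumes an open Connect-ExchangeOnline admin session).

```powershell
# Added example (not part of the IDCARE fact sheet): generate common look-alike
# spellings of your own domain, see which already exist in DNS (worth monitoring
# or registering yourself), and flag inbound mail from any of them.
# Assumptions: 'example.com.au' is a placeholder for the real domain; Resolve-DnsName
# needs internet access; New-TransportRule needs an Exchange Online admin session.

$domain = 'example.com.au'
$label, $suffix = $domain -split '\.', 2          # 'example' and 'com.au'

$variants = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)

for ($i = 0; $i -lt $label.Length; $i++) {
    # Omission (exmple), doubling (exaample) and transposition (examlpe).
    [void]$variants.Add($label.Remove($i, 1) + ".$suffix")
    [void]$variants.Add($label.Insert($i, [string]$label[$i]) + ".$suffix")
    if ($i -lt $label.Length - 1) {
        $swapped = $label.Substring(0, $i) + $label[$i + 1] + $label[$i] + $label.Substring($i + 2)
        [void]$variants.Add("$swapped.$suffix")
    }
    # Hyphen insertion (exam-ple) is a common brand impersonation pattern too.
    if ($i -gt 0) { [void]$variants.Add($label.Insert($i, '-') + ".$suffix") }
}

# Visually similar character swaps (homoglyphs).
$homoglyphs = @{ 'o' = '0'; 'l' = '1'; 'i' = 'l'; 'e' = '3'; 'a' = '4'; 's' = '5'
                 'm' = 'rn'; 'rn' = 'm'; 'w' = 'vv'; 'vv' = 'w' }
foreach ($from in $homoglyphs.Keys) {
    if ($label.Contains($from)) {
        [void]$variants.Add($label.Replace($from, $homoglyphs[$from]) + ".$suffix")
    }
}

# Same label under a different ending (example.com, example.net.au, example.co).
foreach ($alt in 'com', 'net.au', 'org.au', 'co', 'au', 'net') {
    if ($alt -ne $suffix) { [void]$variants.Add("$label.$alt") }
}
$variants.Remove($domain) | Out-Null            # never flag our own domain

"$($variants.Count) candidate look-alike domains generated."

# Which candidates are already live? An A record means someone has set the
# domain up; an MX record means it can send and receive mail.
$live = foreach ($v in $variants) {
    $a  = Resolve-DnsName -Name $v -Type A  -ErrorAction SilentlyContinue
    $mx = Resolve-DnsName -Name $v -Type MX -ErrorAction SilentlyContinue
    if ($a -or $mx) { [pscustomobject]@{ Domain = $v; HasA = [bool]$a; HasMX = [bool]$mx } }
}
$live | Format-Table -AutoSize

# Mail flow rule: tag anything arriving from a candidate domain so staff see the
# warning before acting on an invoice or a bank-detail change. -SenderDomainIs
# is an exact match on the sender's domain, so the whole list is passed in.
New-TransportRule -Name 'Warn: look-alike sender domain' `
    -SenderDomainIs ([string[]]$variants) `
    -PrependSubject '[SUSPECTED LOOK-ALIKE SENDER] ' `
    -SetHeaderName 'X-Lookalike-Domain' -SetHeaderValue 'true'
```

Re-run the DNS part on a schedule and compare with the previous run; a candidate that was unregistered last month and has an MX record this month is the signal a paid domain-monitoring service would alert on. The generated list is a starting point only: a determined scammer can use a spelling this script does not produce, so the rule complements, rather than replaces, staff verification of payment requests.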

In the event of business impersonation, visit the IDCARE factsheet ‘What to do when your business is impersonated’.

Protecting your online presence

Routinely check your business’s online presence. This involves doing an internet search to check whether there are any unrecognised social media pages, websites or business listings impersonating your business. It is also important to check your business’s legitimate platforms for any unfamiliar changes that indicate compromise of your account(s).

Delete any unused or out of date platforms. Social media sites that are mostly inactive are at higher risk of being misused as compromise is less likely to be detected by the owner.

Implement multi-factor authentication and strong, unique passwords for online platforms and accounts, ideally stored in a password manager. Change a password promptly whenever compromise is suspected; routine forced changes are no longer recommended by the Australian Signals Directorate or comparable international guidance, as they tend to produce weaker, predictable passwords.

Utilise available privacy and security checks. For social media accounts, a number of providers in their Settings and Privacy/Security allow users to run privacy and security checks. Many platforms also allow users to track the log-in history of their social media accounts and sign out any unrecognised devices.

For more protection advice about specific online platforms, visit IDCARE’s Social Media Fact Sheets.

Ransomware and Malware

Malware is software built to disrupt a business’s services and operations, or to steal or destroy its data. For small businesses, a malware infection may be used to gain access to, or control over, a computer, server or network. Malware is often spread through social engineering techniques which deceive individuals into unknowingly downloading and running it.

Small businesses are unlikely to have access to advanced security tooling or have the ability to utilise a third-party security service to maintain their devices and network which can leave them particularly vulnerable to malware infection if steps are not taken to mitigate the risk.

Some specific forms of malware that affect small businesses include:

Stealer Malware: Stealers are malicious programs designed to steal passwords, banking information, or other sensitive details. Stealers ultimately aim to use or sell this information for financial gain. Cybercriminals are known to deliberately target small businesses as their defences may not be as advanced as other larger organisations.

Keyloggers: Keyloggers are malicious programs that record the keys pressed on a device’s keyboard, in order to collect financial information and account login credentials. If a one-time MFA code is typed on the infected device, the criminal can capture it and use it, together with the stolen password, to sign in within the short window before the code expires. MFA methods that are not typed, such as security keys or passkeys, are not exposed in this way.

Ransomware: Ransomware is a specific form of malware that encrypts a business's data and blocks systems access, then demands a ransom payment to decrypt the data. Increasingly, ransomware groups are also resorting to leaking data or continuing to withhold data after a ransom payment. Cybercriminals know that small businesses are more likely to pay a ransom if their critical data is not backed up.

Common tactics of criminals spreading malware:

Phishing attempts through emails, websites or other forms of electronic communication which contain malicious links or attachments.

Tech support scams where criminals pose as software technicians and urge victims to install applications or provide remote access to their device.

Malvertising: Online advertising containing malware, which can redirect victims to harmful websites or even install malware on the device itself. These ads often present themselves on legitimate online advertising networks and websites.

Bundling malicious software with a trusted application, or disguising it as one, even as a fake antivirus product.

Pirated Software: Downloading and installing pirated software is a common way for malware infection to occur.

Unpatched Software: Software that has not been kept updated may contain vulnerabilities that can expose your device to exploits and malware infection.

Prevention

1. Keep your software updated and delete any software you don’t use

Cybercriminals exploit outdated software because it often contains known vulnerabilities for which a fix already exists but has not been applied.

So, it is important to:

Enable controls which ensure that security updates are automatically applied when they are available.

Remove software programs that you do not use.


2. Secure your data management system

Encrypt your business’s critical information assets, for example by turning on full-disk encryption (BitLocker on Windows, FileVault on macOS) on laptops and other devices that leave the office.

Set up and perform regular backups of your sensitive information (employee and customer information, payroll details, contract management files etc.) to an external storage device or a cloud backup service. Disconnect an external drive once the backup has finished, because ransomware will encrypt any backup drive that is still attached; keep at least one copy offline or in storage with version history; and test restoring from a backup periodically. This can be critical for safeguarding your business’s information assets in the event of a ransomware attack.


3. Run anti-virus software on your device:

For Windows 10 and 11 users:

Enable Microsoft Defender Antivirus (previously called Windows Defender) and automatic Windows updates so that the most recent security updates are downloaded and applied to your system.

Open the Windows Security app on your machine and check that the following areas show as enabled, with no further actions needed:

Virus and Threat Protection;

Firewall and Network Protection;

App and Browser Control; and

Account Protection.
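The same checks can be scripted so they are run the same way on every machine rather than clicked through by hand. The script below is an added example, not part of the IDCARE fact sheet or of Windows. It assumes it is run from an elevated PowerShell prompt on Windows 10 or 11 with Microsoft Defender Antivirus as the installed antivirus (a third-party product will legitimately show Defender as disabled), and the thresholds it uses for signature age, patch age and number of local administrators are suggestions, not Microsoft guidance.

```powershell
# Added example (not part of the IDCARE fact sheet): check the Windows 10/11
# protections listed above from an elevated prompt and report what needs attention.
# Assumptions: Microsoft Defender Antivirus is the installed antivirus; the
# thresholds (signature age, patch age, admin count) are suggested values only.

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail = '') {
    $results.Add([pscustomobject]@{ Check = $Name; OK = $Ok; Detail = $Detail })
}

# Virus & threat protection
$mp = Get-MpComputerStatus
Add-Check 'Defender antivirus enabled'  $mp.AntivirusEnabled
Add-Check 'Real-time protection on'     $mp.RealTimeProtectionEnabled
Add-Check 'Signatures under 3 days old' ($mp.AntivirusSignatureAge -lt 3) "Signature age (days): $($mp.AntivirusSignatureAge)"
Add-Check 'Tamper protection on'        $mp.IsTamperProtected

# Firewall & network protection: every profile (Domain, Private, Public) should be on.
foreach ($profile in Get-NetFirewallProfile) {
    Add-Check "Firewall enabled ($($profile.Name))" ($profile.Enabled -eq 'True') "Default inbound: $($profile.DefaultInboundAction)"
}

# App & browser control: SmartScreen for downloaded apps. The value is absent on
# a default install, which means the default ('Warn') is in effect.
$ss = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer' `
        -Name SmartScreenEnabled -ErrorAction SilentlyContinue).SmartScreenEnabled
Add-Check 'SmartScreen not turned off' ($ss -ne 'Off') "Setting: $(if ($ss) { $ss } else { 'default' })"

# Automatic updates: NotificationLevel 4 = download and install automatically
# (Windows Update Agent COM API).
$au = (New-Object -ComObject Microsoft.Update.AutoUpdate).Settings
Add-Check 'Updates install automatically' ($au.NotificationLevel -eq 4) "NotificationLevel: $($au.NotificationLevel)"

$lastPatch = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$patchAge  = if ($lastPatch) { (New-TimeSpan -Start $lastPatch.InstalledOn -End (Get-Date)).Days } else { 9999 }
Add-Check 'Patched within 45 days' ($patchAge -le 45) "Last hotfix: $($lastPatch.HotFixID) ($patchAge days ago)"

# Account protection / least privilege: day-to-day accounts should not be local
# administrators. Flag the machine if more than two accounts are in the group.
$admins = @(Get-LocalGroupMember -Group 'Administrators')
Add-Check 'Few local administrators' ($admins.Count -le 2) ($admins.Name -join ', ')

$results | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.OK })
if ($failed.Count -gt 0) { Write-Warning "$($failed.Count) check(s) need attention." }
```

A failed check is a prompt to look, not a verdict: a third-party antivirus, a managed update service, or a machine that has just been rebuilt will all produce warnings that have an innocent explanation. What matters is that every machine is checked and that anything unexplained is followed up.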

4. Never open suspicious links in emails, websites or pop-up notifications

For Microsoft 365 users, Safe Links in Microsoft Defender for Office 365 (formerly Advanced Threat Protection, ATP) extends phishing protection across the Office applications (e.g. Outlook, Excel, OneNote) and rewrites URLs so that they are checked at the time of each click, not only when the email arrived. This functionality requires a Defender for Office 365 licence or a licensing level that includes it.


5. Protect your network security: Most of these recommendations can be completed by logging into your router. If you do not have the technical knowledge to complete some of these tasks, you can engage your internet provider (e.g. Telstra, Optus) for assistance.

Check that your wireless network encryption is set to WPA2 or WPA3 (WPA3 where your devices support it; never WEP or an open network). This is a simple setting on your router which may already be enabled, however it is imperative that you confirm this is the case.

Change your router or modem administrator password from its default. Most manufacturers ship a well-known default (such as admin / password, or a password printed on a label on the device), and lists of these defaults are publicly available, so set a long, unique password of your own.

Check that the Wi-Fi router inbuilt firewall is enabled.

Change the default network name (SSID), which often reveals the router’s make and model. Hiding the SSID is optional: it stops the name being broadcast, but devices that know the network still reveal it when they connect, so it should not be relied on as a security control.

Check and remediate Wi-Fi router update requirements and configure auto-update, if available. This may be a manual process which involves updating the firmware of your router. You may need to check the manufacturer’s website (depending on the router used) for the latest available updates.

Consider enabling MAC address filtering (an allow list) on your router. A MAC address is the identifier linked to a specific network device (your phone, PC and tablet each have their own).

An allow list only admits devices whose MAC addresses you have added, which keeps casual or accidental connections off your home or business network. Note that MAC addresses are easy to copy and spoof, and modern phones randomise theirs by default, so this is a convenience measure rather than a substitute for WPA2/WPA3 encryption and a strong Wi-Fi password.

Disable remote administration on your Wi-Fi router. This prevents an outside party from reaching the router’s settings over the internet to monitor or alter your network.


6. Limit access controls for employees:

Application management controls:

Employers can limit what applications are available to employees and require permission-based installation of alternative applications. This can reduce the exposure your business has to malicious downloads by not allowing any unauthorised programs, including malware, to execute, unless there has been specific allowances made for it. There are software tools available to assist in application control and there are built in measures to most systems that will limit the ability for a user to be able to install applications. For more information please see the Australian Signals Directorate’s (ASD) information on Implementing Application Control.

Limit access to sensitive information to the employees who need it for their role, and keep administrator (privileged) accounts separate from the accounts used for daily work such as email and web browsing. This minimises the damage if an employee is deceived by a phishing email carrying malware, since the malware runs with that user’s permissions only.
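Application control of the kind the ASD guidance describes is built into Windows as AppLocker. The script below is an added example, not part of the IDCARE fact sheet or the ASD guidance: it builds a starter allow list from the software already installed in the standard program directories, tests it against a file, and deploys it in audit mode so nothing is blocked until the log has been reviewed. It assumes an elevated prompt on Windows 10 or 11 Enterprise or Education (the editions on which AppLocker enforcement is officially supported); the installer path under Downloads is a placeholder for whatever file you want to test.

```powershell
# Added example (not part of the IDCARE fact sheet or ASD guidance): build a
# starter AppLocker allow-list from installed software, dry-run it, and apply it
# in audit mode. Assumptions: elevated prompt, Windows 10/11 Enterprise or
# Education; the sample path below is a placeholder.

$policyPath = Join-Path $env:TEMP 'applocker-allowlist.xml'

# 1. Inventory what is already installed in locations only administrators can
#    write to. Scanning C:\Windows takes a while; Exe and Script are the
#    collections that matter most against malware delivered by email.
$fileInfo = foreach ($dir in 'C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows') {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Script -ErrorAction SilentlyContinue
}

# 2. Turn the inventory into rules: publisher rules for signed files (they keep
#    working across updates from the same vendor), hash rules for the rest.
#    -Optimize collapses files from one publisher into a single rule.
$policyXml = $fileInfo | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# 3. Audit first. New-AppLockerPolicy emits EnforcementMode="NotConfigured", and a
#    collection that has rules but no explicit mode is enforced, so switch every
#    collection to AuditOnly before applying anything.
$policyXml = $policyXml -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
$policyXml | Out-File -FilePath $policyPath -Encoding utf8

# 4. Dry-run the policy against a file a user might download. Anything outside the
#    inventoried directories that is unsigned or from an unknown publisher should
#    come back as Denied.
$sample = Join-Path $env:USERPROFILE 'Downloads\installer.exe'   # placeholder path
if (Test-Path $sample) {
    Test-AppLockerPolicy -XmlPolicy $policyPath -Path $sample -User Everyone | Format-List
}

# 5. Apply locally (merged with any existing policy) and make sure the Application
#    Identity service, which AppLocker depends on, starts automatically.
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
sc.exe config appidsvc start= auto | Out-Null
sc.exe start appidsvc | Out-Null

# 6. After a week or two in audit mode, review what would have been blocked
#    (event 8003 = audited, would be denied) before changing AuditOnly to Enabled.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-AppLocker/EXE and DLL'; Id = 8003 } `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-Table -Wrap
```

The audit-mode step is the important one: an allow list that blocks the accounting package on the first day of enforcement will be switched off and never turned back on. Review the 8003 events, add rules for legitimate software that was missed, and only then change the collections to Enabled.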

Stay Vigilant and Informed

To stay abreast of the latest scams and cybercrimes impacting our community, you can subscribe to our free online newsletter.

To gain some insight as to your business's resilience to cybercrime, complete IDCARE’s Small Business Cyber Health Check. CyberWardens also offers a Health Check here.

For general advice and resources on how to protect your business, visit CyberWardens and cyber.gov.au.

Disclaimer

Identity Care Australia & New Zealand Ltd (IDCARE) provides identity and cyber security incident response services (the Services) in accordance with the following disclaimer of service:

  • IDCARE is Australia and New Zealand’s national identity and cyber incident community support service. IDCARE is a not-for-profit and registered Australian charity.
  • The Services provided do not constitute legal advice. IDCARE recommends that you consult your own legal counsel in relation to your legal rights and obligations, including but not limited to your legal rights or obligations under Australian and international privacy and data protection laws.
  • While every effort has been made to ensure the accuracy of the content provided, to the maximum extent permitted by law all conditions, terms, representations, and warranties (in each case, whether express or implied) in connection with the provision of the Services which might otherwise be binding upon IDCARE are excluded.
  • IDCARE’S liability for any loss or damage suffered by any person or organisation (including, without limitation, any direct, indirect or consequential loss or damage) arising out of or in connection with the Services (including without limited liability for any negligent act or omission, or statement, representation or misrepresentation of any officers, employees, agents, contractors or consultants of IDCARE) shall be limited to the fees paid by you to IDCARE in respect of the Services. For the avoidance of doubt, this limitation of liability extends to any liability arising from any actions performed or not performed as a result of any recommendations made in the course of providing the Services.
  • If you would like to provide feedback please use our Feedback Form.

CONTACT US

IDCARE is here to provide you with specialist support and guidance when faced with a cyber and identity related issue. Contact one of our Identity & Cyber Security Case Managers to learn more about our Support Services and how we can help you.   

Get help
ONLINE FORM

Submit a web request


Call our AUSTRALIAN
NATIONAL CASE MANAGEMENT CENTRE

1800 595 160

Mon - Fri: 8am - 5pm AEST

QLD: 07 3555 5900
ACT & NSW: 02 8999 3356
VIC: 03 7018 2366
NT, SA & WA: 08 7078 7741


call our NEW ZEALAND
NATIONAL CASE MANAGEMENT CENTRE

0800 121 068

Mon - Fri: 10am - 7pm NZST

AKL: 09 884 4440