Top 3 Cyber Crimes Impacting Small Businesses
The latest Cyber Threat Report reveals cyber criminals are still relying on these common techniques to infiltrate businesses’ IT security.
The Australian Signals Directorate's (ASD) Annual Cyber Threat Report has identified the top three cybercrimes affecting small businesses as Business Email Compromise (BEC) scams (also known as inbox break-ins), phishing, and banking burglary.
In this IT Explainer, we break down what each of these means and how you can safeguard your business against these increasingly prolific cyber threats.
1. Business Email Compromise (BEC) Scams
BEC scams, or inbox break-ins, involve a criminal gaining access to a business email account to deceive employees or partners into making fraudulent payments or revealing sensitive information. The Australian Cyber Security Centre (ACSC) has categorised BEC scams into three types:
Invoice Fraud: A scammer impersonates a legitimate supplier or vendor to trick a business into paying a fraudulent invoice.
Employee Impersonation: A criminal poses as an employee, often a senior executive, to deceive a colleague into making an unauthorised payment or transferring sensitive information.
Company Impersonation: A cybercriminal impersonates a company's email address to deceive its clients or suppliers into making fraudulent payments.
A key warning sign of a BEC scam is the receipt of an email requesting payment to new or different bank account details. These can often come from a compromised or spoofed email address that looks legitimate.
Other red flags include:
Uncommon email addresses: The sender's email address may have a slight variation or be from an unusual domain.
Unusual requests: The email might contain an unexpected request from a known contact, such as a boss or supplier.
Urgency: Scammers often create a sense of urgency to pressure the recipient into acting quickly without thinking.
Poor quality: The email may contain typos, grammatical errors, or an unprofessional format.
To avoid falling victim to these scams, it's crucial to confirm any unusual payment requests by contacting the sender through a known, trusted method, such as a phone number you have on file, not the one provided in the suspicious email.
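As an added illustration, not from the original article, the Python below checks a message's From and Reply-To headers for the "uncommon email address" red flag described above: lookalike characters, a one- or two-letter variation on a known partner domain, and replies routed to a different domain than the one that appears to have sent the mail. The trusted-domain list and the sample addresses are constructed for the example.

```python
import unicodedata
from email.utils import parseaddr

# Constructed list of domains this business legitimately deals with (assumption).
TRUSTED_DOMAINS = {"acme-supplies.com.au", "northbank.com.au"}


def normalise(domain: str) -> str:
    """Fold characters that look alike so a lookalike collapses onto the real domain."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))  # drop accents: 'é' -> 'e'
    d = d.replace("rn", "m").replace("vv", "w")               # 'acrne' -> 'acme'
    return d.translate(str.maketrans("0135", "oles"))         # 'supp1ies' -> 'supplies'


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one or two edits is the typical typo-squat (a dropped or swapped letter)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header: str) -> str:
    """Lower-cased domain part of an address header such as 'Name <user@example.com>'."""
    return parseaddr(header)[1].rpartition("@")[2].lower()


def assess_sender(header_from: str, reply_to: str = "") -> list[str]:
    """Return the red flags found in the From/Reply-To headers; an empty list means nothing odd."""
    flags = []
    domain = domain_of(header_from)
    if domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if normalise(domain) == normalise(trusted):
                flags.append(f"{domain} imitates {trusted} with lookalike characters")
            elif levenshtein(normalise(domain), normalise(trusted)) <= 2:
                flags.append(f"{domain} is within two edits of {trusted}")
    rt_domain = domain_of(reply_to) if reply_to else ""
    if rt_domain and rt_domain != domain:
        flags.append(f"replies go to {rt_domain}, not to the sending domain {domain}")
    return flags
```

A sender that passes these checks can still be a compromised genuine account, which is why the out-of-band phone confirmation above remains the decisive control for any change of bank details.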
2. Phishing
Phishing is a cybercrime where criminals impersonate a person or organisation to trick a victim into giving up sensitive information. They often pose as a legitimate company, such as a bank or telecommunications provider, to catch victims off guard. The goal is to deceive you into providing personal details, such as a username, password, or account information. Phishers may also try to get you to click on a malicious link that installs tracking software on your computer.
While some phishing attempts may contain obvious signs like bad spelling, strange icons, and unformatted text, scammers are becoming more sophisticated and can replicate genuine-looking emails.
To protect yourself from phishing, be cautious of:
Dodgy links: Where possible, hover your mouse over a link to see a preview of the actual URL before clicking it. If it seems suspicious, open the business's website by typing its address into your web browser yourself and search there for the notice in question to confirm your suspicions.
Notifications that should be secure: Be wary of requests for sensitive information that typically come through secure systems, such as bank or government notifications. If you’re not expecting communications, this can be a major indicator that something is not quite right.
A sense of urgency: Scammers often create undue pressure to act quickly. If it doesn’t mirror previous experiences with a service provider, treat it as suspect.
The best response to phishing is to report the message, delete it and block the sender. Never click on links or open suspicious attachments. If you suspect you have accidentally provided details that may jeopardise your operations, contact your IT Security team straight away.
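To make the "hover over the link" advice concrete, here is an added Python example, not part of the original article, that performs the same comparison automatically over an HTML email body: it flags links whose visible text names one domain but whose href leads to another, links that hide the real host behind a `user@` prefix, and plain-http links. The sample email and the registrable-domain heuristic are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

DOMAIN_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")  # a domain name inside link text


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Crude registrable-domain guess (assumption): last two labels, or three for .com.au-style suffixes."""
    labels = host.lower().split(".")
    if len(labels) >= 3 and labels[-2] in {"com", "net", "org", "gov", "edu"} and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def suspicious_links(html_body: str) -> list[str]:
    """One reason per link whose real destination does not match what the reader sees."""
    parser = LinkCollector()
    parser.feed(html_body)
    reasons = []
    for href, text in parser.links:
        dest = urlparse(href)
        host = dest.hostname or ""
        shown = DOMAIN_RE.search(text.lower())
        if dest.username:  # https://bank.example@other.example: the part before '@' is not the host
            reasons.append(f"'{text}' -> real host is {host}, not {dest.username}")
        elif shown and registrable(shown.group(1)) != registrable(host):
            reasons.append(f"'{text}' shows {shown.group(1)} but goes to {host}")
        elif dest.scheme == "http":
            reasons.append(f"'{text}' uses unencrypted http to {host}")
    return reasons


# Constructed sample body: two deceptive links followed by one genuine one.
SAMPLE_EMAIL = """<p>Suspicious activity detected on your account.</p>
<a href="https://northbank.com.au.verify-login.example/">Log in at northbank.com.au</a>
<a href="https://northbank.com.au@verify-login.example/">Secure portal</a>
<a href="https://northbank.com.au/help">Help centre</a>"""
```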
3. Banking Burglary
Online banking burglary occurs when cybercriminals gain unauthorised access to your business bank accounts, allowing them to transfer funds to external accounts. A single compromised password can give criminals access to multiple business systems and accounts.
One example of this is a recent text message scam in which a retail shop owner in Brisbane received a fraudulent text message about suspicious activity on her business account. The scammer, posing as a bank representative, sent her a link to log into her account and then asked her to read out a verification SMS, despite the message itself warning not to share the code with anyone. The victim realised it was a scam when she was asked to verify a transfer out of her account rather than a protective measure. She hung up, contacted her bank and had her accounts locked before the scammers could remove any funds. This case highlights the importance of recognising the signs of a scam and acting quickly.
To prevent online banking fraud, consider these tips:
Use unique passwords: Each business bank account must have its own unique PIN, password, or passphrase.
Create strong passwords: Use passwords that are long (aim for more than 14 characters), strong, and unique, with a mix of letters, numbers, and symbols.
Consider passphrases: Upgrade to passphrases, which are unique sequences of four or five random, unrelated words.
Enable 2FA: Set up two-factor authentication as an absolute minimum. If you need help setting this up, contact your IT support team.
How IT Strategic can help prevent common cyber threats affecting SMEs
Protecting your small business from these cybercrimes is critical. IT Strategic provides a range of services designed to help you build resilience and defence against these threats.
Managed Detection and Response (MDR): The 24/7 MDR service from IT Strategic provides continuous monitoring and management to proactively detect, mitigate, and respond to threats. This can help to prevent inbox break-ins, phishing attacks, and unauthorised access to your banking accounts.
Monitored DMARC Service: This service focuses on email security and domain protection, which is crucial for preventing BEC scams and other email-based attacks by ensuring that only legitimate emails from your domain are delivered.
Cyber Security Awareness Training and Testing: IT Strategic offers training and testing to educate your staff on how to identify and avoid common cyber threats, such as phishing emails and other social engineering tactics. A well-trained team is your first line of defence.
Multi-Factor Authentication (MFA): IT Strategic assists with implementing MFA across your business systems. MFA adds an extra layer of security, making it significantly harder for criminals to access your accounts even if they have stolen a password. This is a key measure in preventing banking burglary.
IT Security and Assessment: Using frameworks such as the Essential Eight, IT Strategic can assess your current security posture, identify vulnerabilities, and create a tailored security strategy to protect your business. This holistic approach ensures all areas, from email to online banking, are secured.