CIO

Record Australian BEC, scam losses highlight need for better end-user education

Despite growing awareness, scammers are managing to steal more from Australians than ever

Australian small businesses lost 42 percent more to business email compromise (BEC) scams in the first half of 2019 than in all of 2018, according to new figures from the ACCC that peg losses to other scams at more than $2.5m for the first half of this year.

Some $5.4m was extracted from unwitting Australian victims between January and June this year, the Australian Competition and Consumer Commission (ACCC) revealed in its latest Small Business in Focus report.

The figures, which come from the organisation’s Scamwatch advisory service, are a fraction of punishing US losses but reflect the growing exposure of businesses to a threat that has become increasingly well understood as losses mounted in recent years. Recent figures suggested that BEC is becoming favoured by scammers at the expense of ransomware, with Proofpoint recently noting a marked change in attack methods.

Increasing awareness is not necessarily translating into reduced losses, however: Scamwatch this month warned that Australians were set to lose a record amount to scammers – with reported losses on track to exceed $532m by the end of this year.

That included $14.76m lost to cryptocurrency scams during the first half of the year alone, with many scammers painting a veneer of legitimacy using social-media platforms, fake celebrity endorsements, or fake online trading platforms.

Small businesses, the ACCC said, were being targeted by scammers with false billing scams, fake offers for website or IP renewals, and even threats to ruin a business with negative online reviews unless a Bitcoin payment was made.

These revelations, coming on the heels of this month’s National Scams Awareness Week, are a warning shot across the bow for managers who assume their staff are scam- and BEC-proof.

“Many people are confident they would never fall for a scam but often it’s this sense of confidence that scammers target,” ACCC deputy chair Delia Rickard said in a statement.

“People need to update their idea of what a scam is so that we are less vulnerable. Scammers are professional businesses dedicated to ripping us off. They have call centres with convincing scripts, staff training programs, and corporate performance indicators their ‘employees’ need to meet.”

The surge in scam losses coincides with an overall explosion in threats across the cybersecurity landscape, with Fortinet recently reporting that the shift from ransomware to targeted attacks had continued to pick up speed throughout 2019.

That’s a major issue for companies that are focusing on conventional threats and may assume their employees are smart enough to avoid compromise by BEC and other scams.

Growing losses suggest otherwise – reinforcing the need for both training and vigilance.

“It’s best to assume scammers are everywhere, waiting for you to let your guard down,” Scamwatch advises.