In a recent article, Holman Webb highlighted the importance of the Essential Eight mitigation strategies recommended by the Australian Cyber Security Centre (ACSC) which, if implemented, minimises the chance of an organisation falling victim to a cyber-attack.
With this in mind, we thought it timely to remind readers of the importance of staff training and cyber-security vigilance.
It is crucial for organisations to provide effective employee training in order for staff to be able to identify these types of scams. Specific training is crucial within this particular context, as unlike some others, BEC scams are not reliant on a technical loophole or software breach - but rather, on your staff accepting the validity of a fraudulent email.
These types of scams arise when a cyber-criminal impersonates a supplier. The criminal sends an email to a customer of that supplier (which for all intents and purposes looks like a legitimate email from the supplier) advising the customer that the business has changed banking details, and subsequently asking the customer to pay future funds into a new bank account.
If your staff receive such a request, no matter how normal it looks, it is important that they know to never accept change to account details issued via email. In these situations, direct contact should be made with the supplier via phone.
Crucially, you should NOT contact the supplier using the telephone number that appears on the invoice or email you have just received - as the number may be fraudulent, and you will merely be directed to the scammer, who will confirm the accuracy of the new account details, as part of the scam.
Holman Webb has also assisted clients in situations where a simple reminder has been sent out to customers (by the cyber-criminal) which looks like a standard reminder, but which contains a small change to the account details referred to in the reminder. Again, organisations should provide training to staff in order for them to both recognise where account variations have occurred, and know to hold off on transferring any funds until oral confirmation is received from the supplier - ensuring that the employee is using the correct account.
Over the past twelve months, Holman Webb has assisted numerous clients who have (or who have nearly) fallen victim to such email scams: the unfortunate reality is that they are becoming very common.
Legally, you may consider inserting new provisions in your terms and conditions confirming that you will never provide notification of a change to your account details via email - and that if any customer receives notification of such a change, they should contact your organisation directly to seek confirmation before making any payment in accordance with that variation. You could also include a similar statement on the base of your invoices.
As an example, Holman Webb includes a statement at the end of every email issued advising people to contact us by telephone if they receive any request in relation to deposits or transfers of money. This statement warns recipients not to action the request until we have confirmed the authenticity of the email.
The inclusion of these provisions may assist in future negotiations where the customer alleges that they have paid the bill; the supplier obviously hasn't been paid and a dispute arises in relation to the legal rights of the parties. Both, arguably, are innocent parties who have been defrauded - but who wears the loss?
If you have a query relating to any of the information in this article, or for assistance in respect of any of the above - please don't hesitate to contact Tal Williams, Partner within Holman Webb's Technology Law, and Business, Corporate and Commercial Groups.