Business email compromise

Business email accounts are important to day-to-day operations. They usually hold a lot of information about billing cycles and bank accounts, and often have large contact lists. This information is valuable to your business and it’s also attractive to scammers. If they get access to your business email, they can use it to send emails pretending to be from your business to try and trick your contacts into sharing personal and financial information, or paying bills to their bank account instead of yours.

Business email compromise can affect small companies through to large organisations, and result in loss of finances and private information. It can also cause reputational risk.

The most common way business email compromise occurs is when a scammer gets access to an employee’s email password. They can access passwords in a number of ways including:

guessing or code cracking weak passwords
finding passwords in credential dumps
collecting account login information through phishing campaigns.

What can happen

Once the scammer has access to the email account, they can use it for a range of attacks or scams including:

sending fake invoices pretending to be from the business
intercepting legitimate invoices and changing the payment details to redirect payments to their bank account
sending phishing emails
sending malware.

How to prevent it

There are some simple measures you and your staff can put in place to strengthen your business email security.

Add an extra layer of security to your accounts with two-factor authentication (2FA).
Use strong, long and unique passwords on all your accounts. Encourage staff to use a password manager to help them remember all their passwords.
Don’t give out personal information online, whether on social media or by email.
Verify payments with an SMS or call to the person or business who sent you the invoice.

Protect accounts with 2FA

Keep data safe with a password manager

What to look for

Ask your IT provider to monitor your business email and check:

auto-forwarding rules on email accounts, especially those relating to accounts receivable
auto-filtering rules on email accounts to see if there are any rules that you did not set up
email access logs to look for any unusual login behaviour like a change in log in times and unexpected or foreign IP addresses.

If you experience business email compromise

If you discover that an email account within your business has been compromised, there are some steps you can take to help reduce the impact

Make sure you change the passwords on all affected email accounts immediately to prevent the scammer from accessing the account and sending any further emails.
Set up 2FA.
Tell your IT provider.
Ask your IT provider to check your system for any installed malware.

Report to CERT NZ

Case study: Business compromise leads to advisory

An IT provider noticed that one of its clients was receiving emails pretending to be a recognised supplier.

The emails contained fake invoices and were attempting to trick the client into paying the invoiced amount into the attacker’s account.

The affected business investigated and discovered that the emails and fake invoices had been sent to people within the business and to some of its external customers.

The emails seemed legitimate. For example, they included knowledge of recent goods requests and costs. However, there were small differences in the email addresses which staff picked up on before any payments were made.

The business discovered that an employee’s email account had a simple password, making it easy for the attackers to gain access and forward emails containing words like 'account', 'invoice' and 'pay' to an external address belonging to the attacker. These emails allowed the attackers to gather information about the business’s billing cycles and behaviours, helping the attackers to create invoices that looked legitimate.

The compromise went unnoticed for at least six months as the attacker was deleting the forwarded emails from the employee’s account.

CERT NZ analysed the detail from this report and others, and published an advisory about:

the extent and nature of invoice scams
how to protect against them, and
what to do if you’ve received a fake invoices.

Advisory: Invoice scams affecting New Zealand businesses

CERT NZ recommends these simple steps to protect your business:

Strengthen your email account security – by keeping your software and systems up-to-date and using strong, unique passwords for each account.
Secure your network – especially when using systems that can be accessed remotely (including remote desktop protocol (RDP). Use strong, unique passwords and enable two-factor authentication (2FA) where you can.
Review your business processes – ensure that your processes don’t rely solely on email. Verify payments to new or different accounts by phone before making the transaction. This can help prevent losses.
Protect against email spoofing – this is when attackers send you emails pretending to be from legitimate businesses. Protect against this with solutions such as DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC).

CERT NZ’s top 11 cyber security tips for business

Here's what you need to know to help secure your business email.

Download A4 [PDF, 35 KB]

Read CERT NZ's 2022 Report summary, out now

Read CERT NZ's latest Quarter Four Cyber Security Insights Report out now