Criminals can use the summertime to target businesses, so it’s a good idea to be extra vigilant at this time of year.

The security group CSIS has warned that the summer months are ‘high season’ for business email compromise (BEC) attacks, and businesses with multiple staff members on holiday are especially susceptible.

Small and medium-sized enterprises (SMEs) using software packages such as Microsoft Office365, without multifactor authentication controls, are particularly vulnerable to this type of attack, says our fraud awareness specialist, John Allcock.

“Threat actors typically launch phishing campaigns impersonating online office suites, which contain links directing recipients to fake user login pages, where credentials are harvested,” he says. 

“They can then use access to business email accounts to impersonate staff, and request that payments are made to bank accounts which they control.”

Impersonation scams involve criminals impersonating senior members of staff and asking employees to make bogus payments to bank accounts they control.

These scams are widespread and it’s important that businesses educate their staff to impersonation threats. You can read more about impersonation scams here.

1. Ensure that multi-factor authentication is activated when using online office suites
2. Establish a two or three-layer approval process for money transfers 
3. Create awareness about BEC fraud, with special focus on departments such as accounting, procurement and payroll 
4. Consider what contact and employee information is shared on your website or social media channels
5. Employ an effective spam, web and DNS filter 
6. Be careful with auto-response emails and don’t share non-critical information about holidays, including location and duration, on social media 
7. If in doubt about an email you receive, call the sender and confirm by phone 

Criminals are also combining different fraud attacks to create a sophisticated new scam targeting businesses.

The criminal sends an invoice request to a target, who is often working in the finance team of the victim organisation, but crucially the fraudster copies in the target’s boss in the email, using a bogus email domain resembling the boss’s real one.

The fraudster, pretending to be the target’s boss, then replies to the email and insists that the invoice is paid immediately.

Thinking they are receiving a direct instruction from their boss, the target pays the fraudulent invoice, unwittingly sending money to an account controlled by the fraudster.

“It’s very easy to be caught out by this type of scam, so it’s a good idea to remind staff to always double-check all email addresses are genuine,” says John. “If in doubt, staff should confirm their boss’s instructions in a phone call.”

Every single person in your business can help prevent fraud and keep your business safe. Anyone can be a target at any time of the year, so it’s vital to educate all employees, not just those who manage finances. 

You can learn more about the threat of BEC and how you can protect your business against the threat of fraud by visiting our fraud awareness hub.