Create a free account, or log in

Cyber criminals are exploiting out-of-office emails to scam small businesses

Something as simple as including holiday details in your out-of-office email could give cyber criminals an edge over your business, SME experts warn, as the methods used by digital crooks become increasingly advanced.
David Adams
David Adams
cyber-attack-cyber-security equifax hackers latitude
Source: Unsplash/Jefferson Santos.

Something as simple as including holiday details in your out-of-office email could give cyber criminals an edge over your business, SME experts warn, as the methods used by digital crooks become increasingly advanced.

On Wednesday, small business representatives and staff from both Telstra and Commonwealth Bank convened at the 2023 SmallBiz Week conference in Melbourne to discuss the mounting cyber threats facing independent businesses across Australia.

While data breaches afflicting companies like Latitude, Optus, and Medibank have stolen headlines, the panel noted that small businesses are no less susceptible to cyber crime.

The value of those individual attacks may be smaller than those orchestrated against major companies, but the consequences of successful cyber attacks on small businesses are no less profound, said Tim Smith, national membership manager for the Family Business Association.

“Could your business afford to lose, ten, twenty, thirty thousand dollars?” Smith said, noting that for some small businesses, a financial blow caused by a cyber attack could be enough to “shut the doors” for good.

Alarmingly, Smith said cybercriminals are using increasingly sophisticated means to fool business owners and staff, funneling significant sums into fraudulent bank accounts.

Smith said he was aware of a business whose CEO took leave and used their out-of-office email to inform others of their holiday to Italy.

A cyber criminal became aware of that out-of-office email, and social media posts depicting the CEO enjoying their time in Europe.

They impersonated the CEO, and told a staff member their bank account had been locked because of their travel abroad.

The cyber criminal told the worker to transfer money to a separate bank account belonging to the ‘CEO’.

The ruse was successful, Smith said.

In Italy, the real CEO woke up to discover funds missing from the company accounts, with no apparent explanation.

Simple steps can save massive losses, experts say

As cyber criminals become more brazen, the federal government has committed $23.4 million to the Cyber Wardens initiative, a collaboration between the Council of Small Business Organisations, Telstra, and Commbank, designed to educate and upskill small business stakeholders with cyber security know-how.

Before that funding comes into full force, Cyber Wardens’ representatives are advocating simple, practical measures to ward off cyber attacks.

Tegan Gilchrist, director of 89 Degrees East and leader of the Cyber Wardens program rollout, said the ‘Italy’ incident is emblematic of the way cyber criminals are targeting small businesses.

Criminals are not just exploiting traditional ‘hacks’, technical breaches, and scattergun login attempts, but are targeting vulnerable business personnel and convincing them to hand over funds and sensitive data.

However, the fact cyber criminals are exploiting individuals means those same workers can learn how to spot fraudulent offers and other scam attempts.

“You don’t have to be Mark Zuckerberg to defend your business,” she said.

Simple steps to boost small business cyber security include:

Using unique passwords

Ensuring each separate digital account and business software system uses a different password can stop a cyber criminal from turning one breach into a catastrophic attack.

Double-checking payment details

Business email compromise scams occur when cyber criminals send doctored invoices from a legitimate email account, causing suppliers to send payments to the wrong bank account.

Beyond adopting e-invoicing, the simplest way to avoid this scam is to pay attention to the BSB and account numbers and contact a supplier directly through a trusted phone number if the details appear suspicious.

“It’s not fun to introduce that level of friction, but it definitely might save your bacon,” said Darren Pauli, senior project specialist at Telstra.

Multi-factor authentication

Enabling multi-factor authentication means anyone accessing a sensitive platform or account will need to log in on not one approved device, but two, limiting the ability for cyber criminals to meddle in business affairs.

Updating software

As software developers improve their platforms, security updates roll out to end users. Keeping your programs up to date will make it harder for cyber criminals to rely on old software vulnerabilities.

Enabling auto-update features is a simple way to stay up-to-date.

Keeping data backups

A data breach can grind business to a halt, but the cost of ‘returning to normal’ may actually be greater than the cost of lost trade.

Making sure your business has vital information securely backed up can help you get back up to speed in case of a data breach.

“If your business can restore the data when you need to, you can keep the lights on,” Pauli said.

Limiting responsibility for payments

Small businesses can consider limiting who in the business has access to payment information, said Matthew Addison, chair of the Council of Small Business Organisations Australia.

Doing so could limit personal vulnerability to debilitating scams.

“We need to be practical: below $500, perhaps anyone can do it,” he said.

“But if it’s above $5000, maybe that needs to be authenticated.”

Sharing information about scam attempts

Amy Morgan, executive manager of small business banking at Commonwealth Bank, urged SMEs to alert their financial institution of scam attempts, even if they are unsuccessful.

“I think we need to do a lot of work around demystifying and sharing,” she said.

“Knowledge is power. If [you] get scammed, I want to know about it. Share around that number, that email.”

Small businesses can also report scam attempts to the Australian Competition and Consumer Commission’s ScamWatch.