Protect Your Not-for-Profit from Business Email Compromise Fraud

General

As digital communication becomes increasingly integral to operations, not-for-profit organisations must stay vigilant against cyber threats. One of the most prevalent and damaging cybercrimes today is Business Email Compromise (BEC) fraud.

According to the Australian Cyber Security Centre (ACSC), BEC fraud is among the top cyber threats affecting Australian businesses, including not-for-profits, leading to significant financial losses.

Understanding Business Email Compromise Fraud

Business Email Compromise fraud involves the manipulation of legitimate email accounts to misdirect funds.

Cybercriminals typically intercept genuine emails or invoices from known partners, altering banking details to divert payments to fraudulent accounts. Victims usually remain unaware until the intended recipient reports the missing payment or discrepancies are discovered.


Types of Business Email Compromise Fraud

  1. Fake Invoice Scheme: Cybercriminals send a falsified invoice that appears legitimate.
  2. CEO/CFO Impersonation: Fraudsters impersonate high-ranking officials to request large transfers.
  3. Account Compromise: Hackers gain access to email accounts to manipulate financial transactions.
  4. Lawyer Impersonation: Fraudsters pose as legal representatives to mislead employees.
  5. Theft of Personal Information: Employee data is stolen to facilitate fraudulent activities.


Case Example:

In July 2021, an Australian financial firm paid over $600,000 on behalf of a client after receiving a falsified invoice. Despite reporting the incident immediately, only $140,000 was recovered. Such incidents highlight the substantial financial impact of Business Email Compromise fraud.


Impact of Business Email Compromise Fraud on Not-for-Profits

Business Email Compromise fraud can have devastating effects on not-for-profit organisations:

  • Financial Losses: Unrecovered funds can jeopardise operational budgets and projects.
  • Reputational Damage: Public disclosure of cyber breaches can erode trust and deter donors.
  • Operational Disruptions: Staff morale and productivity can suffer, especially if key personnel are held accountable for the breach.
  • Increased Insurance Premiums: Repeated incidents may lead to higher premiums or difficulty obtaining coverage.


According to the ACSC 2020-21 Annual Report, the reported losses for Business Email Compromise offences were over $98 million AUD – representing a 15% increase on the losses from previous years. According to the ACSC 2022-23 Annual Report, reported losses for Business Email Compromise offences for the most recent financial year neared $80 million AUD and, on average, the financial loss from each BEC incident was over $39,000.

Despite the best efforts of law enforcement agencies, only a small fraction of Business Email Compromise financial losses are ever recovered.


How to Protect Your Organisation Against Business Email Compromise Fraud

To safeguard your not-for-profit from Business Email Compromise fraud, implement robust policies and proactive measures:

  1. Verify Payment Requests:
    • Introduce approval processes for changes in payment details or large transfers.
    • Verify requests by calling the sender, even if the request seems legitimate.
  2. Employee Training:
    • Regularly train staff to identify phishing and spear phishing attempts.
    • Encourage critical thinking before responding to unusual requests.
  3. Email Security Measures:
    • Multi-Factor Authentication (MFA): Implement MFA to add an extra layer of security.
    • Domain Name Management: Renew old domain names and register similar ones to prevent criminals from impersonating your organisation.
    • Email Authentication Protocols: Set up protocols to prevent email spoofing.
  4. Privacy Protection:
    • Limit the amount of personal and organisational information shared online.
    • Regularly review and update privacy settings on social media and professional platforms.
  5. Watch for Red Flags:
    • Be cautious of emails marked as “urgent” or containing unusual requests.
    • Check for subtle changes in email addresses or bank details.


Other Key Terms

Phishing: The practice of sending emails from a supposedly known or trusted sender to induce individuals to reveal confidential information. Look for a non-specific greeting such as “Dear Valued Customer”.

Spear phishing: A highly targeted email aimed at a single individual.

Email compromise: This may occur by:

  • Installing a virus or malware on a specific computer system.
  • Sending phishing emails to hundreds or thousands of victims with links to fake websites asking users to update their personal information and/or passwords. Offenders rely on victims using the same passwords for multiple systems. Once an offender has access to an individual’s legitimate email, they can change permissions as well as automatically delete emails forwarded from the victim’s system.
  • Spoofing a legitimate email with a forged sender address – commonly by changing one or two characters of the legitimate address. For example, a “w” might be changed to the letter “v” twice.
  • Using brute-force attacks against email accounts with poor passwords.

Note: it is not always possible to identify how the victim’s email system has been compromised.
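The look-alike sender addresses described above (a “w” replaced by “vv”) and the “subtle changes in email addresses” the protection checklist says to watch for can be screened automatically before an invoice reaches the person who approves payment. The following Python is an added example, not code from the article or from The Breakthrough Office; the trusted-partner domains, the confusable-character table and the sample addresses are constructed for illustration.

```python
import re

# Constructed allowlist: the domains your finance team genuinely deals with.
TRUSTED_DOMAINS = {"example-charity.org.au", "worldwide-supplies.com"}

# Character sequences that look alike on screen (illustrative, not exhaustive).
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l"), ("cl", "d")]


def normalise(domain: str) -> str:
    """Fold look-alike sequences so 'vvorldvvide' compares equal to 'worldwide'."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, to catch a domain that differs by a typo or two."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str) -> str:
    """Return 'trusted', 'lookalike', 'unknown' or 'invalid' for a From: address."""
    match = re.fullmatch(r"[^@\s]+@([^@\s]+)", address.strip())
    if not match:
        return "invalid"
    domain = match.group(1).lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        # An exact match after folding confusables, or a domain within two edits of a
        # partner's, is a look-alike: hold it for the phone verification the checklist asks for.
        if normalise(domain) == normalise(trusted) or edit_distance(domain, trusted) <= 2:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample From: addresses, as they might appear on incoming invoices.
    for sender in ["accounts@worldwide-supplies.com", "accounts@vvorldvvide-supplies.com",
                   "finance@exarnple-charity.org.au", "invoices@gmail.com"]:
        print(f"{sender:40} -> {classify_sender(sender)}")
```

An "unknown" result is not proof of fraud, only that the domain is not a partner you have on file; the value of the check is that "lookalike" results are routed to a person who verifies by phone rather than paid.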


How We Can Assist

At The Breakthrough Office, we understand the unique challenges not-for-profit organisations face in maintaining cyber security.

Our services are tailored to help you:

  • Develop and Implement Financial Security Systems: We assist in creating comprehensive systems to manage and safeguard your financial transactions.
  • Create Strong Delegations: We help establish clear and robust delegation protocols to ensure accountability and prevent fraud.
  • Train and Develop Your Team’s Awareness: Our ongoing training is designed to keep your staff informed and prepared to handle potential financial cyber threats.

Protecting your organisation from Business Email Compromise fraud requires vigilance and proactive measures. By partnering with The Breakthrough Office, you can strengthen your cyber security posture and ensure the safety of your valuable resources.

For more information on how we can assist your Not-for-Profit, contact us here.

By taking these steps, not-for-profits can significantly reduce the risk of falling victim to BEC fraud, safeguarding their operations and maintaining the trust of their donors and stakeholders.
