Business email compromise (BEC) is a form of targeted phishing, or spear phishing. Criminals target organisations and try to scam them out of money or goods. They also target employees and try and trick them into revealing important business information.   

Business email compromise (BEC) is a form of targeted phishing, or spear phishing. Criminals target organisations and try to scam them out of money or goods. They also target employees and try and trick them into revealing important business information.   

Criminals use emails to pretend to be business representatives. They also use the compromised email accounts of employees.

Maybe a friend, colleague, or service provider has received a suspicious email from ‘you’, but you didn’t send it. The email may request payment for an invoice or ask to change bank account details.

Alternatively, maybe you noticed you are receiving unusual emails in your own email account. They may be about suspicious login activity or unexpected password resets. You might have also noticed emails have been deleted or moved to different folders.

These could be indicators of BEC.

A data breach occurs when sensitive or personal information is accessed, disclosed or exposed to unauthorised people. This may be by accident, or the result of a security breach. For example, when an email with personal information is sent to the wrong person, or a computer system is hacked and personal information is stolen.

Organisations collect and store many personal details. You trust them with details such as your address, phone number, identification documents, credit card number, health records and more.

If your information is involved in a data breach, the potential consequences can be far reaching. Depending on the information involved, a data breach may lead to the compromise of your online accounts, including banking. The information could also be used in targeted scams and to steal your identity.

The Notifiable Data Breaches scheme

In Australia, the Notifiable Data Breaches scheme means many organisations must tell you if your personal data has been involved in a data breach and this has put you at risk of serious harm. This could include serious physical, psychological, emotional, financial or reputational harm.

When an organisation notifies you about a data breach, they must also provide recommendations for how you can protect yourself.

The scheme applies to Australian government agencies, businesses and not-for-profit organisations with an annual turnover of more than $3 million, credit reporting bodies and health service providers, among others.

Read more about the Notifiable Data Breaches scheme

Can I prevent a data breach?

There is always a risk of a data breach, as the information you provide to organisations is stored on many different systems. There are actions you can take to minimise the likelihood and impact that a data breach can have on you.

Prepare for the likelihood of a data breach

• Minimise the amount of personal information shared with an organisation. Only tell organisations the information that they need to provide services, rather than everything they ask for. For example, if asked for a home address consider if the organisation really requires this information, especially if it is not mandatory.

• Look for organisations that have a commitment to cyber security. Think twice about organisations with a poor cyber security reputation.

Minimise the impact of a data breach

• Avoid re-using passwords. A data breach may occur and compromise your password. If you have reused this password across other online accounts, they also may be at risk. By using a unique password across each of your online accounts, in the event one of your passwords is compromised in a data breach, this password can’t be used to access your other accounts. Use a strong password, such as a passphrase. Consider also using a password manager to create and manage different passwords. For more information, see our advice on passphrases.

• Use multi-factor authentication (MFA) across your accounts. In the case a data breach compromises your password, it cannot be used to access your other accounts. For more information, see our advice on MFA.

• Back up important information. A data breach could also result in a loss of access to data and information held by the affected organisation. For more information, see our advice on backups.

What is hacking?

Hacking refers to unauthorised access of a system or network, often to exploit a system’s data or manipulate its normal behaviour.

How it works 

Hackers have to find a way to break into a network or account, just like a thief needs to find a way to break into a home. Often finding out a password is the first step in cracking a network’s security.

Once in, a hacker can modify how a network works, steal data, obtain passwords, get credit card information, watch what you are doing or install malicious software (malware) to further the attack.

While hacking is often highly targeted, some hacking tools such as ransomware or phishing malware can spread on their own via links and attachments. Malware can compromise your system or accounts without someone specifically targeting you.

How to protect yourself from hacking

• Always install updates for applications and operating systems when they are available. The longer you delay, the longer you are vulnerable to hackers or malware.

• Use strong, unique passwords. The Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC) has published advice on using password managers and creating unique passphrases, a strong type of password.

• Always use multi-factor authentication, where possible.

• Always backup your data so if your system is compromised, you won’t necessarily lose everything.

• Always practice secure online browsing behaviour and be on the lookout for suspicious links or email attachments.

For more information, access our guides on Personal Cyber Security:

• Personal Cyber Security: First Steps Guide

• Personal Cyber Security: Next Steps Guide

• Personal Cyber Security: Advanced Steps Guide

What is identity theft?

Identity theft is when a cybercriminal gains access to your personal information to steal money or gain other benefits. They can create fake identity documents in your name, get loans and benefits or apply for real identity documents in your name, but with another person's photograph.

The financial and emotional consequences can be devastating for victims. Once your identity has been stolen it can be difficult to recover and you may have problems for years to come.

What type of information do cybercriminals steal?

A cybercriminal may look to steal a range of personal information including your:

• name

• date of birth

• driver’s licence number

• address

• mother’s maiden name

• place of birth

• credit card details

• tax file number

• Medicare card details

• passport information

• personal identification number (pin)

• online account username and login details.

How do you know if your identity has been stolen?

Look out for these common warning signs:

• Your bank statements show purchases or withdrawals you have not made.

• You stop receiving mail you may be expecting (e.g. electricity bills) or receive no mail.

• You receive bills or receipts for things you haven’t purchased or statements for loans or credit cards you haven’t applied for.

• A government agency may inform you that you are receiving a government benefit that you never applied for.

• You have been refused credit because of a poor credit history due to debts you have not incurred.

• You may be contacted by debt collectors.

How to protect yourself and your family

Cyber criminals can learn a lot about you from your social media accounts. Here are some tips to protect yourself and your family:

• Limit what you share online. Reconsider sharing information on social media like your birthday, photos of a new house that include your address, or photos that identify your children’s school, or details of schools you attended. These details are often used for security questions on financial and other important accounts.

• Set your social media privacy settings to 'private'. Ensure you’re only sharing your photos and posts with people you know and trust.

• Don’t accept 'friend' requests from strangers.

• Cybercriminals try to trick you into giving away your personal information. They often impersonate well-known organisations to ask you to confirm your personal details via messages or websites. Because of this, many companies now state they will not ask you to update or confirm your details, like passwords, PINs, credit card information or account details via links in messages.

• If there really is a need to update your details, you should do so by typing the organisation's official website address manually into your internet browser and not use links from messages.

• Think twice before entering your personal details into a website you’re not familiar with. See our advice about shopping online securely and browsing the web securely for questions to ask to help determine if a website is genuine.

Cybercriminals crack weak passwords – there’s even software that guesses billions of passwords per second!

• Use strong, unique passwords or passphrases for each online account.

Cybercriminals use bugs in software to gain access to devices.

• Keep your devices updated with the latest software, including antivirus software. Installing software updates will give you the latest security. You can even set updates to install automatically.

Other tips for protecting your online identity:

• Think twice about what you access over public or untrusted Wi-Fi. We have published a list of tips to follow when using public Wi-Fi, for example using a VPN.

• Regularly check your account statements including credit cards, bank statements, telephone and internet bills for possible fraudulent activity.

• Check your credit report at least once a year to help you catch any unauthorised activity.

• Always lock your mailbox and shred any sensitive documentation you no longer need.

• Be wary of phone calls that ask for your personal information.

• Be wary of people trying to view your PIN while you are using ATMs and making other purchases.

Malware

Ransomware

Scams

System and network attacks

Report and recover from system and network attacks

Preparing for and Responding to Denial-of-Service Attacks

Malicious insiders

Data Spill Management Guide

Malware

For a small business, even a minor cyber security incident can have devastating impacts.

This guide includes basic security measures to help protect your business against common cyber security threats. As a starting point, we recommend the following three measures:

• Turn on multi-factor authentication

• Update your software

• Back up your information

This guide might include measures that are not relevant to your business, or your business may have more complex needs. After completing this guide, we recommend small businesses implement Maturity Level One of the Essential Eight.

If you have questions about this advice or cyber security more broadly, we recommend you speak to an IT professional or a trusted advisor.

Threats to small businesses

Email Attacks

Malicious Software

Secure your accounts

Use strong passwords an phrases

Managing Shared Accounts

Implementing Access Control

Prepare your staff

Make an Emergency Plan

Stay Informed

Protect your devices and information

Backup your information

Use security Software

Secure your network and external devices

Harden your website

Reset your devices before selling them or disposing of them

Keep your devices locked an physically secure at all times