What is a data breach?
A data breach is generally defined as an incident involving ‘unauthorised access to sensitive, protected or confidential data resulting in the compromise of either confidentiality, integrity or availability of an information asset’.1 Data breaches pose serious risks to businesses and the individuals to whom the information relates.
One specific type of data breach is a ‘business email compromise’ (BEC), where a cybercriminal impersonates a business contact to trick employees or suppliers of a business to transfer money or to provide sensitive information. Often BEC scammers use domain names or emails almost identical to those of the contact they are impersonating, and because they don't use malicious attachments, their emails often get past anti-virus software. Most BEC scams take one of these four forms:2
- Executive fraud: A cybercriminal masquerades as an executive and sends an email to staff requesting they transfer funds to the scammer's account.
- Legal impersonation: A cybercriminal requests payment for an urgent and sensitive legal matter.
- Invoice fraud: A cybercriminal sends a fake invoice to the business, impersonating a trusted supplier. In many cases, cybercriminals have accessed the supplier's real email account and have made changes to the bank account details in otherwise legitimate invoices.
- Data theft: This scam involves impersonating a trusted person to request sensitive information. The information obtained is sometimes used in a larger, more complex scam.
This article provides details on what you can do to minimise harm to your business in the event of a data breach, including a BEC. Please note that this article is general in nature and nothing in this article should be taken as legal advice.