Business email compromise scams
One of the most financially harmful scams affecting Australian businesses, including small businesses, is the ‘business email compromise’ scam. Australian businesses lost $60 million to this scam last year.
What is a business email compromise scam?
A business email compromise scam involves a scammer gaining access to a business’s email and IT system. They then impersonate that business to con you into sending funds to the scammer’s account.
The ACCC’s latest Targeting scams report tells us that scammers trawl the internet targeting chief financial officers, accountants, payroll officers and even the treasurers of small community sports clubs.
Once they have access to email and other financial details, scammers:
- impersonate the chief financial officer or some other high-ranking manager of the business and ask for funds to be transferred into an account for a variety of reasons. For example, a manager is travelling overseas and needs funds urgently due to an unforeseen emergency
- masquerade as the business in an email to another business, such as a supplier, asking for a regularly paid invoice to be paid into a new account.
The payroll areas of a business may also be targeted by scammers impersonating employees asking for upcoming pay to be paid into a different account.
It’s easy to see how you can mistake a scammer for the real deal.
Consumers can also get caught up in these scams. For example, some unsuspecting consumers paid their house deposits or legal fees to scammers instead of the agents and solicitors.
This scam isn’t just located in Australia – it’s a worldwide issue. The United States Federal Bureau of Investigation estimates global losses of US$12.5 billion to business email compromise scams between 2013 and May 2018.
How to protect yourself
Key points to consider:
- if you have staff, talk to them about this scam to make them aware of how it works and what to look for if they are targeted
- change the way you verify or pay invoices by adopting a multi-person approval process for transactions over a certain dollar amount
- keep your anti-virus and anti-spyware software up-to-date
- check directly with your supplier if you notice a change in account details (do NOT do this just by return email or using other contact details provided - find older communications to ensure you have the right contact details or otherwise independently source them).
If you’re affected by a business email compromise scam, contact your financial institution straight away. You should also consider professional IT advice to ensure your email systems and data are secure from hackers.
Report business email compromise scams to ReportCyber.
Chief Operating Officer, Deputy Secretary
5yThanks for sharing Kate. I know of a number of small (and larger) businesses impacted by this. A great reminder.
Assistant Director, Assurance Strategy and Engagement, Digital Transformation Agency
5yThanks for sharing Kate - it’s important to be aware of scams like these.