The Australian Competition & Consumer Commission (ACCC) is calling on businesses to urgently review how they verify and pay accounts and invoices after seeing a 33 per cent rise in business email compromise (BEC) scam reports.
According to the ACCC’s Scamwatch, a BEC scam occurs when a hacker gains access to a business’ email accounts, or ‘spoofs’ a business’ email so their emails appear to come from the company.
The hacker then sends emails to customers claiming that the business’ banking details have changed and that future invoices should be paid to a new account. These emails look legitimate as they come from one of a business’ official email accounts. Payments then start to flow into the hacker’s account.
Other variations of the scam have involved hackers pretending to be the CEO of a business and sending an email internally to a business’ accounts team asking for funds to be urgently transferred to an offshore account.
Scammers have also requested salary or rental payments to be directed to a new account.
The ACCC has warned that these scams have included interceptions of house deposits, which have been sent to conveyancers, real estate agents or law firms.
“This is a very sophisticated scam, which is why many businesses only realise they’ve been caught out once it’s too late,” ACCC deputy chair Delia Rickard said.
“It’s a scam that targets all kinds of businesses, including charities and local sporting clubs. There is a misconception these scams target just small business; however, the largest amount of reports and losses came from medium-sized businesses, including one that lost more than $300,000,” she added.
Businesses reported losses totalling $2.8 million from these scams to Scamwatch in 2018; however, the ACCC has suggested this represents only a fraction of total losses to this variety of scam across Australia.
Overall, BEC scams accounted for 63 per cent of all business losses reported to Scamwatch, with the average loss sitting around $30,000.
“Effective management procedures can go a long way towards preventing scams, so all businesses should firstly be aware these scams exist and that their staff know about them, too,” Ms Rickard said.
The deputy chair recommended the following steps for preventing BEC scams:
- Checking directly with the supplier if they notice a change in account details
- Checking supplier contact details and communications
- Considering a multi-person approval process for transactions over a certain dollar threshold
- Keeping IT security up to date with anti-virus and anti-spyware software
- Having a good firewall
The ACCC advised any businesses affected by BEC scams to contact their financial institution immediately and consider professional IT advice to ensure their email systems and data are secure from hackers.