According to the ACCC’s recent Targeting Scams report, payment redirection scams were the most financially damaging scams for Australian businesses in 2020. Combined losses reported to Scamwatch, other government agencies, banks and payment platforms totalled $128 million in 2020.
“Small and micro businesses made most of the reports to Scamwatch and experienced an increase in losses in 2020, although larger businesses reported the highest losses,” says ACCC Deputy Chair Mick Keogh. Based on Scamwatch data alone, false billing scams were the most commonly reported scam by businesses and accounted for three quarters of total losses to businesses. Small and micro businesses accounted for almost 60 per cent of these false billing reports.
The most common type? Payment redirection scams, also known as business email compromise (BEC) scams, with 1,300 reports and $14 million in losses. This is a substantial increase from the 900 reports and $5 million in losses reported in 2019.
And they are on the rise thanks to the pandemic. “One thing we know about scammers is that they will take advantage of a crisis,” says Keogh. “It is so important for businesses to stay informed about scams so they can protect themselves.”
According to ACCC’s Scamwatch, Australian businesses reported over $14 million in losses to Scamwatch due to payment redirection scams last year, and average losses from Jan – March 2021 were more than five times higher compared to average losses in the same period last year. With many businesses going online during the pandemic, cybercriminals are taking advantage of this, which is why we are seeing more BEC attacks, especially via email.
WHY ARE SMALL BUSINESSES SO SUSCEPTIBLE?
Revolut Australia CEO Matt Baxby says “When you’re running a small business or are a sole trader, your details are usually readily available so existing and prospective customers can get in touch with you. But that also means your details are easily accessed by scammers. And it’s not likely that you’ll have a dedicated IT security expert or team to help protect your business from these scams if you’re running a small business. It’s for these reasons that fraudsters typically target SMEs with these scams.”
In fact, small businesses and sole traders accounted for almost 60% of payment redirection reports made to the ACCC’s Scamwatch last year.
HOW DO PAYMENT REDIRECTION SCAMS WORK?
An ACCC spokesperson says “Payment redirection scams (also known as business email compromise scams) involve scammers impersonating a business or its employees via email, and requesting money, which usually is owed to the legitimate business, be sent to a fraudulent account.
In some instances, scammers hack into a legitimate email account and pose as the business by intercepting legitimate invoices and amending the bank details before releasing emails to the intended recipients. Other times, payment redirection is done by spoofing, when scammers impersonate CEOs or other senior managers using a registered email address that is very similar to that of the genuine email address. The scammer will then request that staff transfer funds to them or make a payment to a third party on behalf of the business.”
Stephen Kho, cyber security expert at Avast, says “In payment redirection scams, also known as Business Email Compromise (BEC) scams, scammers usually impersonate a business or its employees primarily via email, but it can be carried out using SMS messages, voicemail messages, and even phone calls, and they involve requesting an upcoming payment to be redirected to a fraudulent account. BEC attacks are fast-growing cybersecurity threats that all businesses, especially small and medium-sized ones, face.”
WHAT DO THEY LOOK LIKE?
Kho says most communications are crafted to look as if they come from a trusted person or source. “Through a sophisticated-looking email from a trusted source. Attackers try to convince intended victims to keep these attacks secret in order to increase their chance of success and they prey on employees’ reluctance to question those in authority. Make it clear that employees can and should raise questions in situations like this.”
Some examples are:
- An employee gets an urgent message from the CEO or other high-level executive saying that they need the employee to pay a past due invoice or get gift cards for an urgent company event right away. These can be email or text messages, but attackers have even used deep fake technology to imitate voice mail messages and calls.
- Attackers use fake and compromised email accounts to convince an employee that they’re dealing with a legitimate vendor. The attackers may exchange several emails with the intended victim to convince her or him that they’re a real vendor, and then send them a fake invoice.
- Attackers impersonate employees and try to get the company payroll staff to change the employee’s direct deposit information to their own bank account. These attacks are more subtle and take more time but can be very effective.”
Baxby says they’ll use spoof emails that look so similar to real ones that people easily miss the differences. “They typically use fake email addresses that look genuine (e.g. email@example.com versus firstname.lastname@example.org) or compromise legitimate email accounts to amend bank details on invoices before releasing the emails to customers.”
WHY DO THEY DO IT?
Universally, the goal is to steal money. Kho says that BEC attackers almost always try to get to your funds via electronic funds transfer or gift cards. “While the scam may become more sophisticated in design over time this is the overall goal. So if you are not sure about an email requesting payment, be sure to ask someone,” he says.
HOW TO PROTECT YOUR BUSINESS
The ACCC shared its top tips for protecting yourself from this sort of scam:
- TIP 1: If you receive a request that creates a sense of urgency, don’t rush. Take the time to consider and check whether an email is real, including by looking carefully at the sender’s email address, before acting on instructions.
- TIP 2: Don’t deviate from your organisation’s payment procedure, even if the request you have received appears to come from your CEO or a senior manager.
- TIP 3: Whenever you receive a request to change payment details, always check with the organisation via the contact details you have previously stored, rather than those supplied in the email.
- TIP 4: If you have been the victim of a scam, contact your bank as soon as possible. Businesses can also report the scam to ReportCyber so their report is passed to law enforcement agencies for assessment and intelligence purposes.
Kho says “BEC attacks really are old-fashioned fraud attacks that happen to utilise current technology: We saw this type of scam long before there was email or voicemail. Because these aren’t technology-based attacks, it means technology-based solutions won’t be as effective against these attacks as they are against, say, ransomware. A well-made BEC email, for example, is hard for security software to distinguish from a legitimate one, especially if it’s coming from the actual — but compromised — account of someone you trust.” He says you need to make sure that both you and your employees are educated on the topic.
“Educate yourself and your employees about BEC attacks and encourage employees to ask about an email they find suspicious or weren’t expecting as it goes a long way toward preventing these attacks. Reinforce the importance of verifying payment requests and of following the established rules for paying bills, changing direct deposit information, and buying and sending gift cards.” And, last, he says that even if it doesn’t feel natural to push back against the request — if, for example, it comes from a high-level person in your company — the employee still needs to verify it’s legitimate, as uncomfortable as it might be.
Baxby says small businesses need to have a strict system in place for paying invoices. “Small business operators should have a clear policy in place when it comes to paying invoices, and importantly, you should try to limit the number of people who are authorised to make orders or pay invoices. It’s also worth keeping a record of your regular suppliers, including your current domain name registration provider. Always double check invoices before paying and always read the fine print, including the email that the invoice is coming from. If your supplier has changed payment details, directly contact them to confirm this before paying.”
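The ACCC tips above (don’t rush, scrutinise the sender’s address, and confirm any change of payment details through the contact details already on file) together with Baxby’s advice to keep a record of regular suppliers can be turned into a mechanical first pass over inbound invoices. The Python script below is an added example and is not code from the ACCC, Revolut, Avast or this article: the supplier register, phone number, `.example` domains, BSB/account numbers and the three sample emails are constructed placeholders, and the lookalike-domain heuristics (a small edit distance plus a handful of confusable-character substitutions) are an illustration of the idea rather than a complete detector.

```python
"""Inbound-invoice screening: an added example, not the article's or any vendor's code.
Applies the ACCC tips (check the sender address; verify payment changes via stored
contact details) and a supplier register. All data below is constructed."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed supplier register: what the business already has on file, keyed by the
# supplier's email domain. Bank details and phone number are placeholders.
SUPPLIER_REGISTER = {
    "acme-widgets.example": {
        "name": "Acme Widgets",
        "bsb_account": ("062-000", "12345678"),
        "stored_phone": "+61 2 0000 0000",  # the number to call, never one from the email
    },
}

# Substitutions commonly seen in lookalike domains (rn for m, 0 for o, ...).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]
BSB_RE = re.compile(r"\bBSB\W{0,3}(\d{3})[- ]?(\d{3})\b", re.I)
ACCT_RE = re.compile(r"\bacc(?:oun)?t(?:\s*(?:no|number|#))?\W{0,3}(\d{6,10})\b", re.I)
URGENCY_RE = re.compile(r"\b(urgent(?:ly)?|immediately|today|confidential|asap)\b", re.I)


@dataclass
class InvoiceEmail:
    from_display: str
    from_addr: str
    reply_to: Optional[str]
    body: str


@dataclass
class ScreeningResult:
    action: str  # pay-per-procedure | verify-by-phone | stop-and-escalate
    reasons: List[str] = field(default_factory=list)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character domain variants."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Collapse confusable characters so 'acrne' and 'acme' compare equal."""
    d = domain.lower()
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def classify_domain(domain: str) -> Tuple[str, Optional[str]]:
    """Return ('known' | 'lookalike' | 'unknown', registered domain matched or resembled)."""
    domain = domain.lower()
    if domain in SUPPLIER_REGISTER:
        return "known", domain
    for reg in SUPPLIER_REGISTER:
        if normalize(domain) == normalize(reg) or levenshtein(domain, reg) <= 2:
            return "lookalike", reg
    return "unknown", None


def extract_bank_details(body: str) -> Optional[Tuple[str, str]]:
    """Pull an Australian BSB/account pair out of free text, if both are present."""
    bsb, acct = BSB_RE.search(body), ACCT_RE.search(body)
    if not (bsb and acct):
        return None
    return f"{bsb.group(1)}-{bsb.group(2)}", acct.group(1)


def screen_invoice(msg: InvoiceEmail) -> ScreeningResult:
    reasons: List[str] = []
    sender_domain = msg.from_addr.rsplit("@", 1)[-1].lower()
    status, reg_domain = classify_domain(sender_domain)
    if status == "lookalike":
        reasons.append(f"sender domain {sender_domain!r} resembles registered {reg_domain!r}")
    elif status == "unknown":
        reasons.append(f"sender domain {sender_domain!r} is not in the supplier register")
    # Display name borrowed from a real supplier while the address belongs to someone else.
    for reg, rec in SUPPLIER_REGISTER.items():
        if rec["name"].lower() in msg.from_display.lower() and reg != sender_domain:
            reasons.append(f"display name claims {rec['name']!r} but domain is not {reg!r}")
    if msg.reply_to and msg.reply_to.rsplit("@", 1)[-1].lower() != sender_domain:
        reasons.append("Reply-To domain differs from From domain")
    if URGENCY_RE.search(msg.body):
        reasons.append("message pressures for urgent action")
    details = extract_bank_details(msg.body)
    if details and reg_domain and details != SUPPLIER_REGISTER[reg_domain]["bsb_account"]:
        reasons.append(f"bank details {details} differ from those on file")
    if status != "known":
        action = "stop-and-escalate"
    elif reasons:  # a known sender can still be a compromised account (TIP 3)
        action = "verify-by-phone"
    else:
        action = "pay-per-procedure"
    return ScreeningResult(action, reasons)


# Constructed samples: a routine invoice, a compromised-account bank change, a lookalike domain.
LEGIT_INVOICE = InvoiceEmail("Acme Widgets Accounts", "accounts@acme-widgets.example", None,
                             "Invoice 1042 attached. Pay to BSB 062-000 Account 12345678 as usual.")
COMPROMISED_ACCOUNT = InvoiceEmail("Acme Widgets Accounts", "accounts@acme-widgets.example", None,
                                   "URGENT: we changed banks. Remit to BSB 062-999, Account 87654321 today.")
LOOKALIKE_DOMAIN = InvoiceEmail("Acme Widgets", "accounts@acrne-widgets.example",
                                "accounts@acrne-widgets.example",
                                "Please remit invoice 1042 to BSB 062-999 Account 87654321.")

if __name__ == "__main__":
    for sample in (LEGIT_INVOICE, COMPROMISED_ACCOUNT, LOOKALIKE_DOMAIN):
        result = screen_invoice(sample)
        print(sample.from_addr, "->", result.action, result.reasons)
```

The script only triages. A “verify-by-phone” result means ringing the supplier on the number already stored in the register, never the number or address given in the message, which is the substance of TIP 3; a routine invoice from a known domain with the bank details already on file is still paid only through the normal procedure (TIP 2), not automatically.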
Businesses that have been scammed should contact their bank as soon as possible. If the scam occurred on a platform such as Facebook, contact them directly to report it. Businesses can also report a scam to ReportCyber, which is run by the Australian Cyber Security Centre and passes reports to law enforcement agencies for assessment and intelligence purposes.
The ACCC encourages businesses to make a report on the Scamwatch website.
The Small Business Information Network also provides details about new or updated resources, enforcement action, changes to Australia’s competition and consumer laws, events, surveys and scams relevant to the small business sector.
The ACCC’s annual Targeting Scams Report includes data from Scamwatch, ReportCyber, other government agencies, banks and payment providers.
Breakdown of 2020 scam reports by business size (Scamwatch data only)

| Business size | Number of reports | Reports with loss | Reported losses |
|---|---|---|---|
| Micro (0-4 staff) | 1,304 | 173 | $2,057,087 |
| Small (5-19 staff) | 1,056 | 153 | $4,950,593 |
| Medium (20-199 staff) | 651 | 90 | $1,578,852 |
| Large (over 200 staff) | 321 | 29 | $9,031,213 |
| Size of business not provided | 852 | 49 | $783,418 |