The Australian Competition & Consumer Commission (ACCC) yesterday issued a warning to Australian SMEs. It is advising businesses to urgently review how they verify and pay accounts and invoices, as there has been a steep rise in business email compromise this year. According to Scamwatch, business email compromise (BEC) scams have grown by one third this year, an alarming rate.
“This is a very sophisticated scam, which is why many businesses only realise they’ve been caught out once it’s too late,” ACCC Deputy Chair Delia Rickard said.
How does the scam work?
BEC scams occur when a hacker gains access to a business’s email accounts, or ‘spoofs’ a business’s email address so that the hacker’s emails appear to come from the company. The hacker then sends emails to customers claiming that the business’s banking details have changed and that future invoices should be paid to a new account. These emails look legitimate as they come from one of a business’s official email accounts. Payments then start to flow into the hacker’s account.
In other variations of the scam, the hacker will send an email internally to a business’s accounts team, pretending to be the CEO and asking for funds to be urgently transferred to an offshore account. Hackers can also request that salary or rental payments be directed to a new account.
Scamwatch has even received reports of the hackers intercepting house deposits that have been sent to conveyancers, real estate agents or law firms.
“It’s a scam that targets all kinds of businesses, including charities and local sporting clubs. There is a misconception these scams target just small business, however the largest amount of reports and losses came from medium-sized businesses, including one that lost more than $300,000,” Ms Rickard added.
Businesses have reported losses totalling $2.8 million from these scams to Scamwatch in 2018. However, this represents only a fraction of total losses to this variety of scam across Australia. BEC scams cause businesses significant financial harm, accounting for 63 per cent of all business losses reported to Scamwatch. The average loss is nearly $30,000.
How to ensure you don’t get caught out.
- Communicating directly with the supplier to check any change in account details.
- Confirming supplier contact details and which communication channels they use.
- Implementing a multi-person approval process for larger transactions over a nominated threshold.
- Investing in IT security to ensure anti-virus and anti-spy software are updated regularly.
- Ensuring your business has a good firewall.
What to do if you’ve been hacked.
- Contact your financial institution immediately.
- Consider professional IT advice to ensure your email system and data are secure from hackers.
- Report it to www.scamwatch.gov.au