A “very sophisticated” scam, going after real estate agents in some instances, targets SME businesses’ verification and account payment processes, diverting legitimate payment flows into the accounts of unscrupulous hackers.
Scamwatch has identified the malpractice, as reports of business email compromise (BEC) scams made to the organisation have grown by a third this year.
ACCC deputy chair Delia Rickard said that the breach has serious implications.
“This is a very sophisticated scam, which is why many businesses only realise they’ve been caught out once it’s too late,” the deputy chair said.
She said that in some instances, the hackers have been reported to be intercepting house deposits that have been sent to real estate agents, conveyancers or law firms.
“It’s a scam that targets all kinds of businesses, including charities and local sporting clubs.
“There is a misconception these scams target just small business; however, the largest amount of reports and losses came from medium-sized businesses, including one that lost more than $300,000.”
Ms Rickard said that reported losses to these scams totaled $2.8 million in 2018.
“BEC scams occur when a hacker gains access to a business’ email accounts, or ‘spoofs’ a business’ email so their emails appear to come from the company. The hacker then sends emails to customers claiming that the business’ banking details have changed and that future invoices should be paid to a new account.
“These emails look legitimate as they come from one of a business’ official email accounts. Payments then start to flow into the hacker’s account.
“In other variations of the scam, the hacker will send an email internally to a business’ accounts team, pretending to be the CEO, asking for funds to be urgently transferred to an offshore account. Hackers can also request salary or rental payments be directed to a new account.”
Ms Rickard said that businesses can take steps to protect themselves.
“Effective management procedures can go a long way towards preventing scams, so all businesses should firstly be aware these scams exist and that their staff know about them, too.
“They should consider a multi-person approval process for transactions over a certain dollar threshold and keep their IT security up to date with anti-virus and anti-spyware software and a good firewall.”
She said that businesses should also check directly with their supplier if they notice a change in account details.
“It’s vital businesses don’t do this just by return email or using other contact details provided. Find older communications to ensure you have the right contact details, or otherwise independently source them, so they can be sure they’re not contacting the scammer,” Ms Rickard said.