Online scams have been around for a long time. Spotting a suspicious-looking email dotted with spelling mistakes and bad grammar is easy, but we don’t usually expect the scam to involve people or businesses that we deal with on a regular basis or would otherwise believe to be trustworthy.

The Australian Furniture Association has received details of a marked increase in ‘man-in-the-middle’ attacks.

These are scams involving fraudulent online payments where an email account is hacked. The hacker intercepts a conversation between a payer and payee and redirects the payment to a different account, or the hacker instigates contact with the payee and provides new account details, either within the body of an email or by changing the payment details in an otherwise legitimate invoice. The legal, building and real estate industries have been significantly affected, along with not-for-profit organisations, small businesses and government agents.

Losses can be significant when funds are inadvertently sent to a scammer’s bank account, particularly in the case of deposits or final payments.

A small local furniture manufacturer recently lost $6000 after payment of an invoice was directed to a bank account that had been changed. In another two cases, over $100,000 was paid to offshore accounts in Hong Kong and Singapore, which required both Australian Federal Police and international law enforcement intervention to recover the funds. Both scams only came to light when the suppliers queried the non-payment of the invoices. See: Cybercrime | Australian Federal Police

You can also report a crime at Report | Cyber.gov.au or by using the forms on this portal: Supporting Australian organisations through a cyber security incident | Cyber.gov.au

How can you protect yourself?

Be alert to attempts by scammers to intercept payments due and owing to you, and ensure that your email accounts and computer systems have adequate security systems in place to reduce the risk of hacking. Ensure that your finance and admin teams are similarly alert and check anything that you are unsure of BEFORE paying. It’s easier to make a call than to deal with the consequences of being hacked.

If your business receives a lot of payments by electronic transfer, consider doing what the AFA has done and include a statement on all email communications with customers stating that the business’s bank account details will not change during the course of the transaction and that the business will not change its bank account details via email. Encourage your customers and suppliers to call you direct if in doubt.

Update your terms and conditions to set out a clear process for changing key information. For example, implement a policy that no changes should be made to banking or personal details without them first being verified directly by phone with a nominated individual from your organisation.

Regularly check sent and deleted email folders, as well as bank account statements, for unusual activity.

If you are transferring funds to a business’s account, closely scrutinise the invoice and query any changes to ensure that the payment is going to the correct account. If you receive a payment request that seems unusual or an email request to change bank account details, get verbal confirmation before making the payment.

It’s important that you do not use the contact details provided in the email notifying the change of bank details, as these could divert you to the scammers. Use contact information on previous correspondence or look up the business online.

You may not be covered by your current insurance policy. Cyber risk insurance policies are available for businesses to cover cyber extortion, media content, and network interruption. Get a quote for Cyber Liability Insurance through AFA Partners BIZCOVER.

What can you do if you’ve been scammed?

It could be days or weeks before you are made aware that money has gone to the incorrect account.

Contact your bank immediately. There’s a small chance that they may be able to recover the funds from the recipient bank. You should obtain professional IT advice to secure your email systems and data from hackers. The ACCC Scamwatch website provides detailed information about various types of scams, how to protect yourself, report a scam and get help. It provides a list of authorities that you can contact.

When one party makes a payment to an incorrect bank account because of fraud, the account remains unpaid and debt recovery action against the victim of the fraud can be commenced to enforce payment, meaning the payee may be out of pocket for double the amount. According to Scamwatch, businesses have reported direct losses to these scams in 2024 totalling over $15.8 million, up from $2.8 million in 2018, but this is only a fraction of total losses to this type of scam across Australia.

Be aware of scams. Be cautious when transferring large amounts of money by EFT and always verify account details by telephone if you have been advised by email of any changes. Once a payment is made, and particularly if it is a large sum of money, send an email confirmation to the recipient that day confirming payment.

As always, if you need help, please feel free to reach out. We’re here to support you and connect you to the right people.

Contact Marcus at partnerships@theafa.asn.au