Australian businesses reported over $14 million in losses due to payment redirection scams last year, and average losses so far in 2021 are five times higher than the same period last year.


In a payment redirection scam, also known as a business email compromise scam, scammers impersonate a business or its employees via email and request that money, which is usually owed to the legitimate business, be sent to a fraudulent account.


 

“Payment redirection scams impact businesses across many industries, including real estate, construction, law, recruitment, and universities,” said ACCC Deputy Chair Delia Rickard. “Scammers tend to target new or junior employees, or even volunteers, as they are less likely to be familiar with their employer’s finance processes or the types of requests to expect from their supervisors.”

“We recommend organisations ensure their staff are well trained in the company’s payment processes and remain aware of payment redirection scams,” Rickard said.

Payment redirection scams can take several different forms. In some instances, scammers hack into a legitimate email account and pose as the business, intercepting legitimate invoices and amending the bank details before releasing the emails to the intended recipients.

In one instance, a victim lost $16,500 in a single transaction after a scammer used a staff member’s email address to send an invoice to a customer with ‘updated bank details’, redirecting the payment to the scammer’s personal bank account.

Other times, payment redirection is done by spoofing, where scammers impersonate CEOs or other senior managers using a registered email address that is very similar to the genuine one. The scammer will then request that staff transfer funds to them or make a payment to a third party on behalf of the business.

Scamwatch has also received reports of scammers posing as staff members, where they request the employee’s salary be paid into the scammer’s bank account.

“It can be difficult to recover money lost to a payment redirection scam, so prevention is really important,” Rickard said. “Don’t deviate from your organisation’s payment procedure, even if the request you have received appears to come from your CEO or a senior manager.”

“If you have received a request that creates a sense of urgency, don’t rush. Take the time to consider and check whether an email is real, including by looking carefully at the sender’s email address, before acting on instructions. Whenever there is a request to change payment details, always check with the organisation using stored contact details, rather than those in the requesting communication.”

If you have been the victim of a scam, contact your bank as soon as possible and contact the platform on which you were scammed to inform them of the circumstances.

To report a cyber crime, visit the business reporting page at cyber.gov.au.

 

 
