Spotting Business Email Compromise

You might have already heard of Business Email Compromise (BEC) scams. They do more harm than just filling up your spam folder: their goal is to trick you into sending a payment to a fraudulent account, or to access sensitive data in order to impersonate you or one of your employees. The Australian Signals Directorate (ASD) stated that in 2022–23, the total self-reported BEC losses to ReportCyber were almost $80 million.1 Even if you are confident in your ability to notice a suspicious email, scammers are very good at getting past a business’s defences.

Example of a BEC Scam:

Let’s say you are an employee or business owner, and you receive an email from a supplier that you know, requesting a payment of $150k to be made to a new account. In the email, the supplier urgently suggests that the funds be sent immediately, claiming that the payment is at risk of being overdue. 

You should know 

Creating a sense of urgency or adding time pressure to your response is just one of the ways scammers trick you into making a rushed decision. If you feel that a supplier is urging you to act quickly, remember Stop. Check. Reject. Stop what you’re doing, take a breath, and step back to reassess the situation. 

In this scenario, though you may think this email is a little unconventional, you know the supplier well and, not wanting to ruin your good relationship with them, you send the payment of $150k to the new account.

Keep in mind

Once you proceed with this payment, it can be difficult to recover the transferred funds. Scammers can be incredibly convincing with their tactics; they can even place false contact numbers on the email or invoice to circumvent business controls and validate the change of details verbally. Whenever you have any doubt, hang up the phone and make contact directly with the person involved on a number that you have verified – ideally one that’s already saved in your phone.

Sometime after the payment has been sent, the supplier contacts your business to discuss an overdue invoice of $150k. You inform the supplier that you have already paid the invoice, referring to the most recent payment to their new account. The supplier is unaware of any request for payment to a new account, and you both now realise you have fallen victim to a fraudulent email. Had you been able to identify that the account did not belong to the supplier, you might have stopped yourself from sending the payment before it was too late.

Stay protected

CommBank’s NameCheck security tool can indicate whether the account details look right, based on our available payment data. It searches the account details you’ve entered for typos and possible signs of a scam when making a first-time payment in NetBank, CommBiz or the CommBank app.

If something like this happens to you, immediately message us in the CommBank app or call us on 13 2221. CommBiz customers can call us on 13 2339.

Did you know?

On average, the financial loss from a BEC incident over 2022-2023 was over $39,000, according to Cyber Threat Trends from the Australian Signals Directorate.2

What you can do

When it comes to cybersecurity, remember that you are the first and last line of defence against frauds and scams. By using the tools available to you, updating your safety procedures and training your staff regularly, you can prevent scammers from compromising your data security and taking off with the fruits of your labour.

Here are a few safety procedures the ASD suggests to keep your business safe:3

  • Turn on multi-factor authentication for online services. 
  • Use long and unique passphrases for every account. 
  • Turn on automatic updates for all software, and do not ignore installation prompts. 
  • Regularly back up important files and device configuration settings.
  • Be alert for phishing messages and scams. 
  • Only use reputable cloud service providers and managed service providers that implement appropriate cyber security measures.

Preventing scams like BEC is among CommBank’s highest priorities. We are constantly improving our ability to detect and prevent these activities to reduce the impact they have on Australian businesses.

If you think you may be the victim of a business email payment scam, it’s important to get help as soon as possible:

  1. Call CommBiz on 13 2339 or NetBank on 13 2221 immediately,
  2. Contact your relationship manager, if applicable, and
  3. Contact law enforcement.

To learn more about how you can protect your business from scams and fraud, visit commbank.com.au/business-security