Toyota is just one of many high-profile examples of business email compromise, or BEC. This payment redirection scam has also defrauded the government of Puerto Rico, charity Save The Children and French film and distribution company, Pathé.2
But this doesn’t mean smaller organisations are off the hook. In 2018, a Perth car dealership was defrauded of $65,000 through a very convincing scam invoice.3
Mick Keogh is Deputy Chair of the Australian Competition and Consumer Commission (ACCC). He confirms that organisations of all sizes are vulnerable.
“Small and micro businesses made most of the reports to Scamwatch and experienced an increase in losses in 2020, although larger businesses reported the highest losses,” he says.4
In the first half of 2022, the ACCC received reports of 11,395 incidents of business email compromise. In total, these cost businesses $12.3 million.5 The organisation has received many reports of scammers targeting Australian farming businesses – many through fake websites.
“[But] the most common contact method scammers used against businesses was email, which is not surprising given the prevalence of payment redirection scams,” says Keogh.4
James Fleming is Senior Manager Fraud Risk & Advisory at CommBank. He agrees that all organisations are vulnerable to business email compromise – and human error is often the weakest link.
“All it takes is for one person's email to be compromised, and your business could end up paying someone a large sum of money,” Fleming says.
Anatomy of a business email scam
So why is business email compromise such a threat? Clever impersonation is the key.
“It’s not always the business itself that is compromised,” says Fleming. “It can actually be Business B – Business A’s supplier or contractor.”
This is how it can work:
Attackers break into a contractor or supplier’s email account (Business B), typically by obtaining a valid username and password. They then use Business B’s genuine mailbox to send a fake invoice to Business A.
In the email, the scammers claim Business B has recently changed its bank account and provide ‘new’ banking details. Business A pays the invoice, and the funds go straight into the attacker’s account.
The scam is especially convincing when the email arrives from a regular business contact’s real address, or when the invoice reproduces Business B’s branding and letterhead.
Other tactics scammers use include persuading an employee, via an authoritative-sounding email, to take a specific action, such as making a wire transfer or providing confidential information.
The result can be financially devastating, says Fleming.6
“If you're a reasonably large organisation you might be able to take that hit,” he says. “But if you’re a smaller or even medium-sized organisation, especially if cash flow is tight, that could really impact you.”
Financial institutions will attempt to recover stolen funds on a best endeavours basis. However, the funds can be difficult to recover because real-time payments move so quickly.
“The funds may have been moved to other banks or moved offshore,” says Fleming. “They might have been withdrawn in cash or spent on cards. So it can be quite hard to get that money back.”
The best defence against email compromise
The latest figures show that while report volumes are falling, scammers are pocketing larger amounts per incident. As such, businesses need to remain vigilant. The ACCC recommends that organisations confirm any request to change bank account details by calling the supplier or contractor on a known, secondary phone number, never the number printed on the invoice or email making the request. It also suggests a multi-person approval process before large payments are released, and multifactor authentication (MFA) not just on your banking platform but on your email as well, so that the mailbox compromise that starts the scam is harder to achieve in the first place.6
Large organisations with their own fraud and risk teams tend to have the most robust controls. These include integrated payments systems, call backs and other inbuilt checks that prevent payments from proceeding without certainty.
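As an added illustration of those controls (this is example code written for this page, not a CommBank or ACCC system), the following Python check holds a payment when the invoice’s bank details differ from the supplier record on file and no call-back on the known number has been recorded, and requires two distinct approvers for any large payment or any bank-detail change. The vendor record, the fake invoice, the phone numbers and the $10,000 threshold are all constructed for the example; `callback_number` is assumed to record the number the approver actually dialled when the supplier confirmed the change.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Amount above which a second approver is required (assumed value for the example).
LARGE_PAYMENT_THRESHOLD = 10_000.00


@dataclass(frozen=True)
class Vendor:
    """Bank details and a verified contact number held on file for a supplier."""
    name: str
    bsb: str
    account: str
    known_phone: str  # verified at onboarding, never copied from an invoice


@dataclass(frozen=True)
class Invoice:
    """What arrives by email: amount, bank details and the contact number printed on it."""
    vendor: str
    amount: float
    bsb: str
    account: str
    invoice_phone: str


@dataclass
class PaymentRequest:
    invoice: Invoice
    approvers: Set[str] = field(default_factory=set)
    # Number actually dialled to confirm a bank-detail change; None if no call was made.
    callback_number: Optional[str] = None


def check_payment(req: PaymentRequest, vendors: Dict[str, Vendor]) -> List[str]:
    """Return the reasons a payment must be held. An empty list means it may be released."""
    holds: List[str] = []
    inv = req.invoice
    vendor = vendors.get(inv.vendor)
    if vendor is None:
        return ["no vendor record on file"]

    # A compromised supplier mailbox sends real-looking invoices carrying 'new' bank
    # details, so any difference from the record on file is the signal to stop and verify.
    details_changed = (inv.bsb, inv.account) != (vendor.bsb, vendor.account)
    if details_changed:
        if req.callback_number is None:
            holds.append("bank details changed: call back on the known number required")
        elif req.callback_number != vendor.known_phone:
            # Dialling the number printed on the invoice just reaches the scammer.
            holds.append("bank details changed: call back was not made on the known number")

    # Large payments and any bank-detail change need two different people to approve.
    if (inv.amount >= LARGE_PAYMENT_THRESHOLD or details_changed) and len(req.approvers) < 2:
        holds.append("two distinct approvers required")
    return holds


def sample_vendors() -> Dict[str, Vendor]:
    # Constructed vendor master record for the example.
    return {"Business B": Vendor("Business B", "062-000", "12345678", "+61 2 9000 0000")}


def sample_fake_invoice() -> Invoice:
    # Constructed: sent from Business B's compromised mailbox, with the scammer's
    # account details and the scammer's own phone number printed as the contact.
    return Invoice("Business B", 48_500.00, "033-999", "87654321", "+61 4 0000 0000")


if __name__ == "__main__":
    vendors = sample_vendors()
    fake = sample_fake_invoice()
    # Two approvers, but the call-back went to the number on the invoice: still held.
    print(check_payment(PaymentRequest(fake, {"alice", "bob"}, fake.invoice_phone), vendors))
    # No call-back and a single approver: held for two reasons.
    print(check_payment(PaymentRequest(fake, {"alice"}), vendors))
```

The point of the structure is that the hold is decided by comparing the invoice against data the business already holds, not by judging whether the email looks genuine; an email from a compromised account looks entirely genuine, which is what makes this scam work.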
“A smaller mum and dad company might just log into their online banking and make a payment,” says Fleming. “So theoretically, the larger an organisation is, the more the risk should reduce. But that being said, we're all prone to human error. And it only takes one person to forget to follow the process – or just be negligent.”
In other words, the best defence against BEC is making sure your team consistently follows the controls on your online banking and payment platforms and uses multi-factor authentication (MFA) wherever it is offered, email included. Also keep your IT security up to date, run antivirus software and maintain a properly configured firewall.
But you also need to maintain staff awareness.
“You can have all the technology in the world, but it won’t work unless your people understand the controls and follow the processes as they're meant to be followed,” says Fleming.
What to do if you’ve been scammed
- Contact your bank immediately and ask it to stop or recall the payment.
- Report the incident to the Australian Cyber Security Centre.
- Inform your supplier or provider (if they don’t know already) and advise them to change their account passwords.7
Our expert
James Fleming is the Senior Manager – Fraud & Risk Advisory at the Commonwealth Bank. During his five years with the bank, James has specialised in fraud, risk, operational risk and delivery during his time as the Digital Fraud Product Owner. Before joining CommBank, James spent five years at Macquarie Group where he worked as a credit assurance and fraud analyst before being promoted to Team Leader – Credit Assurance/Fraud. James has a Bachelor of Business Administration and Commerce – Accounting from Macquarie University.
Want to know more?
CommBank is committed to protecting its business and customers from scams, fraud and other cyber attacks. For more ways to safeguard your information, search CommBank Safe.