Hackers targeting businesses emails in sophisticated scam

Scamwatch is calling on businesses to urgently review how they verify and pay accounts and invoices as reports of business email scams continue to grow.

scam-alert
ACCC Deputy Chair Delia Rickard says there’s a very sophisticated scam in play.

She says scams occur when a hacker gains access to a business’s email accounts, or ‘spoof’ a business’s email so their emails appear to come from the company.

“The hacker then sends emails to customers claiming that the business’s banking details have changed and that future invoices should be paid to a new account.”

“These emails look legitimate as they come from one of a business’s official email accounts. Payments then start to flow into the hacker’s account.”

In other variations of the scam, the hacker will send an email internally to a business’s accounts team, pretending to be the CEO, asking for funds to be urgently transferred to an off-shore account. Hackers can also request salary or rental payments be directed to a new account.

“Scamwatch has even received reports of the hackers intercepting house deposits that have been sent to conveyancers, real estate agents or law firms.”

“It’s a scam that targets all kinds of businesses, including charities and local sporting clubs. There is a misconception these scams target just small business; however, the largest amount of reports and losses came from medium sized businesses, including one that lost more than $300,000.”

Businesses have reported losses to these scams totalling $2.8 million to Scamwatch in 2018. The average loss is nearly $30,000.

Ms Rickard says effective management procedures go a long way towards preventing scams and calls on all businesses to be aware these scams exist and to alert staff to the potential for scams as well.”

“They should consider a multi-person approval process for transactions over a certain dollar threshold and keep their IT security up-to-date with anti-virus and anti-spyware software and a good firewall.”

“Businesses should also check directly with their supplier if they notice a change in account details. It’s vital a business don’t do this just by return email or using other contact details provided. Find older communications to ensure you have the right contact details or otherwise independently source them, so they can be sure they’re not contacting the scammer.”