Types of financial fraud affecting SMEs: phishing

In 2012, Australian businesses and consumers lost a staggering $469 million to fraud. What types of financial fraud should SMEs look out for, and how do they know if someone is trying to scam them? Take a look at phishing scams and see how to protect your business.

Phishing is the attempt to maliciously trick anyone into giving up sensitive information, such as phone numbers, addresses or credit card information, via email, social media, phone call or text.

“The scammer asks you to provide or confirm your personal details. For example, the scammer may say that the bank or organisation is verifying customer records due to a technical error that wiped out customer data. Or they may ask you to fill out a customer survey and offer a prize for participating,” says the ACCC’s ScamWatch website.

Image: a literal phishing attempt, with a username and password box attached to a hook

“Alternatively, the scammer may alert you to 'unauthorised or suspicious activity on your account'.

“You might be told that a large purchase has been made in a foreign country and asked if you authorised the payment. If you reply that you didn't, the scammer will ask you to confirm your credit card or bank details so the 'bank' can investigate.

“In some cases the scammer may already have your credit card number and ask you to confirm your identity by quoting the [three or four] digit security code printed on the card.”

Phishing attempts are designed to look or sound authentic: emails may mimic official correspondence, and links may lead to a website that looks identical to the real one.

How to identify phishing scams

Signs of a phishing scam include:

  • Receiving some form of communication to update or verify your personal details;
  • The website you have been asked to go to appears visually slightly different, and the URL address is slightly altered; for example, the authentic website is www.legitimatebank.com.au, while the fake website may be www.legitimatebank.com, or www.legitimate-bank.com.au;
  • The form of communication received is generic and does not address you by your name, and/or includes grammatical errors or typos.

“If you provide the scammer with your details online or over the phone, they will use them to carry out fraudulent activities, such as using your credit cards and stealing your money,” the ScamWatch website says.

Whaling and spear phishing

Whaling and spear phishing are variations of phishing that are in essence identical to regular phishing, except that the targets are business owners or employees in charge of finances.

Image: a person in a hoodie holds a tablet, their face obscured by shadows

“The scammer sends a personalised email to either a group of employees or a specific executive officer or senior manager. The email is designed to look like it has been sent from a trustworthy source such as the employer or other staff members within the organisation,” the ACCC ScamWatch website says.

The subject of the email is framed around fake critical business matters, such as legal issues or complaints from consumers.

The scammer’s aim is to either direct you to a website or to ask you to download a file.

If the email directs the user to a website, that site will ask either for company information and passwords, or for financial information to pay for a fraudulent software download.

The other possibility, downloading an attachment, may be framed as an image or as documents in a .ZIP file, a format typically used to package larger files. Unzipping the file and opening any of the files within may install malware that records what you type, such as passwords or financial information.

Characteristics of a whaling and spear phishing scam include:

  • Receiving an email about legal issues or consumer complaints with either a file attachment or a link to a website;
  • If a link is sent, the website may request business credentials or payment information;
  • If a file is sent, it may be contained in a .ZIP file. The email may refer to an attached image or documents – usually, these files are relatively small in size, and do not warrant being contained in a .ZIP file;
  • The email address may appear similar to a colleague’s email address, but have a slight variation; if the authentic email is [colleague's address], a fake email may be [a near-identical address], or [another near-identical address].
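The lookalike-domain indicators above (the bank's real site versus a variant with a swapped suffix or an inserted hyphen, and a colleague's address versus a near-identical one) and the small-.ZIP-attachment indicator can be turned into simple automated checks. The following is an added example written for this page; it is not ACCC or ScamWatch code. The allowlist of trusted domains, the table of public suffixes, the two-edit distance cut-off and the 200 kB attachment threshold are all constructed assumptions, and the sample addresses and links in the usage block are made up.

```python
"""Lookalike-domain and suspicious-attachment checks for inbound mail.
Added example, not code from the article; all lists and thresholds are assumptions."""
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allowlist: the domains this business genuinely deals with.
TRUSTED_DOMAINS = {"legitimatebank.com.au", "examplesme.com.au"}

# Small constructed table of public suffixes, longest first so ".com.au" is
# tried before ".com". A real deployment would use the Public Suffix List.
SUFFIXES = (".com.au", ".net.au", ".org.au", ".gov.au", ".edu.au",
            ".com", ".net", ".org")


def normalise_host(host: str) -> str:
    """Lower-case, drop trailing dots and a leading 'www.'."""
    host = host.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def split_suffix(host: str):
    """Return (everything left of the public suffix, the suffix itself)."""
    for suffix in SUFFIXES:
        if host.endswith(suffix):
            return host[:-len(suffix)], suffix
    return host, ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(host: str) -> str:
    """'trusted' if the registrable domain is allowlisted; 'lookalike' if it only
    resembles one (wrong suffix, inserted hyphen, a typo or two, or a trusted
    name used as a subdomain of something else); otherwise 'unknown'."""
    host = normalise_host(host)
    name, suffix = split_suffix(host)
    label = name.rsplit(".", 1)[-1]            # label directly left of the suffix
    if label + suffix in TRUSTED_DOMAINS:
        return "trusted"
    squashed = label.replace("-", "")           # "legitimate-bank" -> "legitimatebank"
    for trusted in TRUSTED_DOMAINS:
        if host.startswith(trusted + "."):     # e.g. trusted.com.au.<attacker>.com
            return "lookalike"
        trusted_label = split_suffix(trusted)[0].replace("-", "")
        # The distance cut-off of 2 is an assumption; tune it for short names.
        if squashed == trusted_label or edit_distance(squashed, trusted_label) <= 2:
            return "lookalike"
    return "unknown"


def classify_sender(from_header: str) -> str:
    """Classify the domain part of a From: header value."""
    _, address = parseaddr(from_header)
    if "@" not in address:
        return "unknown"
    return classify_domain(address.rsplit("@", 1)[1])


def classify_link(url: str) -> str:
    """Classify the host a link in the mail body points to."""
    if "://" not in url:
        url = "http://" + url
    return classify_domain(urlparse(url).hostname or "")


def suspicious_archive(filename: str, size_bytes: int, body_text: str) -> bool:
    """The article's attachment indicator: a small .ZIP that the mail body
    describes as an image or document. 200 kB is a constructed threshold."""
    looks_like_doc = any(word in body_text.lower()
                         for word in ("image", "photo", "document", "invoice", "complaint"))
    return filename.lower().endswith(".zip") and size_bytes < 200_000 and looks_like_doc


if __name__ == "__main__":
    # Constructed sample indicators, mirroring the article's examples.
    for link in ("https://www.legitimatebank.com.au/login",
                 "www.legitimatebank.com",
                 "https://www.legitimate-bank.com.au"):
        print(f"{link:45} -> {classify_link(link)}")
    print(classify_sender("Accounts <accounts@examplesme.com.au>"))
    print(classify_sender("Accounts <accounts@examp1esme.com.au>"))
    print(suspicious_archive("complaint_photos.zip", 48_000,
                             "Please see the attached image of the complaint"))
```

Anything classified as "lookalike" is worth a second look before any credential is typed or payment made; "unknown" simply means the domain is not on the allowlist, which is normal for most mail, so the two verdicts should be handled differently rather than lumped together.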