“This is a very sophisticated scam, which is why many businesses only realise they’ve been caught out once it’s too late,” said ACCC deputy chair Delia Rickard.
“It’s a scam that targets all kinds of businesses, including charities and local sporting clubs. There is a misconception these scams target just small business; however, the largest amount of reports and losses came from medium-sized businesses, including one that lost more than $300,000.”
Earlier this year, a Perth car dealership lost $65,000 to such a scam.
Business email compromise (BEC) scams work where a business has its email account either hacked or “spoofed”, with bogus emails then sent to its customer database.
The bogus emails claim that the business has changed its banking details, and that future invoices should be paid into a new account, the details of which are provided.
The scammers then await payments to start rolling in from those unsuspecting customers, with the business being misrepresented left with a shortfall of incoming payments.
According to the ACCC, another version of the same scam has been sent internally within a business to its accounts division, purporting to be from the CEO or leader of the business, with a request to make an urgent transfer to an offshore account or make salary/rental payments into a new account.
The competition regulator’s Scamwatch division has even received reports of house deposits being intercepted from conveyancers, law firms and real estate agents during property settlements.
Some $2.8 million has already been lost by businesses in 2018 to such scams, but the ACCC said that these are only the ones that have been reported. With less than two-thirds (63 per cent) of instances being reported, the true losses incurred by businesses will be considerably higher.
‘Be alert to who gets your money’
Despite the warning, it is not all doom and gloom for businesses, with Ms Rickard stating that strong management of payments works well at thwarting scammers.
“Effective management procedures can go a long way towards preventing scams, so all businesses should firstly be aware these scams exist and that their staff know about them, too,” the deputy chair said.
“Consider a multi-person approval process for transactions over a certain dollar threshold and keep… IT security up to date with anti-virus and anti-spyware software and a good firewall.”
Ms Rickard added: “Businesses should also check directly with their supplier if they notice a change in account details. It’s vital [businesses] don’t do this just by return email or using other contact details provided.
“Find older communications to ensure you have the right contact details, or otherwise independently source them, so they can be sure they’re not contacting the scammer.”
Anyone who believes their business has fallen victim to a scam should immediately contact their bank in a bid to stop a transaction, as well as consider getting advice from qualified IT professionals to bridge any security gaps.