The warning came from WA’s Consumer Protection Commissioner, David Hillyard, after scammers cloned emails from a Perth settlement agent.
According to Mr Hillyard, the scammers had “cloned” the settlement agent’s email address and changed only a single character, before sending a payment request to the buyer of an undisclosed business.
The buyer, believing the payment request to be legitimate, made the payment, worth $48,000.
A second client of the same settlement agent advised that they had sent $22,000 to what is believed to be the same scammer as in the first instance.
Payment interceptions are not new, having previously been successful in duping businesses and their customers out of large sums of money.
Two customers of a WA builder also lost a collective $70,000 at the beginning of 2019 to similarly doctored emails requesting payment of the next instalments on the construction of their new homes.
Indeed, a quarterly report by data security firm Mimecast, released last month, showed the number of such scams, known as business email compromise attacks, had soared by 269 per cent on the previous quarter.
“These payment interception scams are becoming increasingly common, where the fraudsters become the ‘man in the middle’ and redirect payments from a legitimate bank account to their own,” Mr Hillyard warned.
“Money transfers related to property transactions usually involve large amounts, so tapping into the communications between sellers or buyers and real estate or settlement agents is a significant target with potentially high windfalls for the scammers.
“If successful, as in this case, the proceeds from this type of cyber crime can be lucrative, so we want to make sure that these incidents are not repeated and don’t give any incentive for fraudsters to continue their criminal activities and profit from them.”
Mr Hillyard urged all buyers and sellers of properties and businesses to “be suspicious” of requests for payment or change of bank account details.
“To help prevent any losses, all it takes is a phone call to confirm requests for money or a change in bank account details are genuine,” he said.
“Don’t use phone numbers given in the email and don’t directly reply to the email. Use the contact details previously provided.”
In this particular instance, the settlement agent had been using a Yahoo email address. Mr Hillyard’s agency urged businesses to avoid using such generic email addresses, alongside establishing “secure practices with regard to communications and financial transactions” in a bid to limit exposure to email impersonation scams.
Other steps businesses can take to safeguard themselves and their customers, according to Consumer Protection, include:
- Use a business-grade hosted email service with advanced filtering of spam and malicious content diagnostics.
- Use the forward button rather than hitting reply when responding to emails, and then manually type the relevant email address from your address book.
- Establish a “double check” for clients to verify that payment requests are legitimate.
- Call the sender (using previously provided numbers rather than any number listed in the email) to verify that any .zip file or attachment is legitimate and did come from them.
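
The single-character address change described above can also be checked automatically against an address book of known contacts. The following is an added example, not code from Consumer Protection or the article; the function names, the address book and the sample addresses are constructed for illustration.

```python
from email.utils import parseaddr

def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = 0 if ca == cb else 1
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition, e.g. "st" typed as "ts".
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def normalise(header_value: str) -> str:
    """Return the bare, lower-cased address from a From header value."""
    return parseaddr(header_value)[1].strip().lower()

def classify_sender(from_header, address_book, max_edits=1):
    """Return ('known', addr), ('lookalike', imitated_addr) or ('unknown', None)."""
    sender = normalise(from_header)
    known = {normalise(a) for a in address_book}
    if sender in known:
        return ("known", sender)
    for addr in sorted(known):
        # Close to a trusted contact but not identical: treat as impersonation.
        if 0 < osa_distance(sender, addr) <= max_edits:
            return ("lookalike", addr)
    return ("unknown", None)

# Constructed sample data: one trusted contact and four incoming From headers.
ADDRESS_BOOK = ["accounts@agent.example"]
SAMPLES = [
    "Settlement Agent <accounts@agent.example>",   # genuine
    "Settlement Agent <accounts@aqent.example>",   # one character substituted
    "acounts@agent.example",                       # one character dropped
    "newsletter@shop.example",                     # unrelated sender
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(header, "->", classify_sender(header, ADDRESS_BOOK))
```

A "lookalike" result is a reason to make the verification phone call, not a substitute for it: the check only compares the address, so a spoofed display name or a compromised genuine mailbox will still pass as "known".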