According to the Western Australian government, small businesses are increasingly being caught up in fraud whereby scammers impersonate third-party suppliers, in a trend known as 'man in the middle scams'.
What is a man in the middle scam?
The scam begins with the scammer researching the target business, which may involve phoning the business to find out who is responsible for finance, and sending emails with spyware attached to observe that business’ network.
“They may involve multiple convincing phone calls based on prior research about active work,” said Detective Senior Sergeant Steve Potter of the WA Police Major Fraud Squad.
“The attackers appear to have reasonably detailed knowledge of both current work or projects and associated suppliers.
“The MO used by offenders is otherwise known as a ‘man in the middle’ attack.”
The scammers then set the plans in motion, masquerading as a supplier of the business, mentioning goods or services that may legitimately need to be paid for.
Instead of requesting payment into the regular account, however, the scammers ask for payment to be made into an alternative account, which actually belongs to them.
“The attackers have taken steps to have destination bank details altered by the victim business and thereby cause funds to be directed to accounts accessible by the offenders or their associates,” Mr Potter said.
How can I avoid a man in the middle scam?
WA ScamNet has provided the following tips for business owners and financial directors to avoid man in the middle scams:
- If you receive a phone call, email or letter from a supplier seeking a change to the bank account details you use to pay them, be suspicious.
- Use the correct, verified number from the supplier’s website, or the one you have on file, to call a known contact directly to confirm that the request is legitimate.
- If emailing, type the known email address (double check it!) in the ‘to’ section, rather than replying to an email received.
- A BSB search can easily be done online and will reveal which bank and branch hold the account you have been asked to pay into.
- Remember that the account name you type when making a bank transfer has no bearing on where the money goes. For example, you can be asked to write 'Legitimate Pty Ltd' for the name of the account holder, but the bank account can belong to scammers posing as the company.
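The tips above amount to a short triage procedure for any request to change a supplier's bank details. The following Python script, added here as an illustration and not part of the WA ScamNet material, encodes that procedure: every change of BSB or account number is placed on hold, the sender's address is compared with the address on record (including near-miss lookalike domains), any reply-to or callback number supplied in the request is distrusted, and confirmation is routed only to the phone number already on file. The account name in the request is deliberately never used as evidence, because it has no bearing on the transfer. The supplier record, the requests and all domains and numbers are constructed for the example.

```python
"""Triage a supplier request to change bank details (added example).

All supplier records, email addresses, phone numbers and bank details
below are constructed for illustration and do not belong to anyone.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class SupplierRecord:
    """Contact and banking details the business has already verified."""
    name: str
    verified_email: str
    verified_phone: str
    bsb: str
    account: str


@dataclass
class ChangeRequest:
    """What arrived in the inbox asking for new payment details."""
    from_addr: str
    reply_to: Optional[str]
    new_bsb: str
    new_account: str
    stated_account_name: str       # recorded for the file, never used as evidence
    callback_number: Optional[str]  # a number the *request* asks you to call


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def triage(req: ChangeRequest, supplier: SupplierRecord) -> dict:
    """Return findings plus the only channel confirmation should go through."""
    findings = []
    known_dom = domain(supplier.verified_email)
    sender_dom = domain(req.from_addr)

    # Tip 1: any change to the details on file is suspicious by itself.
    changed = (req.new_bsb, req.new_account) != (supplier.bsb, supplier.account)
    if changed:
        findings.append("bank details differ from record")

    # Tip 3: the sender must match the address on file, not merely resemble it.
    if sender_dom != known_dom:
        if edit_distance(sender_dom, known_dom) <= 2:
            findings.append(f"lookalike sender domain {sender_dom!r} vs {known_dom!r}")
        else:
            findings.append("sender domain does not match record")
    if req.reply_to and domain(req.reply_to) != known_dom:
        findings.append("reply-to points away from the supplier's domain")

    # Tip 2: never confirm via a number that arrived with the request.
    if req.callback_number and req.callback_number != supplier.verified_phone:
        findings.append("callback number in request differs from the number on file")

    return {
        "hold": changed or bool(findings),
        "findings": findings,
        "confirm_via": supplier.verified_phone,  # the number on file, always
    }


# Constructed sample data.
SUPPLIER = SupplierRecord("Legitimate Pty Ltd", "accounts@legitimate-example.com",
                          "+61-8-0000-0000", "000-000", "11111111")

SPOOFED_REQUEST = ChangeRequest(
    from_addr="accounts@legitimate-exarnple.com",   # 'rn' standing in for 'm'
    reply_to="accounts@legitimate-exarnple.com",
    new_bsb="000-999", new_account="22222222",
    stated_account_name="Legitimate Pty Ltd",
    callback_number="+61-8-9999-9999",
)

UNCHANGED_REQUEST = ChangeRequest(
    from_addr="accounts@legitimate-example.com", reply_to=None,
    new_bsb="000-000", new_account="11111111",
    stated_account_name="Legitimate Pty Ltd", callback_number=None,
)

if __name__ == "__main__":
    for label, req in (("spoofed", SPOOFED_REQUEST), ("unchanged", UNCHANGED_REQUEST)):
        print(label, triage(req, SUPPLIER))
```

Note that a request from the genuine domain with new details still comes back with `hold` set, matching the first tip: a compromised supplier mailbox looks exactly like the real thing, so the decision rests on the out-of-band call to the number on file, not on how convincing the email is.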