Receive the latest mybusiness news
Copyright © 2020 MOMENTUMMEDIA

Payment redirection scams cost businesses $14m last year: ACCC

Adrian Flores
Adrian Flores
30 March 2021 2 minute readShare
cyber scams

Businesses reported over $14 million in losses due to payment redirection scams last year, according to the competition regulator.

In addition, average losses so far in 2021 are more than five times higher compared with average losses in the same period last year.

In a payment redirection scam, also known as business email compromise scam, scammers impersonate a business or its employees via email and request that money, which usually is owed to the legitimate business, is sent to a fraudulent account.

Payment redirection scams can take several different forms. In some instances, scammers hack into a legitimate email account and pose as the business by intercepting legitimate invoices and amending the bank details before releasing emails to the intended recipients.

ACCC deputy chair Delia Rickard said payment redirection scams impact businesses across many industries, including real estate, construction, law, recruitment and universities.

“Scammers tend to target new or junior employees, or even volunteers, as they are less likely to be familiar with their employer’s finance processes or the types of requests to expect from their supervisors,” Ms Rickard said.

“We recommend organisations ensure their staff are well trained in the company’s payment processes and remain aware of payment redirection scams.”

In one instance, the ACCC noted a victim lost $16,500 in a single transaction after a scammer used a staff member’s email address to send an invoice to a customer with “updated bank details”, redirecting the payment to the scammer’s personal bank account.

Other times, payment redirection is done by spoofing, when scammers impersonate CEOs or other senior managers using a registered email address that is very similar to that of the genuine email address.

The scammer will then request that staff transfer funds to them or make a payment to a third party on behalf of the business.

ACCC’s Scamwatch also received reports of scammers posing as staff members, where they request the employee’s salary be paid into the scammer’s bank account.

Scammers posed as the president or treasurer and requested staff to action payments for “equipment” or other business needs, but the money went straight into the scammer’s bank account.

Other businesses or individuals have also inadvertently paid a scammer as a result of a payment redirection scam.

“An increasing number of reports are coming from sports and community clubs, which reported more than $55,000 in losses to payment redirection scams last year. It is likely we will see similar figures this year, with $18,000 already reported lost so far in 2021,” Ms Rickard said.

“It can be difficult to recover money lost to a payment redirection scam, so prevention is really important.

“Don’t deviate from your organisation’s payment procedure, even if the request you have received appears to come from your CEO or a senior manager.”

Ms Rickard advised if a business has received a request that creates a sense of urgency, don’t rush.

She added that if someone has been the victim of a scam, contact your bank as soon as possible and contact the platform on which you were scammed to inform them of the circumstances.

“Take the time to consider and check whether an email is real, including by looking carefully at the sender’s email address, before acting on instructions,” Ms Rickard said.

“Whenever there is a request to change payment details, always check with the organisation using stored contact details, rather than those in the requesting communication.”

Businesses can report a cyber crime by visiting the business reporting page at cyber.gov.au.

Payment redirection scams cost businesses $14m last year: ACCC
mybusiness logo
Adrian Flores
Adrian Flores

Adrian Flores is the deputy editor of MyBusiness. Before that, he was the deputy editor for SMSF Adviser as well as features editor for ifa (Independent Financial Adviser), InvestorDaily, Risk Adviser, Fintech Business and Adviser Innovation.

You can email Adrian at [email protected].

Leave a Comment

Latest poll

How satisfied are you with the SME measures in the federal budget?