Email Payment Scams

When you or your staff are paying an invoice, how do you know you are paying to the right account?  Can you be sure that the sender’s email hasn’t been compromised?

Email payment scams, also known as Business Email Compromise (BEC), are one of the most reported cyber crimes in Australia and cost small businesses tens of thousands of dollars on average.

What is Business Email Compromise (BEC)?

BEC is the practice of using email to scam people and businesses out of money or information.  This can be either through ‘spoofing’ an email address to look legitimate or actually compromising a business’s email to send fraudulent invoices or requests for information.  These scams are evolving and becoming more and more sophisticated each year.

Invoice Fraud or Supplier Payment Scams

A supplier’s email account may be compromised, and you may receive an email from the supplier stating they have changed banks and asking you to record their new account number.  Or the hacker may change the account number on a legitimate invoice to their own account.  I saw this several times while working in the bank; some were caught successfully, but others saw thousands of dollars sent to a scammer’s bank account with the money unable to be recovered.

When scammers impersonate a supplier, these scams can look very real, complete with legitimate branding.  You may receive a fake invoice attached to an old email chain, or the scam may start with a request to update contact details and change account details.

Employee Impersonation

Scammers will go so far as to monitor their target’s movements via social media.  When they see someone is away they will send an ‘urgent’ or ‘confidential’ request along the lines of ‘I’m stuck at this conference and can’t get to my computer to approve this invoice but it’s urgent, can you please pay it immediately’.

Prevention

Human error is the biggest risk when it comes to cyber crime, so training yourself and your staff to spot a scam is your first line of defence.  Don’t just run training once; regular awareness is super important to maintain.

Start with the basics: have a strong password, don’t share that password, don’t share PINs and switch on multi-factor authentication (MFA). Clearly, having a spam filter and anti-virus or firewalls for your systems is also really important.

Having clear and concise payment practices and procedures is one of the best defences against BEC.

When paying a supplier for the first time, have a policy to contact the supplier directly via an independently sourced phone number to confirm the account number.

Be really suspicious when you receive a notification of a supplier changing their account number.  If an invoice suddenly has a different account number or you receive an email advising you of a change, again, contact the supplier.  Don’t use the contact details in the email; you may end up talking to the scammer!

Write down your payment procedures and have clear requirements for authorisations and dual approvals to create a safety net.

My recent experience in avoiding a real-life email scam!

Recently I received an email seeking a Request for Proposal.  It was from a company that I would usually source equipment from, so this was really unusual.  The email was beautifully branded and well written, and as someone with a new business who is always looking for opportunities, it really piqued my interest.  I came so close to clicking on the link to investigate.  But! The awareness drilled into me over years and years working in finance kicked in and I got suspicious.  I deleted the email and sent a courtesy note to the supplier letting them know what I had received and that either it was sent in error or they had been compromised.  Half an hour later, an email from the company confirming they had been breached was issued.  Thank goodness that training kicked in.

The prevention strategies here may seem like simple things, but done right, they can prevent really costly mistakes.

Need some help?

If you need help with business planning, governance, risk or compliance, or to get your business organised, Elouise from Ellevate Solutions is here to help you.
