Scam Awareness - Craig Clarke
10 March 2024

Scams targeting businesses are on the rise, with reported losses of $23.2 million last year, according to the ACCC. Payment redirection scams, known as Business Email Compromise, pose a significant threat. Scammers compromise emails through credential phishing or stuffing, intercepting invoices and redirecting payments to their accounts. To safeguard against this, businesses should verify new payment details with vendors through trusted channels. Training staff to recognize and report suspicious emails is crucial. Implementing multifactor authentication and keeping antivirus software updated adds an extra layer of security. If a business email is compromised, immediate steps include changing passwords, contacting the financial institution, and reporting the scam to Scamwatch and Report Cyber.

Scams continue to rise year on year, and businesses are no exception to being targeted by scammers. Last year the ACCC reported that businesses lost $23.2 million to scams, with small and micro businesses reporting losses of $13.7 million. However, many businesses do not report scam incidents, and therefore the actual figures are higher. For some businesses, a single scam incident could mean the loss of an entire year’s worth of wages or revenue.

To safeguard yourself, it’s important to know the various scam typologies that impact your business and the protection mechanisms you can put in place. A scam that commonly targets businesses is the payment redirection scam, also known as Business Email Compromise.

As indicated in the name, scammers can compromise your business or your vendor’s email to intercept and redirect payments or invoices to a new account, or new payment email address.

The initial compromise can be achieved through two main methods:

• Credential phishing is when a member of staff has been tricked into entering their username and password into a fake login page. Those details are then stolen and used to log on to the system instead of the legitimate employee.

• Credential stuffing is when attackers use credentials stolen in previous breaches of other online service providers, relying on the fact that people generally re-use the same password across services.  

Once the scammer has access to the compromised inbox, they will monitor emails, looking for those with invoices requesting payment. They will then intercept these, change the account details to ones they control, and send them on to the intended recipient. The falsified email or invoice will look the same as the legitimate one; however, the account details will be different.

Where new payment details are detected for an existing vendor, it’s important to call the vendor on a trusted number to verify the legitimacy of the details. A quick phone call seems simple and rudimentary, but it can save your business from transferring thousands, or perhaps millions to a scammer.
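The comparison that triggers this phone call can be built into accounts payable so that a changed detail is never paid unnoticed. The following is an added example, not part of the original article: the vendor master layout, field names and all sample values are constructed assumptions, and it also holds invoices from vendors not yet on file, which goes slightly beyond the existing-vendor case described above.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class BankDetails:
    bsb: str
    account: str

def normalise(bsb: str, account: str) -> BankDetails:
    # Keep digits only, so "012-345" and "012345" compare equal and a
    # formatting difference alone never raises a false alarm.
    return BankDetails(re.sub(r"\D", "", bsb), re.sub(r"\D", "", account))

# Constructed vendor master file: details already confirmed with the
# vendor on a trusted phone number (assumed layout).
VENDOR_MASTER = {
    "V001": {"bank": normalise("012-345", "1111 2222"),
             "email": "accounts@vendor-one.example"},
}

def review_invoice(invoice: dict) -> tuple[str, list[str]]:
    """Return ("PAY" or "HOLD", reasons) for one incoming invoice."""
    vendor = VENDOR_MASTER.get(invoice["vendor_id"])
    if vendor is None:
        return "HOLD", ["vendor not in master file"]
    reasons = []
    if normalise(invoice["bsb"], invoice["account"]) != vendor["bank"]:
        reasons.append("bank details differ from verified record")
    if invoice["remit_email"].strip().lower() != vendor["email"]:
        reasons.append("payment email differs from verified record")
    # Any difference means: call the vendor on the trusted number first.
    return ("HOLD" if reasons else "PAY"), reasons

# Constructed sample invoices.
SAME = {"vendor_id": "V001", "bsb": "012345", "account": "11112222",
        "remit_email": "Accounts@Vendor-One.example"}
CHANGED_BANK = dict(SAME, bsb="987-654", account="9999 0000")
CHANGED_EMAIL = dict(SAME, remit_email="accounts@vendor-0ne.example")
UNKNOWN = dict(SAME, vendor_id="V999")

if __name__ == "__main__":
    for inv in (SAME, CHANGED_BANK, CHANGED_EMAIL, UNKNOWN):
        print(inv["vendor_id"], *review_invoice(inv))
```

A held invoice should be released only after the vendor has confirmed the new details on the trusted number, at which point the master record is updated.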

It’s important to train your staff and employees to spot and escalate suspicious emails, payment requests and phishing texts. Your people are the first line of defence in protecting your business from Business Email Compromise scams.

Finally, it’s important to protect your online services and accounting platforms with multifactor authentication (MFA). This adds an additional layer of security to your systems and is used as another control to ensure only legitimate staff and employees access your sensitive data and services. You can contact your IT provider to discuss ways to implement MFA and ensure you have the latest antivirus software to protect your business from malware and viruses.

So, what happens if you believe your business email has been compromised? It’s important to immediately change your email password. Importantly, if any funds have been lost, immediately contact your financial institution, and report the scam to Scamwatch and Report Cyber.