The Australian Competition and Consumer Commission (ACCC) is reporting that Australian businesses have lost more than $14 million as a result of payment redirection scams, with the average losses in 2021 more than five times higher than average losses in the same period last year.
The scams, also known as business email compromise scams, impersonate businesses or employees via email and request payments to a fraudulent account.
ACCC Deputy Chair Delia Rickard said that there were increasing reports from businesses, sports and community clubs of significant losses.
“An increasing number of reports are coming from sports and community clubs which reported more than $55,000 in losses to payment redirection scams last year. It is likely we will see similar figures this year, with $18,000 already reported lost so far in 2021,” said Rickard.
One victim, the ACCC said, lost an estimated $16,500 in a single transaction after a scammer sent updated bank details to a customer after hacking a staff member’s email and redirecting the payment to the scammer’s personal bank account.
The ACCC recommends that all companies now take the time to consider whether an email is real by looking carefully at the email address before acting on any financial instructions.
“Payment redirection scams impact businesses across many industries, including real estate, construction, law, recruitment, and universities,” Rickard said. “It can be difficult to recover money lost to a payment redirection scam, so prevention is really important.”
“Scammers tend to target new or junior employees, or even volunteers, as they are less likely to be familiar with their employer’s finance processes or the types of requests to expect from their supervisors,” Rickard said.
“We recommend organisations ensure their staff are well trained in the company’s payment processes and remain aware of payment redirection scams,” she said.
Currently, the ACCC has noted that they have received reports of cybercriminals utilising a variety of methods in these schemes, including posing as staff members, where they request the employee’s salary be paid into the scammer’s bank account to hacking into legitimate email accounts and intercepting real invoices to amend bank details before releasing emails to the intended recipients.
“Whenever there is a request to change payment details, always check with the organisation using stored contact details, rather than those in the requesting communication,” Rickard said.