Business email compromise: our business lost $190 000 when our supplier's email was hacked


Our story

We are the victims of an email hacking scam. The scammers appear to have hacked a supplier’s email and advised us of a change in bank details. The scammers sent us invoices with amended bank details as well as the prior email trail to and from the supplier, so they must have been in their IT system. Everything was a perfect copy of a real version of the invoices we were so used to. We didn’t notice the difference.

Thinking it was real, we sent an amount of $190 000 but the real supplier never received it. The email address was also correct for the supplier, but they told us that they did not receive our responses. The scammers seem to have some way of hiding our responses from the supplier. We didn’t find out about this until our supplier contacted us via phone to talk about not receiving the money.

Signs this was a scam

  • The change in bank details was the only sign that this was a scam.
  • Scammers often pose as one of your regular suppliers and tell you that their banking details have changed. They may tell you they have recently changed banks, and may use stolen letterhead and branding or even hacked emails to convince you they are legitimate.
  • The scam was difficult to spot, as the invoices looked entirely genuine and the scammers had included copies of previous invoices. The business even checked that the email address of the sender matched the supplier’s email address.

Avoid this type of scam

  • Contact the supplier directly using a second, reliable mode of communication such as a known phone number to verify any request to change bank details.
  • Consider a multi-person approval process for transactions over a certain dollar threshold, with processes in place to ensure the business billing you is the one you normally deal with.
  • Prevent your IT systems from being compromised. Keep your IT security up to date by regularly patching your systems and running antivirus software, and have a good firewall to protect your data.

*The story above is based on one or more real scam reports received by the ACCC. For privacy purposes the names and images of victims have not been used.

Have you been scammed?

If you think you've been scammed or know someone who has, report it to the ACCC using our report a scam page.

If you have lost money, contact your bank or financial institution immediately.
