Australian businesses reported over $14 million in losses to Scamwatch due to payment redirection scams last year, and average losses so far in 2021 are more than five times higher compared to average losses in the same period last year.
Total losses are much higher as these scams are reported to a range of different organisations.
In a payment redirection scam, also known as business email compromise scams, scammers impersonate a business or its employees via email and request that money, which usually is owed to the legitimate business, is sent to a fraudulent account.
“Payment redirection scams impact businesses across many industries, including real estate, construction, law, recruitment, and universities,” ACCC Deputy Chair Delia Rickard said.
“Scammers tend to target new or junior employees, or even volunteers, as they are less likely to be familiar with their employer’s finance processes or the types of requests to expect from their supervisors.”
“We recommend organisations ensure their staff are well trained in the company’s payment processes and remain aware of payment redirection scams,” Ms Rickard said.
Payment redirection scams can take several different forms. In some instances, scammers hack into a legitimate email account and pose as the business, by intercepting legitimate invoices and amending the bank details before releasing emails to the intended recipients.
In one instance, a victim lost $16,500 in a single transaction after a scammer used a staff member’s email address to send an invoice to a customer with ‘updated bank details’, redirecting the payment to the scammer’s personal bank account.
Other times, payment redirection is done by spoofing, when scammers impersonate CEOs or other senior managers using a registered email address that is very similar to that of the genuine email address. The scammer will then request that staff transfer funds to them or make a payment to a third party on behalf of the business.
Scamwatch has also received reports of scammers posing as staff members, where they request the employee’s salary be paid into the scammer’s bank account.
“An increasing number of reports are coming from sports and community clubs which reported more than $55,000 in losses to payment redirection scams last year. It is likely we will see similar figures this year, with $18,000 already reported lost so far in 2021,” Ms Rickard said.
Scammers posed as the president or treasurer and requested staff to action payments for ‘equipment’ or other business needs, but the money went straight into the scammer’s bank account.
Other businesses or individuals have also inadvertently paid a scammer as a result of a payment redirection scam.
“It can be difficult to recover money lost to a payment redirection scam, so prevention is really important,” Ms Rickard said.
“Don’t deviate from your organisation’s payment procedure, even if the request you have received appears to come from your CEO or a senior manager.”
“If you have received a request that creates a sense of urgency, don’t rush. Take the time to consider and check whether an email is real, including by looking carefully at the sender’s email address, before acting on instructions,” Ms Rickard said.
“Whenever there is a request to change payment details, always check with the organisation using stored contact details, rather than those in the requesting communication.”
If you have been the victim of a scam, contact your bank as soon as possible and contact the platform on which you were scammed to inform them of the circumstances.
To report a cyber crime visit the business reporting page at cyber.gov.au.