Aussie businesses lose $600k to invoice email scam

22.01.2015
Criminals have managed to siphon a total of $600,000 out of Australian businesses by posing as suppliers and requesting payment be sent to a new bank account via email, says SCAMwatch.

The Australian Competition and Consumer Commission (ACCC)'s scam watchdog has received 20 reports about the scam since October 2014. A third of the companies that contacted SCAMwatch reported losses, said ACCC acting chair Michael Schaper.

"In total, we have received reports of $600,000 being lost. One firm reported a loss of approximately $500,000, while another [company] lost $10,000," he said.

Australian firms who mainly deal with companies overseas have been targeted by the scam, he said. "It appears that parts of Asia or Africa are where the scams are taking place or coming from."

Scammers have hacked into vendor or supplier email accounts and taken information such as customer lists, bank details and previous invoices.

A scammer either disguises his/her email address or creates a new address that looks almost identical. The scammer then emails the company and requests a wire transfer to a new or different bank account.

According to Schaper, the scam may not be detected until the business receives complaints from suppliers that payments were not received.

"It's like you got hijacked on the electronic highway," he said.

The United States and Canadian Better Business Bureau and the Internet Crime Complaint Centre (IC3) have also issued warnings about the scam.

Schaper said the scam could be avoided through effective management procedures.

"Have a multiple person approval process for invoices. Having a second person cross checking can sometimes pick up those subtle differences -- they could query why the invoice is going to a different account," he said.

"Double check email addresses -- scammers can create a new account which is very close to the real one. If you look closely, you can usually spot the fake. Make sure the cyber security processes in your accounting packages are up to date."

If people think the request to change bank accounts is suspicious, he advised phoning the supplier to check that the email is real.

"Do not seek verification via email as you may simply be responding to the scammer's email. Don't pay, give out or clarify any information about your business until you have looked into the matter further," said Schaper.

(www.computerworld.com.au)

Hamish Barwick