In one of the latest reports from the Australian Competition and Consumer Commission (ACCC), payment redirection scams defrauded Aussie businesses to the tune of $227 million, making them the most dangerous fraud issue of the moment. This is compared to the still-massive $128 million lost to very similar business email compromise scams, emphasising just how essential cybersecurity services and staff IT security training are to modern businesses.
What is a payment redirection scam?
This is a form of business email compromise scam. It works because people assume the contact they are dealing with is legitimate and do not question a change in payment details. Here’s how it works.
- Malicious actor gains access to legitimate business accounts – This is achieved through phishing tools, hacking unsecured email accounts, or manipulating a person into giving them login details.
- Emails are intercepted on the compromised account – This gives the attacker full visibility of the correspondence with you as a contact.
- Bank account details are changed – Often contact details are changed too. The attacker may tell clients that the banking details of the company they represent have changed and that they are a new employee, or they may simply pretend to be the person whose account they have compromised.
- Invoices are intercepted – Legitimate invoices are intercepted, the banking details are changed, and the invoice is forwarded on to the correct contact. The recipient usually won’t notice the change because the invoice looks correct and appears to come from the right person.
- Payments are made – The receiver pays the invoice into the account held by the malicious actor.
- Payment is hidden – As soon as the money is received, it is moved out of the account so that it can still be used even if the fraudulent account is detected and frozen.
- Scam becomes known – This may only happen weeks later, when the sender of the invoice queries why it has not been paid.
How to protect your organisation
- Always look at the bank account details. If they differ from the details you have on file, call the client directly using a number you already have, not the number on the invoice.
- Make sure the invoice is real. Confirm that these are products or services you have received and that the numbers are correct.
- Never share personal account details with anyone, especially your login and password. Use a password manager to generate passwords that are very difficult to break, and change them frequently. Multifactor authentication should be used at all times, especially when paying invoices and accessing email.
- Train your staff. Cybersecurity awareness training will help your staff be more vigilant in both protecting their email accounts and detecting payment redirection scams. Encourage them to double-check payments before making them and not to fall for pressured emails that demand immediate payment.
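One way to build the first two checks above into an accounts-payable workflow, as an added example that is not from the original article or from Otto: a small Python check that compares the bank details and contact number on an incoming invoice against the vendor record already on file, and flags wording that pressures for immediate payment. The vendor master data, BSB, account and phone numbers are constructed placeholders.

```python
import re

# Constructed vendor master file (example data, not from the original article):
# the details your organisation already holds, independent of any invoice.
VENDOR_MASTER = {
    "Acme Supplies Pty Ltd": {
        "bsb": "000-000",         # placeholder BSB
        "account": "00001234",    # placeholder account number
        "phone": "03 9000 0000",  # number recorded when the vendor was onboarded
    },
}

# Wording the article warns about: pressure to pay immediately.
URGENCY_WORDS = ("urgent", "immediately", "today", "final notice", "overdue")


def digits(value):
    """Keep only digits so '000-000' and '000 000' compare equal."""
    return re.sub(r"\D", "", value or "")


def check_invoice(invoice, master=VENDOR_MASTER):
    """Return (action, reasons) for an incoming invoice.

    'hold'   - bank details differ from file: stop and call the number on file.
    'verify' - other warning signs: confirm goods/services and sender before paying.
    'pay'    - everything matches what is on file.
    """
    vendor = master.get(invoice["vendor"])
    if vendor is None:
        return "hold", ["vendor not in master file; onboard and verify before paying"]
    reasons = []
    bank_changed = (digits(invoice["bsb"]) != digits(vendor["bsb"])
                    or digits(invoice["account"]) != digits(vendor["account"]))
    if bank_changed:
        reasons.append(f"bank details differ from file; call {vendor['phone']} "
                       "(the number on file, not the one on the invoice)")
    if digits(invoice.get("phone")) not in ("", digits(vendor["phone"])):
        reasons.append("contact number on invoice differs from file; do not use it")
    text = (invoice.get("message") or "").lower()
    if any(word in text for word in URGENCY_WORDS):
        reasons.append("invoice demands immediate payment; double-check before paying")
    if bank_changed:
        return "hold", reasons
    return ("verify", reasons) if reasons else ("pay", reasons)
```

A changed BSB or account number always results in a hold, so the callback to the number on file happens before any payment is released.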
At Otto, we help businesses to protect data effectively while allowing you to use it efficiently, shielding client data and sensitive information from hackers and malware while helping you collect operational data to improve processes, customer service, and more. Chat to our Melbourne-based team today for IT security that works with your business.