Cyber Attack – Protecting yourself from payment redirection fraud

Online scams have been around for a long time. While we may have become better at spotting a suspicious looking email dotted with spelling mistakes and bad grammar, we don’t usually expect the scam to involve people or businesses that we deal with on a regular basis or would otherwise believe to be trustworthy.

Our firm has noticed a marked increase in ‘man in the middle attacks’. These are scams involving fraudulent online payments where an email account is first hacked. The hacker then either intercepts a conversation between a payer and payee and redirects the payment to a different account, or initiates contact with the payer and provides new account details, either within the body of an email or by changing the payment details in an otherwise legitimate invoice. The legal, building and real estate industries have been affected, as have not-for-profit organisations, small businesses and government agents.

Losses can be significant, particularly in the case of property transactions with people losing deposits or final payments after inadvertently sending the funds to a scammer’s bank account.

A car dealership recently lost $65,000 after payment of an invoice was directed to a bank account that had been changed. The dealership made a purchase from a supplier and received an invoice with correct bank details. A week later, an email request was sent by scammers asking that the payment be directed to a new bank account. The dealership asked by return email that the request be made on company letterhead, which was provided. In line with the dealership’s procedures, an attempt was made to get a verbal confirmation of the change, but there was no answer on the provided contact number. The payment was made regardless. The scam only came to light when the supplier later queried the non-payment of the invoice.

How can you protect yourself?

If you’re a business owner, be alert to attempts by scammers to intercept payments due and owing to you and ensure that your email accounts and computer systems have adequate security systems in place to reduce the risk of hacking.

If your business receives a lot of payments by electronic transfer, consider including a statement on all email communications with customers stating that the business’s bank account details will not change during the course of the transaction and that the business will not change its bank account details via email. Update your terms and conditions to set out a clear process for changing key information. For example, you might implement a policy that no changes should be made to banking or personal details without them first being verified directly by phone with a nominated individual from your organisation.

Regularly check sent and deleted email folders, as well as bank account statements, for unusual activity.

If you are transferring funds to a business’s account, closely scrutinise the invoice and query any changes to ensure that the payment is going to the correct account. If you receive a payment request that seems unusual or an email request to change bank account details, get verbal confirmation before making the payment.

It’s important that you do not use the contact details provided in the email notifying the change of bank details as these could divert you to the scammers. Instead, use contact information on previous correspondence or look up the business online.
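The two checks above (query any change to bank details, and take the callback number from your own records rather than from the email) can be enforced in an accounts-payable system rather than left to memory. The following is an added illustration, not code from SRM Lawyers or from any product; it assumes a hypothetical vendor master list holding each payee's known-good BSB, account number and the phone number captured from earlier correspondence, and the sample vendor values are constructed.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional


@dataclass(frozen=True)
class VendorRecord:
    """Known-good payee details, captured when the relationship was set up."""
    name: str
    bsb: str
    account: str
    callback_phone: str  # from prior correspondence or the vendor's own website


@dataclass(frozen=True)
class PaymentRequest:
    """What an incoming invoice or 'please update our details' email asks for."""
    vendor_name: str
    bsb: str
    account: str
    phone_in_email: Optional[str] = None  # contact number the email itself supplies


# Constructed sample vendor master (hypothetical values); a real one lives in
# the accounts system and is never updated from the content of an email.
VENDOR_MASTER: Dict[str, VendorRecord] = {
    "Example Parts Supply": VendorRecord(
        "Example Parts Supply", "000-000", "11111111", "+61 0 0000 0001"
    ),
}


def assess_payment_request(req: PaymentRequest,
                           master: Dict[str, VendorRecord]) -> dict:
    """Decide whether a payment can proceed or must be held for verbal confirmation.

    Returns status 'ok' or 'hold', the reasons for a hold, and the number to call
    for verification (always the number on record, never the one in the email).
    """
    reasons: List[str] = []
    record = master.get(req.vendor_name)
    if record is None:
        reasons.append("payee not in vendor master: set up and verify before paying")
        return {"status": "hold", "reasons": reasons, "verify_using": None}

    if (req.bsb, req.account) != (record.bsb, record.account):
        reasons.append("bank details differ from vendor master: verbal confirmation required")

    if req.phone_in_email and req.phone_in_email != record.callback_phone:
        reasons.append("email supplies a contact number that is not the number on record: do not use it")

    status = "hold" if reasons else "ok"
    return {
        "status": status,
        "reasons": reasons,
        "verify_using": record.callback_phone if status == "hold" else None,
    }


def apply_verified_change(master: Dict[str, VendorRecord], vendor_name: str,
                          new_bsb: str, new_account: str,
                          verified_by: str) -> Dict[str, VendorRecord]:
    """Record new bank details only after a named person has confirmed them by phone.

    Returns a new master dict; the original is left untouched.
    """
    if not verified_by.strip():
        raise ValueError("bank detail changes must name who verified them by phone")
    if vendor_name not in master:
        raise KeyError(f"unknown vendor: {vendor_name}")
    updated = dict(master)
    updated[vendor_name] = replace(master[vendor_name], bsb=new_bsb, account=new_account)
    return updated


if __name__ == "__main__":
    # An invoice matching the record is fine; a changed account number is held.
    print(assess_payment_request(
        PaymentRequest("Example Parts Supply", "000-000", "11111111"), VENDOR_MASTER))
    print(assess_payment_request(
        PaymentRequest("Example Parts Supply", "000-000", "22222222", "+61 0 0000 0999"),
        VENDOR_MASTER))
```

The point of the design is that the email is never trusted as a source of either the account number or the phone number: a mismatch on either puts the payment on hold, and the only number handed back for the call is the one already on file. Updating the record requires naming who made the confirming call, which gives you the audit trail the dealership example lacked.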

Cyber risk insurance policies are available for businesses to cover cyber extortion, media content, and network interruption.

What can you do if you’ve been scammed?

Unless the other party is waiting for the money and regularly checking their bank account, you may not find out that the money has gone to the incorrect account until the payee chases you up for non-payment, which could be days or weeks later.

Once you’re aware that a scam has taken place, contact your bank immediately. There’s a small chance that they may be able to recover the funds from the recipient bank, if withdrawals haven’t already been made. You should also consider obtaining professional IT advice to secure your email systems and data from hackers. The ACCC Scamwatch website provides detailed information about various types of scams, how to protect yourself, reporting a scam and getting help. It provides a list of authorities that you can contact, depending on the type of scam you’re caught up in.

When one party makes a payment to an incorrect bank account because of fraud, the invoice remains unpaid and debt recovery action against the victim of the fraud can be commenced to enforce payment, meaning the victim may be out of pocket for double the amount. According to Scamwatch, businesses have reported direct losses to these scams in 2018 totalling $2.8 million, but this is only a fraction of total losses to this type of scam across Australia.

Being aware of the scam is the first step in protecting yourself. Be cautious when transferring large amounts of money by EFT and always verify account details by telephone if you have been advised by email of any changes. Once a payment is made, and particularly if it is a large sum of money, send an email confirmation to the recipient that day confirming payment.

Please contact SRM Lawyers if you’ve been affected by a scam or if you’d like more information about how to update your organisation’s policies to better protect yourself in the future.