Business email compromise is one of the leading causes of fraud-related financial loss in Australia. Business owners can’t afford to be complacent.
Scamwatch has reported that more than $25million was lost to false billing or invoice scams in 2022.1 So how can you protect your business? We’ve listed some common red flags to look out for.
- Changes to bank account details for regular clients or suppliers.
- Payment urgency.
- Request out of usual business hours.
- Unusual terms, like ‘wire transfer’.
- Vague payment purpose.
- Unusually large sums of money.
It’s important to set up processes to handle these types of requests. Here are some tips to help get you started.
- Ensure everyone in the business is aware of the fraud red flags outlined above and what your escalation points are.
- Segregate duties so that different people are responsible for requesting and authorising payments.
- Obtain verbal confirmation if:
- payment instructions are received via email
- there is a request to change payment details, or
- if payment is requested outside of usual business.
The telephone is one of the best anti-fraud tools we have. If in doubt, give your supplier or client a call to double check the request has come from them.
Beyond fake invoice scams, businesses of all sizes can be vulnerable to malware and ransomware. Malware is malicious software that can be downloaded inadvertently if an email attachment is opened or a link is clicked. This is one way that malware can compromise a device. Some malware (worms) can spread through a network, while some can pose as legitimate software.
Scammers then have access to your computer and could freeze your systems while files are encrypted. A payment demand may follow, which is called ransomware. Other demands such as banking malware may interfere with payments.
Look out for these warning signs before you click on a link.
- Does the sender have a webmail email address (such as Hotmail) rather than a business one?
- Is it addressed to ‘Dear Customer’ rather than your name?
- Does the email ask for more information than the sender would need (such as a driver’s licence number)?
- Does it include a very strong request for action involving clicking a link?
Your bank will never ask you for confidential information, such as your PIN or date of birth, via email. Even if a link looks like a website you trust, it’s safer to type in the URL yourself.
If you think you’ve been the victim of fraud, contact your bank straight away.