Businesses are being warned by the government website SCAMwatch, which is run by the Australian Competition and Consumer Commission (ACCC), that an invoice email scam is doing the rounds.
The scam, operating in countries in the northern hemisphere until recently, has now appeared south of the equator. SCAMwatch says the ploy involves scammers pretending to be legitimate suppliers advising businesses of changes to payment arrangements, and says that the scam may not be detected until the business starts to get complaints from suppliers that invoices have not been paid.
Businesses trading overseas, particularly dealing with companies in Asia, are at higher risk of being ripped off by these scams.
How these scams work
Scammers hack into vendor and/or supplier email accounts and obtain information such as customer lists, bank details and previous invoices. Your business receives an email, supposedly from a vendor, requesting a wire transfer to a new or different bank account.
The scammers either disguise their email address or create a new address that looks nearly identical. The emails may be spoofed by adding, removing, or subtly changing characters in the email address, which makes it difficult to tell the scammer’s email from a legitimate address.
The email may look to be from a genuine supplier and often copies a business’s logo and message format. It may also contain links to websites that are convincing fakes of the real company’s homepage or links to the real homepage itself.
The scam email requests a change to usual billing arrangements and asks you to transfer money to a different account, usually by wire transfer.
SCAMwatch says there are steps to take to protect your business and make it “fraud-free”, and says effective management procedures can go a long way towards preventing scams. Steps can include making sure your business:
- has a clearly defined process for verifying and paying accounts and invoices
- considers a multi-person approval process for transactions over a certain dollar threshold
- ensures staff are aware of this scam and understand how it works so they can identify it, avoid it and report it
- double checks email addresses — scammers can create a new account that is very close to the real one; if you look closely you can usually spot the fake
- does not seek verification via email — you may be simply responding to the scammer’s email or scammers may have the capacity to intercept the email. If you think a request is suspicious, telephone the business to seek verification of the email’s authenticity
- does not call any telephone number listed in the email; instead, use contact details that you already have on file for the business, or that you have sourced independently
- does not pay, give out or clarify any information about your business until you have looked into the matter further
- checks IT systems for viruses or malware — always keep your computer security up-to-date with anti-virus and anti-spyware software and a good firewall.
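The check on look-alike addresses (characters added, removed or subtly changed) can be partly automated by comparing each sender against the supplier addresses already on file. The following is an added example, not from SCAMwatch or the original article; the function names, the two-edit threshold and all addresses are assumptions constructed for illustration.

```python
from typing import Iterable, Optional, Tuple

# Constructed sample data: supplier addresses the business already has on file.
VENDORS_ON_FILE = {
    "accounts@acme-supplies.example",
    "billing@northwind-parts.example",
}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: count of single-character adds, removals, changes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # character removed
                           cur[j - 1] + 1,              # character added
                           prev[j - 1] + (ca != cb)))   # character changed
        prev = cur
    return prev[-1]

def classify_sender(sender: str, known: Iterable[str],
                    max_distance: int = 2) -> Tuple[str, Optional[str]]:
    """Return ('known', addr), ('lookalike', closest_addr) or ('unknown', None)."""
    sender = sender.strip().lower()
    known_norm = {k.strip().lower() for k in known}
    if sender in known_norm:
        return ("known", sender)
    # Find the on-file address closest to the sender (hypothetical threshold: 2 edits).
    best = min(known_norm, key=lambda k: edit_distance(sender, k), default=None)
    if best is not None and edit_distance(sender, best) <= max_distance:
        return ("lookalike", best)   # near-miss of a real supplier: treat as suspicious
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed senders: exact match, changed character, removed character, unrelated.
    for addr in ["accounts@acme-supplies.example",
                 "accounts@acme-suppl1es.example",
                 "accounts@acmesupplies.example",
                 "sales@unrelated-firm.example"]:
        print(addr, "->", classify_sender(addr, VENDORS_ON_FILE))
```

An exact match only shows the address is on file; because scammers may be operating from a hacked supplier account, a request to change bank details still needs verification by telephone using contact details already on file.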
Report any scams
If you’ve been scammed there are steps you can take to minimise the damage and prevent further loss. Follow this checklist from SCAMwatch to protect yourself. You can report scams to the ACCC via the SCAMwatch report a scam page or by calling 1300 795 995.
You should also spread the word to your colleagues.
Source: Taxpayers Australia Limited