The Australian Competition and Consumer Commission is calling for an urgent review of the way businesses verify and pay invoices following a 30 percent increase in the number of business email compromise (BEC) scams this year.
The ACCC's Scamwatch has received reports of BEC scams totalling $2.8 million in the 10 months to November, up from $2.1 million the previous year.
An ACCC spokesperson told iTnews a further $600,000 is expected to be lost to BEC scams in November and December.
“This is a very sophisticated scam, which is why many businesses only realise they’ve been caught out once it’s too late,” ACCC deputy chair Delia Rickard said in a statement.
BEC scams typically occur when a business' email addresses are spoofed, or when its email accounts are compromised by scammers, so that any correspondence appears to come from the legitimate business.
The hacker then sends emails to customers claiming the business’ banking details have changed and that future invoices should be paid to a new account.
In other variations of the scam, the ACCC says the hacker will send an internal email to a business’ accounts team, pretending to be the CEO, requesting that funds be transferred to an off-shore account or that salary and rental payments be redirected.
BEC scams can cause significant financial harm, accounting for almost two-thirds of all business losses reported to Scamwatch.
The average loss per victim sits near $30,000. However, as more scams target conveyancers, real estate agents or law firms, as was the case with a PEXA property settlement earlier this year, losses can extend to hundreds of thousands of dollars.
“It’s a scam that targets all kinds of businesses, including charities and local sporting clubs. There is a misconception these scams target just small business, however the largest amount of reports and losses came from medium-sized businesses, including one that lost more than $300,000,” Rickard added.
“Effective management procedures can go a long way towards preventing scams, so all businesses should firstly be aware these scams exist and that their staff know about them too.
“They should consider a multi-person approval process for transactions over a certain dollar threshold and keep their IT security up-to-date with anti-virus and anti-spyware software and a good firewall.”
Rickard also recommended that businesses verify any change of account details directly with the supplier, using contact details other than those provided in the potentially fake email.
“Find older communications to ensure you have the right contact details or otherwise independently source them, so they can be sure they’re not contacting the scammer,” Rickard said.
The ACCC also recommended that businesses contact their financial institution and audit their email and data systems to make sure they are secure.
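The controls the ACCC describes above (hold any invoice whose bank details differ from the ones on file, confirm the change using independently sourced contact details rather than anything in the suspect email, and require a second approver above a dollar threshold) can be expressed as a simple payment gate. The following is an added example written for this page, not code from the ACCC, Scamwatch or iTnews; the vendor register, the invoice fields, the $10,000 approval threshold and the sample messages are all constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Vendor:
    """Supplier record from the accounts-payable master file (constructed data)."""
    name: str
    email_domain: str   # domain the supplier normally sends from
    bsb: str
    account: str
    phone_on_file: str  # sourced independently (contract, older mail), never from the email under review


@dataclass(frozen=True)
class Invoice:
    """Fields extracted from an emailed invoice (constructed sample data)."""
    vendor_name: str
    from_addr: str
    reply_to: str
    amount: float
    bsb: str
    account: str
    body: str


@dataclass
class Decision:
    release: bool
    flags: list[str] = field(default_factory=list)
    actions: list[str] = field(default_factory=list)


# Assumed policy: payments at or above this amount need a second approver.
DUAL_APPROVAL_THRESHOLD = 10_000.00

# Phrases typical of the "our bank details have changed" pretext.
CHANGE_PHRASES = ("banking details have changed", "new account", "updated bank details")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].strip().lower()


def vet_invoice(inv: Invoice, register: dict[str, Vendor]) -> Decision:
    """Decide whether an invoice may be paid as-is or must be held for out-of-band checks."""
    d = Decision(release=True)
    vendor = register.get(inv.vendor_name)
    if vendor is None:
        d.flags.append("vendor not in master file")
        d.actions.append("onboard vendor through the normal process before paying")
        d.release = False
        return d

    # Spoofing / compromise indicators on the message itself.
    if _domain(inv.from_addr) != vendor.email_domain:
        d.flags.append(f"sender domain {_domain(inv.from_addr)} != on-file {vendor.email_domain}")
    if inv.reply_to and _domain(inv.reply_to) != _domain(inv.from_addr):
        d.flags.append(f"Reply-To domain {_domain(inv.reply_to)} differs from From domain")

    # The core BEC signal: the account on the invoice is not the one on file.
    if (inv.bsb, inv.account) != (vendor.bsb, vendor.account):
        d.flags.append("bank account differs from master file")
    if any(p in inv.body.lower() for p in CHANGE_PHRASES):
        d.flags.append("email asserts a change of bank details")

    if d.flags:
        # Hold payment and verify with contact details that were NOT in the suspect email.
        d.release = False
        d.actions.append(f"call {vendor.name} on on-file number {vendor.phone_on_file} to confirm")
        d.actions.append("do not use any phone number or email address given in the invoice email")

    if inv.amount >= DUAL_APPROVAL_THRESHOLD:
        d.actions.append("second approver required before release")

    return d


# Constructed sample data: one legitimate invoice and one "bank details changed" attempt
# whose From address is spoofed correctly but whose Reply-To points at a lookalike domain.
VENDOR_REGISTER = {
    "Acme Conveyancing": Vendor("Acme Conveyancing", "acme-conveyancing.example",
                                "062-000", "12345678", "+61 2 5550 0100"),
}

LEGIT = Invoice("Acme Conveyancing", "accounts@acme-conveyancing.example",
                "accounts@acme-conveyancing.example", 4_800.00, "062-000", "12345678",
                "Invoice 1042 attached. Payment due in 14 days.")

SUSPECT = Invoice("Acme Conveyancing", "accounts@acme-conveyancing.example",
                  "accounts@acme-conveyanclng.example", 250_000.00, "033-999", "87654321",
                  "Please note our banking details have changed. Settlement funds to the new account below.")

if __name__ == "__main__":
    for label, inv in (("legit", LEGIT), ("suspect", SUSPECT)):
        result = vet_invoice(inv, VENDOR_REGISTER)
        print(label, "release" if result.release else "HOLD", result.flags, result.actions)
```

The gate deliberately never releases a payment on the strength of the email alone: a mismatch in account details or a "details have changed" claim always routes to a phone call on the number already on file, and the second-approver step applies regardless of whether anything looked suspicious.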