Scamwatch has urged businesses to urgently review how they both verify and pay accounts and invoices, as sophisticated hacks targeting businesses’ emails continue to soar.
Law firms are listed among the businesses being targeted, along with conveyancers and real estate agencies, with the ACCC noting an increase in hackers intercepting house deposits sent to them.
The tactic is commonly referred to as a business email compromise (BEC) scam, which is when a hacker “gains access to a business’s email accounts, or ‘spoofs’ a business’s email so their emails appear to come from the company”, the ACCC said in a statement.
“The hacker then sends emails to customers claiming that the business’s banking details have changed and that future invoices should be paid to a new account. These emails look legitimate as they come from one of a business’s official email accounts. Payments then start to flow into the hacker’s account.”
In other variations of the scam, the hacker will send an email internally to a business’s accounts team, pretending to be the CEO and asking for funds to be urgently transferred to an off-shore account. Hackers can also request that salary or rental payments be directed to a new account, the statement explained.
ACCC deputy chair Delia Rickard explained there are some measures businesses can take to help combat the risk of being scammed.
“Effective management procedures can go a long way towards preventing scams, so all businesses should firstly be aware these scams exist and that their staff know about them too,” Ms Rickard said.
“They should consider a multiperson approval process for transactions over a certain dollar threshold and keep their IT security up-to-date with anti-virus and anti-spyware software and a good firewall.
“Businesses should also check directly with their supplier if they notice a change in account details. It’s vital businesses don’t do this just by return email or using other contact details provided. Find older communications to ensure you have the right contact details or otherwise independently source them, so they can be sure they’re not contacting the scammer,” Ms Rickard said.