
SCAM SPOT: Has your biller been hacked?

03:00pm May 30 2023

In the 8th episode of Westpac Wire's Scam Spot series, head of fraud and financial crime insights Ben Young shares tips on how to avoid falling for business email compromise scams. (Thomas Evans)

In the lead-up to paying a deposit on a new house, you receive an email from a familiar address, your solicitor, with the payment invoice. Even though you triple-check that the amount, BSB and account number are correct, you end up paying the wrong person.

You may have been sent altered details to begin with – and that large sum has now gone to a scammer.

Business email compromise scams, or payment redirection scams, happen when a recipient receives a legitimate-looking email requesting a payment to new or updated account details.

In 2022, these scams saw Australians lose a total of $224 million. 

A scammer gets into the system of a supplier or conveyancer, intercepts the email requesting the payment of an invoice, and makes changes. The letterhead is correct, and the business name and email address remain the same, but the BSB and ABN are new. A trap has been set for the victim to pay directly into the rogue account.

This scam is perpetrated against all businesses but is particularly effective against those that receive large one-off payments from individuals, such as a conveyancer receiving a house deposit or a builder being paid for a renovation.

This is perhaps the hardest scam to spot, since it’s usually an expected bill, and victims can lose millions in a single transaction.

Here are a few tips to avoid falling for the trap:

Verify any banking information verbally when receiving requests for new, urgent, or redirected payments and ensure you verify through a phone number you have sourced yourself. Do not call a number provided to you within the email or invoice.

Request to pay suppliers using a PayID. PayID displays the registered payee name, so if it's not your intended recipient you will know.

Use multifactor authentication and dual payment approvals where available. If you are a small business, ensure email servers are secured with two-factor authentication to prevent people from hacking into your email and sending out fake invoices. It’s also crucial to ensure that staff are well trained and know not to click on any strange emails.

It’s important to remember that all electronic communication platforms can be hacked. Being aware that scams can come from seemingly trusted sources can save you a whole world of trouble.

For information on the latest scams, go to Westpac's Latest Scams & Alerts info.

Ben Young is Westpac’s Head of Fraud and Financial Crime Insights. Ben’s team researches and operates Westpac’s key fraud protection processes for the ~25 million transactions processed each day by the bank, particularly around credit cards, internet banking, branch and applications for credit. Ben has been intimately involved in Westpac’s fraud processes since 2007 and has worked in various data-led risk processes since 1997.
