Business Email Compromise Scam
What is a Business Email Compromise scam?
A business email compromise scam, commonly known as a BEC, is when a business receives a legitimate-looking email, apparently from a supplier or someone within the business, requesting an urgent payment, payment of an invoice to a new account, or an update to account details.
How they contact you
Via a compromised email account, which could belong to a customer, a supplier or even your own business. Alternatively, the email may come from a similar-looking address that imitates a genuine one. A conversation may even be initiated by SMS.
What they're after
Scammers are waiting for the opportunity to initiate or redirect large payments.
Signs this may be a business email compromise scam
You receive an email/invoice from someone associated with your business requesting you update their account number.
Do not make any changes until you have verbally verified the request, using a number you have sourced yourself.
A CEO, executive or senior manager requests an urgent payment, or payment to a specific account.
Pause and verify. Always verbally confirm any request for an urgent payment or an account change received via email, regardless of who the sender appears to be.
A supplier or employee advises you they have not received payment.
Do not make any more payments until you have investigated the payment history and related emails to check whether any requests were made to amend account details.
- Train your employees regularly on how to spot scams.
- Empower them to question any request and check details are correct.
- Use multifactor authentication and dual payment approvals where available.
- Always verbally confirm any requests for urgent payments.
Who should I contact, and examples of business email compromise scams
Priya in human resources received an email from Simon, saying he was having technical difficulties with the HR system and could she change his bank account details.
After the next pay day, Simon called HR and complained about not being paid. HR advised Simon his pay had gone to his new account, per his recent email request. Simon advised he had not changed accounts and had not sent an email to do so.
Further investigations determined HR had received an email from an email address that appeared the same as Simon's and they had processed the change without verbally confirming the request.
Steve noticed his most recent invoice from a regular wholesaler contained a note to pay to their new BSB and account number.
He did not question this, as the invoice looked identical to all the others he had received. There was really nothing that made Steve question the request: it had come from the same email address, and all the other invoice details (invoice number, amount, etc.) were as expected.
When Steve received the next month’s invoice, he noticed it listed the last month’s balance as outstanding. Steve contacted his wholesaler and advised them he had paid it to the new account, as indicated on last month’s invoice.
After an investigation at the wholesaler, they found that their email account had been compromised a few months earlier and that other customers had received similar emails.
Steve ended up out of pocket close to $45,000 as the original invoice still had to be paid.
Penny had been on the phone to her boss Tom, closing out final details before he boarded the plane for his family holiday. He had told Penny he would be switching off his work phone but would be available for her to contact him on his personal mobile, in an emergency.
Not long after, Penny received an email from him advising that he needed her to make an urgent payment. Penny did not recognise the account to be paid, and thought it strange to receive this email from Tom, as they had finished their call just as the plane was about to leave.
Penny was hesitant to make the payment without speaking to Tom first: after hearing about other business scams at a recent scam seminar their bank had put on, they had put a process in place to confirm any new payment details.
She left a message on his personal phone to call her as soon as he got off the flight. Tom called back after landing and confirmed she did the right thing in waiting and checking, as he had not sent this request. By implementing scam education and empowering his employees to question email payment requests, Penny saved the business $83,000.
Things you should know
1. Delivery method percentages are based on the number of reports from 1 January 2020 to 31 October 2020. The data is sourced from the Australian Competition & Consumer Commission (ACCC) scam watch website and is based on reports provided to the ACCC by web form and over the phone.
*Examples are based on one or more real scam reports received by Westpac. For privacy purposes real names have not been used.