Business Email Compromise Scam
What is a Business Email Compromise scam?
A business email compromise scam, commonly known as BEC, is when a business receives a legitimate-looking email, from a supplier or from someone in their own business, requesting an urgent payment, payment of an invoice to a new account, or an update to account details.
How they contact you
Via a compromised email account, which could belong to a customer, a supplier or even your own business. Alternatively, the email could appear to come from a similar-looking address. A conversation may even be initiated by SMS.
What they're after
Scammers are waiting for the opportunity to initiate or redirect large payments.
Signs this may be a business email compromise scam
You receive an email/invoice from someone associated with your business requesting you update their account number.
Do not make any changes until you have verbally verified the request, using a number you have sourced yourself.
A CEO, executive or senior manager requests an urgent payment, or payment to a specific account.
Pause and verify. Always verbally confirm any request for an urgent payment or account change received via email, regardless of who the sender appears to be.
A supplier or employee advises you they have not received payment.
Do not make any further payments until you have reviewed the payment history and related emails to check whether any requests were made to amend account details.
- Train your employees regularly on how to spot scams.
- Empower them to question any request and check details are correct.
- Use multifactor authentication and dual payment approvals where available.
- Always verbally confirm any requests for urgent payments.
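As an added illustration that is not part of the original page, the Python check below encodes the signs listed above as a pre-payment triage step: a display name that matches a known contact but arrives from a different address, a sender address within a character or two of one you have on file, and wording that asks to move money or change account details. The contact directory, addresses and message text are constructed for the example.

```python
import re

# Constructed directory of trusted contacts: display name -> address on file.
KNOWN_CONTACTS = {
    "Simon Lee": "simon.lee@example-corp.com",
    "Acme Wholesale Accounts": "accounts@acme-wholesale.example",
    "Tom Parker": "tom.parker@example-corp.com",
}

# Wording that signals a payment instruction or a change to where money goes.
PAYMENT_CHANGE_TERMS = re.compile(
    r"\b(new (bsb|account)|update (my |our )?(bank|account) details|"
    r"urgent(ly)? (payment|transfer|pay)|change (my |our )?bank)\b", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike addresses (e.g. one swapped letter)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_email(display_name: str, sender: str, body: str) -> list[str]:
    """Return the BEC warning signs found; an empty list means none was triggered."""
    reasons = []
    sender = sender.lower()
    on_file = KNOWN_CONTACTS.get(display_name)
    if on_file and sender != on_file.lower():
        reasons.append(f"display name '{display_name}' is known but the address differs from the one on file")
    # Look-alike check against every known address, not only the claimed contact.
    for addr in KNOWN_CONTACTS.values():
        d = edit_distance(sender, addr.lower())
        if 0 < d <= 2:
            reasons.append(f"sender is a near-match of known address {addr} (edit distance {d})")
            break
    if PAYMENT_CHANGE_TERMS.search(body):
        reasons.append("body requests a payment or a change of account details")
    return reasons
```

Note that an email sent from a genuinely compromised supplier account, as in the wholesaler example further down, passes both address checks and only trips the wording check, which is why the page insists on verbal confirmation using a number you sourced yourself rather than on any automated filter.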
Who should I contact and examples of business email compromise scams
Priya in human resources received an email from Simon, saying he was having technical difficulties with the HR system and asking whether she could change his bank account details.
After the next pay day, Simon called HR and complained about not being paid. HR advised Simon his pay had gone to his new account, per his recent email request. Simon advised he had not changed accounts and had not sent an email to do so.
Further investigation determined that HR had received an email from an address that appeared identical to Simon's, and that they had processed the change without verbally confirming the request.
Steve noticed his most recent invoice from a regular wholesaler contained a note to pay to their new BSB and account number.
He did not question this, as the invoice looked identical to all the others he had received. There was nothing that made Steve question the request: it had come from the same email address, and all the other invoice details (invoice number, amount, etc.) were as expected.
When Steve received the next month’s invoice, he noticed it listed the last month’s balance as outstanding. Steve contacted his wholesaler and advised them he had paid it to the new account, as indicated on last month’s invoice.
After an investigation, the wholesaler found that its email account had been compromised a few months earlier and that other customers had received similar emails.
Steve ended up out of pocket close to $45,000 as the original invoice still had to be paid.
Penny had been on the phone to her boss Tom, closing out final details before he boarded the plane for his family holiday. He had told Penny he would be switching off his work phone but would be available on his personal mobile in an emergency.
Not long after, Penny received an email from him, advising he needed her to make an urgent payment. Penny didn’t recognise the account to be paid, and thought it was strange to receive this email from Tom, as they had finished their call just as the plane was about to leave.
Penny was hesitant to make the payment without speaking to Tom first: after hearing about other business scams at a recent scam seminar run by their bank, they had put a process in place to confirm any new payment details.
She left a message on his personal phone asking him to call her as soon as he got off the flight. Tom called back after landing and confirmed she had done the right thing in waiting and checking, as he had not sent the request. Because Tom had implemented scam education and empowered his employees to question email payment requests, Penny saved the business $83,000.
Watch our helpful step-by-step video
As a business you need to constantly be on the lookout for scams.
Business Email Compromise is one of the most common types.
It's when criminals impersonate you, someone from your business or one of your suppliers, using similar names, domains or fake invoices.
The scammer might:
- pretend to be you, invoice a customer or a supplier, and have the payment made to their account details rather than yours;
- pretend to be a CEO or an employee from another company to get a payment from you; or
- pretend to be an employee and have a salary payment redirected.
There's a quick and easy way to make payments safer: register for a PayID using your ABN. If a customer or supplier then uses your PayID, they'll be able to verify that it's your business. PayID doesn't replace your BSB and account number; it's simply a safer way to pay, because your customers can be sure they are paying you and only you.
To set up PayID, head to the Westpac app.
Search for PayID
More information about how to create a PayID will appear on screen. Make sure you’re registered for Westpac Protect™ SMS Code or SecureID token and have an eligible account.
Your ABN and name will appear based on what we have on record.
You can select your ABN as your PayID type. This will mean that your PayID display name (or what will be returned to the customer) will be the legal name of your business, rather than its trading name.
Select the account you wish to add the PayID to. As a sole trader you can register up to two different PayIDs if you have two different business accounts and want one for each.
Then check the details and confirm you want to create a PayID.
PayID is now set up for your business!
Ask your existing customers or suppliers to use your PayID wherever possible.
And when paying someone new, protect yourself by asking them for their PayID (or BPay billing code).
For other ways to stay smart, safe, and secure from scammers visit the Westpac Security Hub.
Website link shown on screen: www.westpac.com.au/security
Things you should know
1. Delivery method percentages are based on the number of reports from 1 January 2020 to 31 October 2020. The data is sourced from the Australian Competition & Consumer Commission (ACCC) scam watch website and is based on reports provided to the ACCC by web form and over the phone.
*Examples are based on one or more real scam reports received by Westpac. For privacy purposes real names have not been used.