A Guide to Business Email Compromise scams and how to protect yourself
Business email compromise scams are an elaborate scheme costing Australian businesses $17 million in 2021. You might receive an email, text, or phone call from someone pretending to be one of your suppliers advising you that their billing information has changed. They will tell you that they recently switched banks and provide a new bank account number and BSB. Cleverly, the scammers will also replicate letterheads, logos, and company branding to appear legitimate.
Even to savvy business owners, this might appear as business as usual.
The challenging reality with business email compromise scams is that no one is aware they are a victim until after it has already happened. A supplier will ask you, sooner or later, why they are yet to receive payment, and only then will it occur that you have been a victim of this malicious scam.
Four warning signs of business email compromise
1. Change in bank account details
The first and most common red flag is the change in bank account details. Treat any email you receive advising of a change in your supplier's payment details with suspicion.
2. Change in grammar, quality of branding, letterheads and logos
Change in grammar, branding quality, letterheads and logos indicate that the scammer is trying to make the email look as legitimate as possible. Sometimes this cannot be 100% achieved without the original template, so a scammer will have to resort to lower quality. In some cases, however, the email can look identical.
3. Email received outside of an existing email thread
It is common to have an email thread between you and your regular supplier around organising payment. If you receive an email advising of bank detail changes outside your existing email thread, that should also raise suspicions.
4. Different email address
In some cases, the scammer might change one letter in the email address to something else, for example, email@example.com to firstname.lastname@example.org.
Ultimately any email advising you of updated bank account details should be treated with the utmost caution.
What to do if you receive an email advising of updated bank account details
- Do not respond to the email. In most cases, the hackers have an elaborate method of masking their actual email with your supplier’s email. It is very likely that if you do respond, your regular supplier will not receive the email.
- Follow up with a known, trusted contact from your supplier, either via a new email addressed to them or a phone call. They will be able to verify the changes.
- Lastly, if you suspect that you may potentially be a victim of a business email scam, report the email to the ACCC.
How to protect yourself
- Understand the warning signs and remain vigilant.
- Stay up to date with the latest scams by regularly checking Scamwatch
- Consider a multi-person approval process for payments over a certain threshold with a known, trusted individual from your supplier.
- Stay up to date with the latest cyber security software to protect your personal information.