The Australian Securities and Investments Commission (ASIC) has warned small businesses to be alert for payment redirection scams. In these scams, scammers typically impersonate a legitimate business or its employees and email a request that an upcoming payment be redirected to a different, fraudulent bank account.
In some cases, this may involve the actual hacking of legitimate business email accounts to send scam emails. Other methods fraudsters use to carry out payment redirection scams include intercepting legitimate invoices and amending the bank details before releasing the email to the unsuspecting business customer, and registering email addresses that are very similar to those of a legitimate business.
According to the most recent scams activity report from the Australian Competition and Consumer Commission (ACCC), payment redirection scams were second only to investment scams in terms of financial losses, at $227m in 2021. This figure includes data from both individuals and businesses. Research also indicates that a third of scam victims do not make any reports, so the true cost of these scams is likely to be much higher.
However, looking at the business population alone, payment redirection scams take the top spot as the scam that caused the highest losses. Small businesses had the highest median loss of $3,812 per business and overall lost a total of $3.5m. ACCC data also points to false billing scams, a category that includes payment redirection reports, as a concern.
Overall, for the 2021 income year, 3,624 reports were received by the ACCC Scamwatch program from businesses. Of the total $13.4m lost by businesses, $7m can be attributed to micro (0-4 staff) and small (5-19 staff) businesses.
While the most common contact method for scams reported to the ACCC was phone or text message, bank transfers continued to be the most common payment method, with $129m reported lost. That is up 32% compared with the 2020 income year, in which only $97m was reported as lost.
Small businesses that have inadvertently fallen prey to a scam should take immediate action by contacting their financial institution to see if anything can be done to recover the money, and then reporting the scam to either Scamwatch or the Australian Cyber Security Centre. Financial institutions may be able to find out where the money was sent and block scam accounts. ASIC notes that businesses should also be wary of falling victim to a follow-up scam that offers to recover their lost money for a fee (i.e. money recovery scams).
Money recovery scammers will usually target victims of previous scams, promising to recover lost money in exchange for an up-front payment and/or seeking detailed personal information. They often contact previous victims uninvited and pose as trusted organisations such as a law firm, fraud taskforce, or a government agency. Some more sophisticated scams will have official-looking websites with fake testimonials.
Once the previous victims are convinced of the scam’s authenticity, the scammers will ask the victims to fill out false paperwork or provide identity documents as well as a payment. In some cases, they may also request remote access to computers and smartphones. Another tactic that these money recovery scammers may use is to make contact and attempt to convince a target that they have unknowingly been involved in a scam and are entitled to compensation or a settlement refund.