Be alert for impersonators of third-party suppliers
Fraudsters posing as CEOs or third-party suppliers have cost Western Australian businesses and not-for-profit organisations more than $2 million in the last two years, prompting a warning about payment redirection scams, otherwise known as ‘man in the middle scams’.Alarm bells should ring if a supplier of services or goods contacts your organisation to provide new bank account details for you to pay them.
Your staff should be urged to check any unusual requests from suppliers by using their known contact details, rather than via any email addresses or phone numbers included in the message.
How the scam works
- Scammers research the target organisation and its suppliers. This research may involve phone calls to the organisation asking for the name of staff members involved with finance or payment of invoices.
- They may also send emails with links to ‘phish’ for information, install spyware on the recipient’s computer or infiltrate their wider network.
- The scammers then pretend to be a supplier who has carried out work or provided products for the organisation.
- They ask for a change to the payment process and supply alternative bank account details for the money to be transferred to. The new account actually belongs to the scammers.
How to protect yourself
- If you receive a phone call, email or letter from a supplier seeking a change to the bank account details you use to pay them, be suspicious!
- Call the sender to confirm the authenticity of the request and the account details. Use previously known contact numbers or the correct, verified number from the supplier’s website. It is vitally important not to use contact details contained in the email or letter as they may be fake and put you in touch with the scammers instead of the supplier.
- When responding to emails, use the forward button instead of reply, and manually type or select the address from your address book. This will help you make sure you are communicating with a known contact.
- A BSB search, which can easily be done online, will reveal details about a bank account you have been asked to send to.
- The account name you type in when transferring money has no bearing on the transaction, which is based on the account numbers only.
If your business has been affected
Successful fraud attempts - in which money has been transferred or lost - should be reported to WA Police Major Fraud Squad on 131 444 as soon as possible.
If you were targeted but did not send any money, report the matter to WA ScamNet so the information provided can be noted for future warnings. WA ScamNet may also refer details to the police.
Make sure you alert the genuine supplier and your own staff about the attempted fraud.
You are also strongly encouraged to run a virus scan on any computer that has received scam email.
Real stories reported to WA ScamNet
December 2019 - $5,200 loss
A payment interception or “man in the middle” scam led to a Yangebup association paying $5,200 - meant for suppliers who had provided services for a Carols by Candlelight event - into the wrong bank accounts. The association’s email account had been hacked and the scammers diverted invoices as they arrived. The scammers then doctored the invoices by altering the bank account details and put the fake invoices in the email inbox as though they had come from the genuine suppliers. The association made payments to the scammers’ bank accounts and only released when the real suppliers got in touch to say they hadn’t been paid. See 7 News Perth coverage of the scam.
September 2018 - $65,000 loss
A Perth motor vehicle dealership lost $65,000 after being stung by a ‘man in the middle’ scam involving the payment of an invoice to a bank account that had been changed. After making a purchase from a supplier the dealership received an invoice with correct bank details. A week later an email request, sent by scammers, was received asking to direct the funds to a new bank account. The dealership asked that the request be made on company letterhead which was supplied. An unsuccessful attempt was made to get a verbal confirmation of the change and the payment was made regardless. The scam wasn’t detected until the real supplier later queried the non-payment of the invoice. See full media statement Perth car dealer loses $65,000 to an invoice payment scam on the DMIRS website.
Scam attempt interrupted
An architecture business reported that a client had advised them of a phone call and follow up letter from a scammer claiming to be from the architecture business. The email address given was a slight variation of the true email address; it had a hyphen and ended in dot com rather than dot com dot au but other than that it was identical.
Scam email address: Xyz-australia.com Real email address: Xyzaustralia.com.au
Business called to report identity theft after a client received an amended invoice where the bank details for payment had changed. The client made payment to the scammers (via an Australian bank account) and was refusing to pay the real business money owed. A computer technician found the email account of the business had been hacked.
$3,700 scam attempt interrupted
Scammers posed as the President of an Association having ascertained the person was away and communicating electronically. They used a spoofed version of the President’s email address that looked the same but replied to the scammers. The scam email asked the Treasurer to organise a $3,700 payment that sounded like a normal arrangement, except unbeknownst to the Treasurer, the bank account details were for an account belonging to the offenders. Instead of hitting reply, the Treasurer typed the email address for the President in the ‘To’ box. This broke the communication with the scammers and meant the Treasurer sent an email to the President’s true account. The President didn’t know what payment the Treasurer was talking about. At this point they realised there was a hack of the email accounts.
$15,000 scam attempt interrupted
The Treasurer at a not-for-profit received an email from a team member seeking urgent payment of an invoice for $15,000. The attachment was an exact copy of a usual invoice and the only change was the bank account details. The Treasurer phoned the team member to discuss the payment only to find the team member had not sent the email.