How to Spot and Stop Business Email Scams Before They Strike


  • Business Security
  • Fraud Prevention
  • Email Safety

Learn how to protect your Australian business from email compromise scams. Discover the warning signs of fake invoices, hijacked accounts, and impersonation tactics that could cost you thousands.

The Growing Threat of Business Email Compromise in Australia

Business email compromise has emerged as one of the most prevalent and costly scams targeting Australian companies today. The scenario plays out with alarming frequency across the country: a business processes what appears to be a routine payment to a trusted supplier, only to discover later that the invoice was fraudulent, the banking details had been altered, and the money has vanished into the hands of sophisticated scammers.

According to James Roberts, a scams and fraud expert at CommBank, these attacks typically begin with a deceptively authentic email that appears to originate from a familiar source. The message might seem to come from a regular supplier, a senior executive within the organisation, or even the company's own financial controller. The level of detail and authenticity can be remarkably convincing, featuring accurate company logos, appropriate email signatures, and the correct tone and language that the impersonated party would typically use.

Understanding How Scammers Operate

Behind these convincing facades, criminals employ two primary tactics to execute business email compromise scams. The first involves hijacking legitimate email accounts through phishing attacks or malware, allowing scammers to send messages from genuine email addresses. The second method relies on creating nearly identical email addresses that closely mimic real ones, banking on the recipient not noticing subtle differences in spelling or domain names.

The financial impact of these scams can be devastating for businesses of all sizes. Individual incidents have cost Australian companies tens of thousands of dollars, with some larger operations losing significantly more. Beyond the immediate financial loss, businesses face additional costs related to investigation, potential legal issues, damaged supplier relationships, and the time required to recover from such incidents.

Critical Warning Signs to Watch For

Recognising the warning signs of business email compromise is essential for protecting your organisation. Several red flags should immediately trigger additional scrutiny before processing any payment or changing banking details. The first warning sign involves slight variations in email addresses. Scammers often create addresses that differ by just one character from legitimate ones, such as substituting the number zero for the letter O, or adding an extra letter that might go unnoticed during a quick glance.
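The character-swap trick described above (a zero for the letter O, one extra letter) is something an accounts team can check for mechanically before a human ever reads the message. The script below is an added example written for this article, not code from the article's author or from CommBank; it assumes a constructed list of known supplier and executive addresses and a constructed sample message. It folds common look-alike characters back to letters, measures how far a sender address is from each address on file, checks whether the Reply-To header points somewhere other than the From address, and scans the subject and body for the urgency, bank-detail and confidentiality language the following sections describe. Its output is a prompt to verify out of band, not a verdict.

```python
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Constructed sample data: addresses the business already has on file.
KNOWN_CONTACTS = {
    "accounts@northwind-supplies.com.au",
    "cfo@examplecorp.com.au",
}

# Digits that scammers substitute for visually similar letters.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

# Phrases drawn from the warning signs: urgency, changed banking details, secrecy.
RED_FLAG_PHRASES = ("urgent", "bank details", "bsb", "account number", "confidential")


def normalise(addr: str) -> str:
    """Lower-case, strip accents and fold look-alike characters so that
    'n0rthwind' and 'northwind' compare equal."""
    addr = unicodedata.normalize("NFKD", addr)
    addr = "".join(c for c in addr if not unicodedata.combining(c))
    return addr.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one added or swapped character scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(addr: str, known=KNOWN_CONTACTS) -> str:
    """'known' = exact match on file; 'lookalike' = within two edits of a
    known address after normalisation; otherwise 'unknown'."""
    if addr.lower() in {k.lower() for k in known}:
        return "known"
    n = normalise(addr)
    if any(edit_distance(n, normalise(k)) <= 2 for k in known):
        return "lookalike"
    return "unknown"


def _body_text(msg) -> str:
    """Collect the plain-text parts of a parsed message."""
    if msg.is_multipart():
        return " ".join(
            p.get_payload(decode=True).decode("utf-8", "replace")
            for p in msg.walk() if p.get_content_type() == "text/plain"
        )
    payload = msg.get_payload(decode=True)
    return payload.decode("utf-8", "replace") if payload else ""


def analyse_message(raw: str, known=KNOWN_CONTACTS) -> dict:
    """Score a raw RFC 5322 message and decide whether it must be held
    for out-of-band verification before any payment is processed."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    text = (msg.get("Subject", "") + " " + _body_text(msg)).lower()

    status = classify_sender(from_addr, known)
    reply_to_mismatch = bool(reply_to) and reply_to.lower() != from_addr.lower()
    red_flags = [p for p in RED_FLAG_PHRASES if p in text]
    # Any banking-detail change is verified regardless of who appears to send it.
    bank_change = any(p in red_flags for p in ("bank details", "bsb", "account number"))

    return {
        "from": from_addr,
        "sender_status": status,
        "reply_to_mismatch": reply_to_mismatch,
        "red_flags": red_flags,
        "hold_for_verification": status != "known" or reply_to_mismatch or bank_change,
    }


# Constructed sample message illustrating a single-character look-alike domain.
SAMPLE_EMAIL = """\
From: Northwind Accounts <accounts@n0rthwind-supplies.com.au>
Reply-To: accounts@n0rthwind-supplies.com.au
To: payables@examplecorp.com.au
Subject: URGENT - updated bank details for invoice 4471

Hi, please note our BSB and account number have changed. Pay the attached
invoice to the new account today to avoid a late penalty. Please keep this
confidential until the changeover is complete.
"""

if __name__ == "__main__":
    for key, value in analyse_message(SAMPLE_EMAIL).items():
        print(f"{key}: {value}")
```

The two-edit threshold in `classify_sender` is a tuning choice: tighter thresholds miss an extra letter plus a digit swap, looser ones flag unrelated colleagues whose addresses happen to be similar. Because every hold still ends in a phone call to a number already on file, erring towards flagging is the cheaper mistake.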

Urgent requests represent another significant warning sign. Scammers frequently create artificial time pressure, claiming that immediate action is required to avoid penalties, secure discounts, or prevent service disruptions. This urgency is designed to bypass normal approval processes and encourage quick action without proper verification. Any communication requesting changes to established banking details should be treated with heightened suspicion, particularly if the request arrives via email rather than through previously established channels.

Instructions to circumvent standard approval procedures also warrant immediate attention. Legitimate suppliers and colleagues understand and respect established business processes. Messages suggesting that normal protocols should be skipped for convenience or speed often indicate fraudulent activity. Similarly, requests for confidentiality or instructions not to discuss the matter with other team members should raise immediate concerns.

Essential Prevention Strategies

Implementing robust verification procedures represents the most effective defence against business email compromise. The single most important step involves confirming any new or changed payment details through a phone call to a trusted contact. This phone call must use a number already on file within your organisation, never contact information provided in the suspicious email or on a potentially fraudulent invoice. This simple action serves as a critical checkpoint that can prevent scams before money changes hands.

Establishing clear internal protocols ensures consistent handling of financial transactions across your organisation. These protocols should require multiple approvals for significant payments, mandate verification of any banking detail changes regardless of the apparent source, and create clear escalation paths when unusual requests arise. Regular training helps ensure all staff members understand these procedures and recognise their importance in protecting company assets.

Email security measures provide an additional layer of protection. Implementing multi-factor authentication makes it significantly more difficult for scammers to hijack legitimate email accounts. Email filtering systems can identify and quarantine suspicious messages before they reach employee inboxes. Regular security updates and patches address vulnerabilities that criminals might exploit to gain access to company systems.

What to Do If You Suspect a Scam

When you encounter a potentially fraudulent email, taking immediate action can prevent financial loss and protect others. Stop all processing related to the suspicious request and do not make any payments or provide sensitive information until the matter has been thoroughly investigated. Contact the supposed sender using verified contact details from your existing records, never using information from the questionable email itself.

Document everything related to the suspicious communication. Save the original email with all headers intact, take screenshots of any related correspondence, and record the dates and times of all relevant events. This documentation proves invaluable if the matter requires reporting to authorities or if your organisation needs to pursue recovery options.

Report suspected scams to relevant authorities promptly. The Australian Cyber Security Centre accepts reports through its website, whilst the Australian Competition and Consumer Commission's Scamwatch provides another reporting avenue. If you have already transferred funds, contact your financial institution immediately, as it may be able to halt the transaction or assist with recovery efforts.

Protecting your business from email compromise scams requires vigilance, clear processes, and a healthy scepticism towards unexpected financial requests. By implementing strong verification procedures, training your team to recognise warning signs, and maintaining robust security measures, you can significantly reduce your organisation's vulnerability to these increasingly sophisticated attacks. Remember that a brief phone call to verify unusual requests represents a small investment of time that could save your business thousands of dollars and considerable disruption.