Business email compromise is on the rise. It’s one of the leading causes of financial loss due to fraud in Australia, and business owners cannot afford complacency, according to Macquarie Banking and Financial Services Associate Director Jonathan Martin.
“People trust too easily. You need to look at the details – even if an email looks and sounds familiar,” he told the audience at Macquarie Bank’s recent breakfast briefing on fraud awareness.
It’s advice worth heeding.
Scamwatch reports more than $5.5 million was lost to false billing or invoice scams in 2018. So how can you protect your business? Here are some common red flags to look out for.
- Changes to bank account details for regular clients or suppliers
- Payment urgency
- Request out of usual business hours
- Unusual terms, like ‘wire transfer’
- Vague payment purpose
- Unusually large sums of money.
It’s important to set up processes to handle these types of requests. Jonathan suggests steps should include:
- Ensure everyone in the business is aware of these fraud red flags and escalation points
- Segregate duties, so different people are responsible for requesting and authorising payments
- Obtain verbal confirmation if:
  - payment instructions are received via email
  - there is a request to change payment details, or
  - payment is requested outside of usual business.
“The telephone is one of the best anti-fraud tools we have. Please use it,” Jonathan emphasises.
Beyond fake invoice scams, businesses of all sizes can be vulnerable to malware and ransomware. “Malware is malicious software that can be downloaded inadvertently if an email attachment is opened or a link is clicked,” explains Jonathan. This is one way that malware can compromise a device. Some malware (worms) can spread through a network; some malware can pose as legitimate software.
Scammers then have access to your computer and could freeze your systems while files are encrypted. A payment demand may follow; malware used this way is called ransomware. Other malware, such as banking malware, may interfere with payments.
Look out for these warning signs before you click through:
- Does the sender have a webmail email address (such as Hotmail) rather than a business one?
- Is it addressed to ‘Dear Customer’ rather than your name?
- Does the email ask for more information than the sender would need (such as a driver’s licence number)?
- Does it include a very strong request for action involving clicking a link?
Your bank will never ask you for confidential information via email, like your PIN or date of birth. And even if a link looks like a website you trust, it’s safer to visit the website independently of the email.
“Typically, people think these things will happen to others and not them. It’s only when it does happen that it really hits home – and this can be a costly lesson for the business,” says Jonathan.
If you think you’ve been the victim of fraud, contact your bank straight away. Every day that you don’t report your suspicions lowers the chance of recovery.