Potential cost of scams to your business

The threat of email scams for businesses is very real and it’s growing. According to the Australian Competition and Consumer Commission (ACCC), in 2022 Australians reported $224 million in losses attributed to business email compromise (also known as payment redirection scams). This is one of the scams causing the biggest impact to Australian businesses.

Based on the ACCC's report, the most financially damaging business email compromise scams involve invoices between businesses, suppliers or individuals being intercepted and amended with fraudulent banking details.

Types of email-based scams

Business Email Compromise (BEC)

Business email compromise occurs when an organisation’s email account is taken over by criminals to conduct fraudulent activities such as sending fake invoices, requesting updates to bank account details, or intercepting and altering inbound payment details.

Criminals often gain access to business email accounts by sending a phishing email which appears to come from a trusted organisation or contact. This email might request the recipient's email account username and password, or ask them to click on a link which downloads malicious software to their device. Often the email has been sent from a trusted contact whose own email account has been compromised. The other common way criminals obtain usernames and passwords is when those credentials have been exposed in a data breach.

Invoice scams

In invoice scams, a business or individual receives an emailed invoice from a supplier whose email account has been compromised by a criminal. The criminal has altered the payment details on the invoice to an account they control. As the invoice looks legitimate, the recipient may not question the payment details and may send the payment to the account controlled by the criminal.

Often the contact number on the invoice has also been altered.

Another variation of an invoice scam is when a business receives a request from a supplier to cancel a recent payment or update the bank account details held on file and is asked to make the payment to a new account.

Case study – Ben’s invoice scam

Watch the video of Ben's story to learn how easy it is to be scammed by criminals targeting businesses, and the effect this has on real businesses. A transcript of the 'Know the red flags of invoice scams' video is also available.

CEO scams

Also known as ‘CEO phishing’, a CEO scam is when an email appears to come from a senior person in a business such as a Chief Executive Officer (CEO) or Chief Financial Officer (CFO), requesting an urgent transfer of funds.

By making the email appear to come from a senior person, the criminals hope the recipient will action it quickly without verifying the request.

These emails may come from the real executive’s email account if it’s been compromised or from a very similar email address.

In the example CEO scam email, the red flags to look out for are the sender's email address, which is a Gmail account rather than the organisation's email address, and the CEO's name, which is misspelled.

Payroll Scams

Another type of email scam is the payroll scam, where the email account of an employee is imitated or compromised, and an email is sent to their employer requesting an update to their bank account details for their salary. Criminals are opportunistic and looking for people to act on messages being sent, so keep an eye out for urgent requests to update payroll details. These scams can also be carried out via a phone call, so having a validation process for each channel is recommended. Best practice is to verbally confirm over the phone (using a known phone number) or face to face.

How do email scams work?

Criminals target email communication as it's a common way individuals and businesses exchange information. For criminals, email is a scalable way to target many people at one time, but it can also be used to target a single individual in a spear-phishing attack.

Criminals want their messages to appear genuine, so they’re specifically created to trick the recipient into taking some sort of action.

These messages may be sent from:

  • a contact that you know but the request is unusual or requesting a change of account details or payment to a new bank account.
  • a simple email address such as ‘iamtheceo1@gmail.com’.
  • an email address very similar to the senior businessperson the criminal is impersonating, but with a slight variation which is easy to miss. For example, john@s1ight.com.au instead of john@slight.com.au.
  • what appears to be the correct email address, but when you reply, the email is sent to a different reply-to address.
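The four red flags in the list above can each be checked from a message's headers and body before anyone acts on it. The following is an added example, not NAB's code or tooling: a small Python checker that flags a free webmail sender, a domain that closely resembles a trusted supplier domain, a Reply-To that differs from the From address, and a known contact asking for a change of payment details. The trusted domain (slight.com.au, taken from the example above), the phrase list and the sample messages are constructed for the example.

```python
"""Header-level red-flag checks for incoming mail (added example; addresses constructed)."""
import difflib
from email import message_from_string
from email.utils import parseaddr

# Constructed allow-list: domains the business genuinely corresponds with.
TRUSTED_DOMAINS = {"slight.com.au"}          # assumed supplier domain from the example above
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
# Phrases typical of a payment-redirection request (constructed, not exhaustive).
PAYMENT_CHANGE_PHRASES = ("new bank account", "updated bank details",
                          "change of account", "update our account details")


def domain_of(address: str) -> str:
    """Lower-cased domain part of an email address ('' if malformed)."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def lookalike_domain(domain: str, trusted=TRUSTED_DOMAINS, threshold: float = 0.85):
    """Return the trusted domain that `domain` closely resembles, or None.

    An exact match is not a lookalike. Similarity is difflib's ratio
    (2 * matching chars / total chars), so s1ight.com.au vs slight.com.au
    scores 24/26 (about 0.92) and is flagged, while unrelated domains are not.
    """
    if domain in trusted:
        return None
    for t in trusted:
        if difflib.SequenceMatcher(None, domain, t).ratio() >= threshold:
            return t
    return None


def red_flags(raw_message: str) -> list:
    """Return the red flags found in one message given as raw RFC 5322 text."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_dom = domain_of(from_addr)
    flags = []
    # Bullet 2: a simple free webmail address posing as a business sender.
    if from_dom in FREEMAIL_DOMAINS:
        flags.append(f"freemail sender: {from_addr}")
    # Bullet 3: a slight variation on a trusted domain.
    hit = lookalike_domain(from_dom)
    if hit:
        flags.append(f"lookalike domain: {from_dom} resembles {hit}")
    # Bullet 4: replies silently routed somewhere other than the From address.
    if reply_to and reply_to.lower() != from_addr.lower():
        flags.append(f"reply-to mismatch: replies go to {reply_to}")
    # Bullet 1: a genuine contact, but an unusual request to change payment details.
    body = msg.get_payload()
    body = body.lower() if isinstance(body, str) else ""
    if from_dom in TRUSTED_DOMAINS and any(p in body for p in PAYMENT_CHANGE_PHRASES):
        flags.append("known contact requesting a change of payment details")
    return flags


# Constructed sample messages, one per bullet in the list above.
SAMPLES = {
    "known_contact_new_account": (
        "From: John <john@slight.com.au>\nSubject: Invoice 1042\n\n"
        "Hi, please note our new bank account details for this invoice.\n"),
    "freemail_ceo": (
        "From: The CEO <iamtheceo1@gmail.com>\nSubject: Urgent transfer\n\n"
        "Need a transfer done today, will explain later.\n"),
    "lookalike": (
        "From: John <john@s1ight.com.au>\nSubject: Invoice 1042\n\n"
        "Updated invoice attached.\n"),
    "reply_to": (
        "From: John <john@slight.com.au>\nReply-To: john.slight@outlook.com\n"
        "Subject: Re: Invoice 1042\n\nCan you confirm the payment date?\n"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", red_flags(raw) or ["no flags"])
```

A flag from this check is a prompt to verify the request by phone on a number already on file, not proof of fraud; the similarity threshold and phrase list are deliberately simple and would be tuned to a business's own suppliers.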

Take these simple steps to protect your business

1. Empower your team

Your employees are the first line of defence against cyber-attacks. Teach them to recognise and know what to do with suspicious emails, text messages, and phone calls. Criminals try to convey authority by impersonating someone senior in your business or create panic by insisting a matter is urgent.

Empower your employees to trust their instincts and question emails, even if they appear to have come from someone senior. If an email request doesn't sound right, is unexpected, presses for urgent action, or has an unusual tone, staff should be encouraged to question it. No one knows their colleagues, clients and suppliers better than your team. You can always invite your team to join one of our free monthly cyber security webinars for business.

2. Raise awareness

Help your people understand more about the tricks and scams of fraudsters. If your business gets a CEO phishing email or fake invoice, share it around so your employees know what to look out for in the future. For handy tips and tools, check out raising employee awareness.

3. Create safe payment processes

It’s important that your business verifies payment requests or changes to payment details. Create a process that requires the receiver to check the requester’s email address carefully, and to call them to confirm the request using the contact details you have on file. This is especially important if payment details have changed, or if a request seems out of the ordinary.

Once confirmed via calling a known or publicly listed number, you can safely action payments or changes to account details.

4. Check your email settings

Check your email account settings for any auto-forward rules that you didn’t set up yourself, as this can be a sign that emails are being forwarded to another account. Also check the ‘Sent’ and ‘Deleted’ folders periodically for emails you did not send. If they are empty, this can be a sign that evidence is being deleted.

5. Keep your software up-to-date

Cyber criminals always try new ways to outsmart anti-virus software, so it's vital you have the most up-to-date version. Set your anti-virus software to auto-update so it's always current, and keep the apps on your computers and devices up to date, too.

To find out more about protecting your hardware and software, see the basics of computer security.

You can also take advantage of NAB’s offer for business customers for discounted ‘Cisco Umbrella’ security software.

6. Use strong passwords and multi-factor authentication

Using strong passwords and multi-factor authentication (MFA) will protect the security of your email account. MFA (sometimes also called two-factor authentication) means adding an extra layer of security by using an extra authentication method, such as a code sent to your mobile phone via SMS. This means that even if someone steals or guesses your password, they won’t be able to get into your account because they won’t have the MFA code.

Read about six simple ways to protect your passwords and multi-factor authentication for more details.

7. Review your business's online profile

Do an audit and limit the amount of publicly available information on your organisation’s websites and social media pages, such as LinkedIn. Focus on minimising the display of your employees’ contact details.

8. Talk to your Business Banker

If you're a business customer using NAB Connect, ask your banker how to turn on features which can add extra layers of security to protect your funds. Consider turning on segregation of duties, which means one person can't both create and approve payments over a certain size, or dual authorisation. An extra pair of eyes can be useful for spotting mistakes or fraud attempts.

9. Set up your PayID®

PayID gives business owners a powerful tool to help customers and business partners easily and safely transfer funds without the hassle of entering an account number and BSB. PayID is tied to your phone number, email address or ABN.

Using PayID can help reduce the risk of fraud or payments being sent to the wrong account as you can see the name of the person or business when paying. Consider setting up your official business PayID to streamline and secure your transfers. Read more about PayID for business.

10. Take advantage of the free small business cyber assessment tool and other offers

We've partnered with Microsoft to deliver a free cyber assessment tool to help your business determine and improve its cyber maturity. The free, tailored self-assessment takes under two hours to complete and will provide a risk-based report to help you identify potential gaps and mitigate your risks. Also review other business offers from our partners that are accessible via the Security tab.

Helpful resources

If you’ve been scammed

If you’re a NAB customer and you believe your business has been impacted by fraud or a scam, contact us on 13 10 12 (for Internet Banking users) or the NAB Connect Client Centre on 1300 888 413.

Security advice, report a cyber crime or online incident

Visit the Australian Cyber Security Centre.

Latest scams or report a scam

Visit Scamwatch.

To protect your business online

Visit our Security Hub.

Important information

PayID® is a registered trademark of NPP Australia Limited.