What is a payment redirection scam?

A payment redirection scam (also known as Business Email Compromise or BEC) is when a criminal impersonates a business or its employees via email and asks you to make a payment to an account the criminal controls. The email may be sent from a legitimate business email address that a criminal has accessed. In some instances, your own email account may have been compromised and a criminal is watching for payment-related emails. The criminal will then send you an email that appears very similar to one you may be expecting, but with changed account details, in the hope that you will make the payment without checking the change in bank details.

How big is the problem?

The Australian Competition and Consumer Commission’s (ACCC) Targeting Scams Report indicated Australian businesses lost $227 million to payment redirection scams in 2021, a 77% increase compared to 2020.

A case study

Jeremy* had recently purchased his first home. He was ecstatic and had been communicating with the real estate agent and the conveyancer regularly via email. He knew he was due to pay the deposit and made sure he had the finances available.

Jeremy received an email advising that he had to pay the funds for the deposit to the conveyancer’s trust account. As Jeremy was expecting a similar email, he didn’t look at it closely and simply transferred the funds.

Not long after Jeremy made the transfer, he decided to call the conveyancer directly and check they’d received the funds. The conveyancer explained he had not sent Jeremy an email. Jeremy then looked closely at the email address and realised it was slightly different to the conveyancer’s. The scammer had created an email account that was very similar to the conveyancer’s but had substituted a “1” with an “i”.

*Name has been changed for privacy reasons.

How to help protect yourself from payment redirection scams and BEC emails

  • Protect your email account with Multi-Factor Authentication (MFA). This adds an extra authentication layer to your email account. Learn more about MFA.
  • If you receive an email or an invoice that highlights changed bank account details, always contact the business or person directly to confirm their details have changed. Contact them through their official channels and not the number included in the email as this could be the scammer’s contact number. A quick phone call can save thousands.
  • Consider using a PayID® and ask the person you are paying if they have one. A PayID helps you identify directly who you are transferring funds to.
  • Learn how to identify phishing messages.
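
The look-alike address in the case study (a “1” swapped for an “i”) is something a mail filter or script can check for automatically by comparing each sender against addresses you have already verified. The following is an added example, not part of the original page; the function names, the character-folding table and the sample addresses are assumptions constructed for illustration.

```python
from __future__ import annotations

# Characters often swapped in look-alike addresses, folded to one form
# (assumed table for illustration; extend it for your own mail flow).
CONFUSABLES = str.maketrans({"1": "l", "i": "l", "0": "o", "5": "s"})

# Constructed sample contacts, e.g. taken from earlier verified correspondence.
KNOWN_CONTACTS = ["smithlaw1@mail.example", "agent@realty.example"]


def skeleton(address: str) -> str:
    """Reduce an address so visually similar characters compare equal."""
    folded = address.strip().lower().replace("rn", "m").replace("vv", "w")
    return folded.translate(CONFUSABLES)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one added, dropped or changed character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(sender: str, known: list[str]) -> tuple[str, str | None]:
    """Return (verdict, contact); verdict is 'known', 'lookalike' or 'unknown'."""
    sender = sender.strip().lower()
    contacts = [c.strip().lower() for c in known]
    if sender in contacts:
        # Exact match only; a genuine mailbox can still be compromised.
        return "known", sender
    for contact in contacts:
        if skeleton(sender) == skeleton(contact) or edit_distance(sender, contact) <= 1:
            return "lookalike", contact
    return "unknown", None


if __name__ == "__main__":
    for addr in ["smithlaw1@mail.example", "smithlawi@mail.example",
                 "agent@realtyy.example", "jeremy@home.example"]:
        print(addr, "->", check_sender(addr, KNOWN_CONTACTS))
```

A "known" verdict only means the address matches exactly, so changed bank details still need confirming through the business's official channels.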

Important information

PayID® is a registered trademark of NPP Australia Limited.