Email Payment Scams: How to Spot and Prevent BEC Fraud
Email payment scams are costing Australian businesses tens of thousands of dollars every year.
Could your business be the next target?
When you or your staff are paying an invoice, how do you know you are paying to the right account? Can you be sure that the sender’s email hasn’t been compromised?
Email Payment Scams, or Business Email Compromise (BEC), are one of the most reported cyber crimes in Australia. For a small business the loss can be devastating, but with the right awareness and procedures you can significantly reduce the risk.
What is Business Email Compromise (BEC)
BEC is the practice of using email to scam people and businesses out of money or information. It takes two main forms: ‘spoofing’, where the attacker forges the sender address, uses a familiar display name, or registers a lookalike domain so the email appears to come from someone you trust; and account compromise, where the attacker gains access to a real business mailbox and uses it to send fraudulent invoices or requests for information. The second is harder to spot, because the email genuinely comes from the supplier’s address.
These scams are evolving and becoming more sophisticated each year.
Common Types of Email Payment Scams
Invoice Fraud or Supplier Payment Scams
A supplier’s email account may be compromised and you may receive an email advising of a ‘new bank account’. Or an attacker sitting inside the supplier’s mailbox may intercept a legitimate invoice and change the BSB and account number before it reaches you, so the invoice itself is real and only the payment details are false.
When I worked in banking I saw both sides. Some businesses spotted the scam in time, while others unknowingly sent thousands of dollars to a fraudster’s account - money that could not be recovered.
These scams can look very real, complete with legitimate branding, correct invoice numbers and attachments or quoted text from previous email chains.
Employee Impersonation
Scammers also impersonate staff members. They will go so far as to monitor their target’s movements via social media. When they see someone is away they will send an ‘urgent’ or ‘confidential’ request along the lines of
‘I’m stuck at this conference and can’t get to my computer to approve this invoice but it’s urgent, can you please pay it immediately’.
Because it feels time sensitive and personal, employees may act before verifying.
How to Prevent BEC Scams
Human error is the biggest risk when it comes to cyber crime.
Ongoing awareness and training are your first line of defence.
Train staff regularly - don’t rely on one-off training.
Use strong, unique passwords and Multi-Factor Authentication (MFA) on every mailbox, so a stolen password alone is not enough to take over an account.
Install spam filters, antivirus and firewalls, and make sure your email domain has SPF, DKIM and DMARC set up so that forged messages claiming to be from your business are rejected.
Always verify supplier details independently (never rely on contact information in the suspicious email, as the attacker controls it).
Treat supplier bank account changes with caution - confirm by phone, calling back on a number you already have on file, not one quoted in the email.
Document payment procedures with clear authorisations and dual approvals, so no single person can change supplier details and release a payment on their own.
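The checks above can be partly automated before a human picks up the phone. The following is an added example written for this article, not code from the original page or from Ellevate Solutions: it triages a ‘new bank account’ email for the three signs discussed earlier, a lookalike sender domain (spoofing), a Reply-To that silently routes replies elsewhere, and bank details that differ from what accounts payable already holds. The vendor master file, the domains and both sample emails are constructed for the demo and are assumptions, not real suppliers.

```python
"""Triage a supplier 'new bank account' e-mail before anyone pays it.

Added example for this article, not code from the original page. The vendor
master, sample messages and domains below are all constructed for the demo.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from typing import Dict, Iterable, List, Optional

# Constructed vendor master: the details accounts payable already holds (assumed).
VENDOR_MASTER: Dict[str, Dict[str, str]] = {
    "acme-supplies.example": {"bsb": "062-000", "account": "12345678"},
}

# Characters commonly swapped to build lookalike domains (0/o, 1/l, rn/m, vv/w ...).
_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "i": "l", "|": "l", "5": "s", "3": "e"})
_BSB_RE = re.compile(r"\bBSB[:\s]*(\d{3}-?\d{3})\b", re.I)
_ACCT_RE = re.compile(r"\bAccount(?: number| no\.?)?[:\s]*(\d{6,10})\b", re.I)


def skeleton(domain: str) -> str:
    """Collapse confusable characters so lookalikes compare equal to the real domain."""
    return domain.lower().translate(_CONFUSABLES).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, for catching one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, known: Iterable[str]) -> Optional[str]:
    """Return the known supplier domain this one imitates; None if exact or unrelated."""
    known = set(known)
    if domain in known:
        return None
    for k in known:
        if skeleton(domain) == skeleton(k) or edit_distance(domain, k) <= 2:
            return k
    return None


def domain_of(header_value: str) -> str:
    """Domain part of the address inside a From or Reply-To header."""
    return parseaddr(header_value)[1].rsplit("@", 1)[-1].lower()


def triage(raw_email: str, vendor_master: Dict[str, Dict[str, str]] = VENDOR_MASTER) -> List[str]:
    """Return human-readable red flags; an empty list means nothing looked wrong."""
    msg = message_from_string(raw_email, policy=policy.default)
    findings: List[str] = []
    known = set(vendor_master)
    from_dom = domain_of(msg["From"] or "")
    reply_dom = domain_of(msg["Reply-To"]) if msg["Reply-To"] else from_dom

    # Flag 1: sender or reply address sits on a lookalike of a supplier we know.
    for label, dom in (("From", from_dom), ("Reply-To", reply_dom)):
        target = lookalike_of(dom, known)
        if target:
            findings.append(f"{label} domain {dom!r} imitates supplier {target!r}")

    # Flag 2: replies are routed to a different domain than the visible sender.
    if reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")

    # Flag 3: bank details in the body differ from what is on file for that supplier.
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content() if part else ""
    vendor = from_dom if from_dom in known else lookalike_of(from_dom, known)
    bsb, acct = _BSB_RE.search(body), _ACCT_RE.search(body)
    if vendor and bsb and acct:
        on_file = vendor_master[vendor]
        if (bsb.group(1).replace("-", "") != on_file["bsb"].replace("-", "")
                or acct.group(1) != on_file["account"]):
            findings.append(f"bank details differ from vendor master for {vendor!r}; "
                            "confirm by phone on the number already on file")
    return findings


# Constructed sample: lookalike From domain, Reply-To elsewhere, changed bank details.
SUSPICIOUS_EMAIL = """From: Acme Accounts <accounts@acme-supp1ies.example>
Reply-To: Acme Accounts <acme.accounts@webmail.example>
To: ap@yourbusiness.example
Subject: Updated remittance details
Content-Type: text/plain; charset=utf-8

Hi, please note our bank details have changed for all future payments.
BSB: 062-999
Account number: 87654321
Kindly update your records before settling the attached invoice.
"""

# Constructed sample: genuine domain, no Reply-To, details match the master file.
CLEAN_EMAIL = """From: Acme Accounts <accounts@acme-supplies.example>
To: ap@yourbusiness.example
Subject: Remittance details
Content-Type: text/plain; charset=utf-8

Please pay to BSB: 062-000, Account number: 12345678 as usual.
"""

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS_EMAIL), ("clean", CLEAN_EMAIL)):
        print(name, triage(raw) or ["no red flags"])
```

Run against the suspicious sample it raises all three flags; the clean sample raises none. A script like this is a filter, not a decision: a message that passes can still come from a genuinely compromised supplier mailbox, which is why the phone call on a number already on file stays mandatory for any bank detail change.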
Real Life Example: How Awareness Saved Me from a Scam!
Recently I received a Request for Proposal from a company I usually source equipment from. The email was beautifully branded and well written, and as someone with a business who is always looking for opportunities, it really piqued my interest.
I hovered over the link, about to click, but something didn’t feel right. The awareness drilled into me over years and years working in finance kicked in and I got suspicious.
I deleted the email and sent a courtesy note to the supplier letting them know what I had received and either it was sent in error or they had been compromised. Half an hour later, an email from the company confirming they had been breached was issued. Thank goodness that training kicked in.
Final Takeaway: Protecting Your Business
The prevention strategies here may seem simple, but they’re powerful when applied consistently. A clear process, regular awareness and a cautious mindset can make all the difference and prevent costly mistakes.
Check out our free Cyber Security Checklist to help review your organisation’s Cyber Resilience.
Cyber Wardens also provide free online training for small business and not for profits.
Need some help?
If you need support with business planning, governance, risk, or compliance—or just want to get your processes organised Ellevate Solutions is here to help.
Check out our Cyber Security Governance services.