The Australian Federal Police is urging businesses and individuals to be alert to the threat of compromised emails, warning that financial losses from such scams have totalled more than $79-million in the past 12 months.
Business email compromise, often known as BEC, is a particular concern as many organisations return to remote working because of Covid restrictions in various parts of the country.
BEC is a persistent threat worldwide, the AFP said, and the impact on victims can be significant.
Aim is to redirect legitimate fund transfers to alternative accounts
Such frauds typically seek to redirect legitimate fund transfers to alternative accounts. Most commonly, offenders will intercept legitimate emails or invoices from known transaction partners – such as between two companies that do business regularly or an individual who often transacts with a company – and change banking details to include fraudulent payment information.
The victim will then unsuspectingly transfer funds to the offender. BEC often goes unnoticed until the intended recipient of the funds enquires about the missing payment, or the victim becomes aware that the funds have been deposited incorrectly.
So common has the threat become in Australia that in January last year various enforcement agencies formed the BEC Task Force that includes, among others, the AFP, state police forces and the Australian Cyber Security Centre.
Over the past 12 months, more than 3,300 incidents have been reported, with nearly half of those scams resulting in financial loss, the AFP said in a statement released on Saturday. However, the task force had prevented an additional $8.45-million from being stolen.
One Australian business was targeted for more than $2.7-million
“In one case in September 2020, the task force assisted an Australian business which was compromised when offenders, who claimed to be staff, sent internal invoice emails to the company’s finance [department], but with altered bank details,” police said.
“The business processed two payments within a few days – transferring $519,000 and then $2.2-million to a Singaporean bank account. The [email fraud] was discovered after the second transfer. The affected business immediately reported the matter to NSW Police … who then notified the AFP to intercept the transferred funds.”
“If you think an email is suspicious, make further enquiries. Call and check directly with the business or organisation you are dealing with. It is reasonable to ask questions to protect yourself or your company,” Commander Chris Goldsmid of the AFP’s Cybercrime Operations said.