Online fraud and email scams aren’t new, but scammers and criminals are inventive and relentless in finding new ways to defraud people through phishing, identity theft, hacking and catfishing, all of which lead to financial loss. According to the ACCC’s Scamwatch, $176m was lost to scams in Australia in 2020.
One example is email spoofing: a technique used to trick users into thinking a message came from a person they either know or can trust. It is often used together with spyware or malware that a hacker has installed to monitor activity and intercept emails.
In spoofing attacks, the sender forges email headers so that a fraudulent sender address is displayed. You might take it at face value because you were expecting the email and did not check the email address itself. Even if you do check it, it might be so similar to the email address you are already familiar with that you don’t notice it isn’t the same. This is a particular problem in email apps on smaller smartphones, because commonly there is only space for a display name.
For example, you might be accustomed to receiving emails from the admin officer at a business called “XYZ Business” who uses firstname.lastname@example.org. You receive an email attaching an invoice you were expecting. The email displays as having been received from Admin XYZ Business but, on checking the underlying email address, you find it has been sent by email@example.com. Can you spot the subtle difference? That’s email spoofing.
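The check described above (compare the underlying address, not the display name, against your own records) can be automated. The following is an added example, not part of the original article; the contact list, the addresses and the 0.85 similarity threshold are constructed assumptions.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed address book: display name -> address verified from your own records.
KNOWN_CONTACTS = {"Admin XYZ Business": "admin@xyzbusiness.example"}


def check_sender(from_header, known=KNOWN_CONTACTS, threshold=0.85):
    """Classify a From: header against addresses you have verified yourself.

    Returns one of:
      'address-matches'       - address equals a verified one (header text only;
                                this does not prove the message is authentic)
      'lookalike-address'     - address is nearly, but not exactly, a verified one
      'display-name-mismatch' - familiar display name on an unfamiliar address
      'unknown'               - neither name nor address is in your records
    """
    display, addr = parseaddr(from_header)
    display, addr = display.strip().lower(), addr.strip().lower()
    verified = {a.lower() for a in known.values()}

    if addr in verified:
        return "address-matches"
    # A one-character change keeps the similarity ratio very close to 1.0.
    if any(SequenceMatcher(None, addr, good).ratio() >= threshold for good in verified):
        return "lookalike-address"
    # Small-screen mail apps often show only this part of the header.
    if display in {name.lower() for name in known}:
        return "display-name-mismatch"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample headers.
    samples = [
        "Admin XYZ Business <admin@xyzbusiness.example>",
        "Admin XYZ Business <admin@xyzbusines.example>",
        "Admin XYZ Business <billing@freemail.example>",
        "Someone Else <person@other.example>",
    ]
    for header in samples:
        print(f"{check_sender(header):22} {header}")
```

Any result other than address-matches is a reason to confirm payment details by telephone using your own records before paying.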
Email spoofing is often used by a fraudster who intervenes in email correspondence between 2 parties, to commit payment redirection fraud (or business email compromise) where an upcoming payment is redirected to a fraudulent bank account.
As settlements of property are now conducted through electronic conveyancing online, this can involve large amounts of money. Payment redirection fraud can be financially devastating for people and businesses.
Australian banks are not required to, and do not, use the account name for an on-line payment, and do not check the account name matches the BSB and account number. On-line transfers only rely on the BSB and account number.
What should you do if you are defrauded through an email scam?
- Act urgently by reporting it to the police and your bank
- Lodge a fraud report with the Australian Cyber Security Centre
- Urgently seek legal advice. If you act quickly, it might be possible to approach the Court to freeze a bank account into which you transferred the money, before the money can be moved out of the jurisdiction
- Legal advice can identify if you can make a claim in negligence or contract against the person or business that had its email/invoice compromised e.g. for failing to implement cyber security measures which facilitated the fraud or identify whether a cyber-risk insurance policy might apply
- Use strong passwords (a minimum of 8 characters with lower and upper case letters, numerals and special characters)
- Keep software up to date to help prevent cyber attackers compromising your email account
- Set up multi-factor authentication
- Do not click on unsafe hyperlinks or open attachments which might introduce malware to your computer
- Do not enter your own computer username and password to unlock a purportedly secure document from a third party
- Always confirm any payment and bank details over the telephone, and do not rely on the contact details provided in the email itself. Use your own records or look up contact information on the internet
- Consider making a small test payment and confirm by telephone it has been received, before transferring a larger sum. Immediately let the business know you have transferred any money and ask for confirmation of receipt
How can we help?
Samantha Peterson, Partner, has experience in dealing with email scams and frauds and applications to the Supreme Court for freezing orders. Samantha has successfully recovered compensation arising out of a payment redirection fraud.
If you would like more information, please contact Samantha on (02) 9229 2222.