Email Scams

Email scams are not new and unfortunately seem to proliferate across the business environment. Team awareness of what to be on the lookout for is a key defence to avoiding the social engineering traps the scams rely on for success.

This article is a simple reminder that we all need to be vigilant about scams so as not to fall victim to them.

If you need help, advice or information about email scams, contact Dispute Resolution partner Scott Eustace at eustaces@hickeylawyers.com.au. Scott is an accredited specialist in commercial litigation and a nationally accredited mediator.

An Example of How a Common Scam Works

There are several variations on the scam, but the common element is a façade designed to result in the theft of money.

One common business scam is that of the scammer pretending to be a supplier and requesting payment by invoice.

An example of this and some warning signs

  1. The supplier issues a seemingly legitimate invoice to the customer which includes details of the bank account to which payment may be made.
  2. The scammer hacks into the supplier’s server and then sends an email to the customer advising that, for some apparently legitimate reason (for example, the supplier has changed banks), payment of the invoice ought to be made to a different bank account.
  3. The second account is the account of the scammer, not the supplier. The funds are taken out of the account by the scammer and often sent overseas.
  4. The scam is usually not discovered until the supplier chases the customer for payment of the invoice which the customer believes has been paid. By this time it is too late to stop the payment to the scammer’s bank account, as the funds have already been withdrawn from that account and the scammer has moved on.
  5. It then needs to be determined where the loss falls as between the supplier and the customer.

A request to change bank account details should be seen as a large red flag. The customer should check its legitimacy by phoning the supplier before processing any change to any bank account.

Another variation of the scam is where the scammer accesses the supplier’s server.  The scammer reviews the supplier’s email traffic and other communications and documents to identify customers of the supplier.  The scammer then sends a fake invoice, from the supplier’s server, with the scammer’s bank account as the place for payment.  In this instance, the supplier does not chase payment because they did not issue an invoice and so the scam may remain undetected for quite some time.

The email will have the appearance of being from the supplier.  The supplier’s logo, for example, will be copied.  The email may include links to websites that are, on their face, convincing fakes of the supplier’s website.

More sophisticated scammers will disguise their email address or create a new email address that is almost identical to the supplier’s email address.

Steps You Can Take to Protect Yourself

Effective internal processes can significantly reduce losses to such scams. Clearly defined processes for verifying and paying invoices, of which your staff are aware, are essential.

Staff need to be aware not only of your processes, but also of this type of scam, so that they are alert to it and understand why you have these processes.

If you receive an email attaching an invoice:

  1. Check that the goods or services were in fact supplied by the supplier (this might assist to detect the second variation of the scam referred to above).
  2. Check carefully the email address from which the email is sent.
  3. Check the content of the email. These emails are often marked “urgent” or “confidential” to create a degree of urgency or to encourage the recipient not to follow their usual processes. The language or formatting of the email may not be consistent with earlier emails. Also bear in mind that the email may look legitimate: many scammers are very sophisticated and can create exceptionally good reproductions.
  4. Probably most importantly, do not transfer funds to a bank account referred to in an email unless you have verbally confirmed the bank account details.  For the purpose of confirming bank account details verbally, phone the supplier using the phone number of the supplier which you have on your system (or you otherwise confirm independently), not the number listed on the counterfeit email.
  5. Do not verify account details via email.  You may be asking the scammer to confirm their own bank account details!
  6. Keep your computer security up-to-date and check your IT system for viruses or malware.
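The checklist above can be turned into a simple accounts-payable triage routine that records the flags a person approving a payment should see, and refuses to release funds to a bank account that differs from the one on file until it has been confirmed by phoning the supplier on the number held in your own records. The code below is an added example written for this article; it is not the firm's own tooling. The supplier record, the sample emails, the phone number, the list of confusable characters (such as "rn" for "m") and the urgency words are all constructed for illustration.

```python
"""Triage an emailed invoice against the supplier record held on file.

Added example for this article; it is not the firm's own tooling. The supplier
record, the sample emails, the confusable-character list and the urgency words
are all constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Substitutions commonly used to build a near-identical domain (assumed list).
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l"}
# Wording used to pressure the recipient into skipping the usual process.
URGENCY_WORDS = ("urgent", "confidential", "immediately", "today")


@dataclass
class SupplierRecord:
    name: str
    email: str         # sender address held on file
    bank_account: str  # account previously confirmed and held on file
    phone: str         # number held on file; the only one used to confirm changes


@dataclass
class IncomingInvoice:
    from_addr: str
    subject: str
    body: str
    bank_account: str         # account stated in the email or attached invoice
    purchase_on_record: bool  # were the goods/services actually ordered? (step 1)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def fold_confusables(domain: str) -> str:
    """Map look-alike character sequences to the letters they imitate."""
    for fake, real in CONFUSABLES.items():
        domain = domain.replace(fake, real)
    return domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character domain changes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_flag(expected: str, actual: str) -> Optional[str]:
    """Step 2: compare the sending address with the address on file."""
    if expected.lower() == actual.lower():
        return None
    exp_dom, act_dom = domain_of(expected), domain_of(actual)
    lookalike = exp_dom != act_dom and (
        fold_confusables(exp_dom) == fold_confusables(act_dom)
        or edit_distance(exp_dom, act_dom) <= 2
    )
    if lookalike:
        return f"lookalike sender domain {act_dom!r} (on file: {exp_dom!r})"
    return f"sender {actual!r} is not the address on file ({expected!r})"


def triage(record: SupplierRecord, msg: IncomingInvoice,
           confirmed_on_file_phone: bool = False) -> list:
    """Return (severity, reason) flags; 'block' flags stop payment, 'warn' flags
    are shown to the person approving it."""
    flags = []
    if not msg.purchase_on_record:
        flags.append(("block", "no matching order on record (step 1)"))
    reason = sender_flag(record.email, msg.from_addr)
    if reason:
        flags.append(("block", reason + " (step 2)"))
    text = f"{msg.subject} {msg.body}".lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        flags.append(("warn", f"pressure wording {hits} (step 3)"))
    if msg.bank_account != record.bank_account:
        if confirmed_on_file_phone:
            flags.append(("warn", "bank account changed; confirmed by phoning "
                                  f"{record.phone} from our records (step 4)"))
        else:
            flags.append(("block", "bank account differs from record; confirm by "
                                   f"phoning {record.phone} from our records, not a "
                                   "number or email address in the message (steps 4-5)"))
    return flags


def payment_allowed(record: SupplierRecord, msg: IncomingInvoice,
                    confirmed_on_file_phone: bool = False) -> bool:
    """Release rule: pay only when nothing blocks. An account already on file
    counts as previously confirmed; a changed account needs a phone call first."""
    return not any(sev == "block"
                   for sev, _ in triage(record, msg, confirmed_on_file_phone))


if __name__ == "__main__":
    # Constructed sample data: a "we have changed banks" email from the real address.
    acme = SupplierRecord("Acme Supplies", "accounts@acme-supplies.example",
                          "BSB 012-345 ACC 123456789", "+61 2 5550 0000")
    changed = IncomingInvoice("accounts@acme-supplies.example", "URGENT: new bank details",
                              "We have changed banks. Please pay invoice 1042 to the account below.",
                              "BSB 999-999 ACC 000000000", purchase_on_record=True)
    for sev, why in triage(acme, changed):
        print(sev.upper(), why)
    print("pay without phone call?", payment_allowed(acme, changed))
```

The design point is that a changed bank account is a hard stop rather than a warning: `payment_allowed` only relaxes it when the caller asserts the confirmation was made on the phone number from your own records, and a lookalike sender domain blocks payment even after such a call, because the call itself may have been prompted by the fraudulent message.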

As a firm we have a policy that we will not transfer funds to a bank account without first confirming bank account details verbally or by some independent means.

At the foot of our emails, we include the following notation:

Your security matters to us.  Where you receive any unexpected communication (from us or someone else) requesting you to transfer or deposit money, we suggest that you contact the person making the request or our office by telephone (not email), to confirm the authenticity of the request.

Many businesses have a similar notation and this is something you may wish to consider.

What To Do If You Have Been a Victim of an Email Scam

If you believe you have been the victim of an email scam:

  1. Contact your bank;
  2. Contact your customer/supplier;
  3. Contact us.

For advice or information about email scams, contact Dispute Resolution partner, Scott Eustace on eustaces@hickeylawyers.com.au.