$65,000 Invoice Scam Highlights New Trend Exploiting Organisations
The ease in which hackers targeted an Australian car dealership with a $65,000 invoice scam highlights just how essential it is to stay atop of cyber crime.
A Perth-based car dealership has lost $65,000 after being struck by an invoice payment scam that saw it unknowingly transferring funds directly to the scammers.
According to reports, the dealer in question had purchased something from a supplier, who later sent an invoice to the dealership with the correct financial information. The dealership soon received a follow-up email from the supplier, requesting that payment be made to a different bank account to the one originally supplied.
Commerce Western Australia says that the dealership asked the change in details be made on the company’s official letterhead, which was supplied without problem by the third-party. In accordance to the dealer’s procedures, an attempt at verbal confirmation was made, but the contact information supplied wasn’t working.
According to Commerce WA, “the payment was made regardless” and “the scam wasn’t detected until the real supplier later queried the non-payment of the invoice.”
Commissioner for Consumer Protection, David Hilyard, says that scammers are always looking to target businesses that are dealing in large-sum figures like a car dealership and real estate agencies.
“All businesses need to be alert to attempts by scammers to intercept payments that flow to and from their accounts and ensure their email accounts and computer systems have security software to reduce the likelihood of becoming a victim of hacking,” Hilyard said.
A Rising Trend
The Perth-based dealership we're reporting on today is one relatively small drop in a large - and growing - bucket of invoice fraud that the ACCC is monitoring closely. For the month of July, 2019 alone there were:
-954 reports of false billing scams.
-18% of these scams resulting in financial loss for Australian organisations.
- $1,403,328 lost as a result.
The following screenshot puts it in the context of the seven-month span of 2019, which shows that on average, these scams are a problem that isn't going away. Cybercriminals realise the potential for success in this area, as busy organisations with hundreds, if not thousands of clients in their database will often sacrifice due diligence in the interest of expedited payment or satisfying a customer's request. In the seven months of data that the ACCC has on its website, the cost so far to Australian businesses in false billing scams amounts to 6,546 reports, of which 16.3% resulted in financial losses to just under $6-million.
David Hilyard continued to explain that organisations of all sizes should “closely scrutinise all invoices and query any changes to ensure that the payments are going to correct accounts. Get a verbal confirmation of email requests to change the bank account details of suppliers and clients and ensure all staff members are aware of the anti-fraud procedures and the importance of adhering to them without exception.”
“Sometimes the accounts staff will get a fake email purporting to be from the business manager requesting an urgent payment be made to a particular bank account belonging to scammers. If a request seems unusual or stranger, query it and confirm it before paying.”
“The real estate industry has been targeted in the past with huge losses suffered, so now motor vehicle dealers need to be vigilant as scammers will use this recent success to make further attempts to steal money from other business operators,” Hilyard concluded.
Commerce Western Australia has listed steps for organisations to utilise and help manage the risk of being defrauded, including:
-The use of a business grade, hosted email service that includes quality filtering to block dangerous emails, spam, phishing and malicious content or attachments.
-Regularly check sent and deleted folders, as well as bank accounts for unusual activity.
-When responding to emails, use the forward button instead of reply, and manually type or select the address from your address book. This helps to ensure you’re in communication with the right person, and not an imposter’s account.
-If an attachment comes in an unusual format, or the email asks you to follow a link to a file hosting site, this is a red flag. If the sender is known to you- call them and check before opening.
-Delete spam immediately.
-Offer staff regular cyber security training, as well as fraud protecting training; consider having your system’s security reviewed by a third-party.
-Report unusual emails.