ACCC Warns Business Payment Redirection Scams Costing Millions

The ACCC has issued a warning that business payment redirection scams are costing Australian businesses millions of dollars each year. 

The ACCC’s warning about payment redirection scams comes after Scamwatch reported more than $14 million had been lost, and so far in 2021, the number is five times higher than the average from 2020.

The ACCC says that “total losses are much higher as these scams are reported to a range of different organisations,” rather than primarily to Scamwatch. 


In a payment redirection scam, otherwise known as a business email compromise scam, a scammer will impersonate an organisation that the victim is working with, and request via email that a due invoice or upcoming payment should be redirected to a new bank account. 

The payment that would otherwise be paid to a legitimate business is then redirected directly to the scammers, who can often profit multiple times from the same organisation.

These scams can take a number of forms, and can in some instances be incredibly sophisticated. In some cases, scammers may hack into an existing organisation’s email account, intercept legitimate invoices and edit the payment details to their own bank account number. 

The amended invoice is then redirected to the original recipient, where it is paid by the finance department. 

In other types of business email compromise, or payment redirection scams, a scammer will either hack the CEO’s email account or create an email address similar to the CEO’s, and request that a payment be made.

These scams can also extend to employee salaries, whereby a scammer will impersonate a member of staff and request to have their salary sent to a new bank account, which belongs to the scammer.

In one case noted by Scamwatch, “a victim lost $16,500 in a single transaction after a scammer used a staff member’s email address to send an invoice to a customer with ‘updated bank details,’ redirecting the payment to the scammer’s personal bank account.”

The ACCC’s Deputy Chair, Delia Rickard, has issued a statement saying that “payment redirection scams impact businesses across many industries, including real estate, construction, law, recruitment, and universities.”

“Scammers tend to target new or junior employees, or even volunteers, as they are less likely to be familiar with their employer’s finance processes or the types of requests to expect from their supervisors.” 

Rickard continued to explain that “we recommend organisations ensure their staff are well trained in the company’s payment processes and remain aware of payment redirection scams.” 

The ACCC also says that “an increasing number of reports are coming from sports and community clubs which reported more than $55,000 in losses to payment redirection scams last year. It is likely we will see similar figures this year, with $18,000 already reported lost so far in 2021.” 

In those attacks, Scamwatch says that scammers impersonated the president or treasurer of a club and requested that money for equipment payments be transferred to their own account.

The ACCC’s Delia Rickard says that it’s important that you “don’t deviate from your organisation’s payment procedure, even if the request you have received appears to come from your CEO or a senior manager.” 

“If you have received a request that creates a sense of urgency, don’t rush. Take the time to consider and check whether an email is real, including by looking carefully at the sender’s email address, before acting on instructions,” she said. 

“Whenever there is a request to change payment details, always check with the organisation using stored contact details, rather than those requesting communication,” Rickard concluded. 

If you, or someone you know, has been impacted by a business email compromise or payment redirection scam, the ACCC is encouraging the public to contact its business reporting page.

