SCAM SPOT: Biller beware

12:00pm August 29 2024

Payment redirection scams, also known as business email compromise, happen when a recipient receives a legitimate-looking email requesting a payment to new or updated account details.

In many cases, it may be a payment that the target of the scam had expected to make, or one that came from a supplier they were familiar with. But the bank details had been altered to begin with – and that large sum has now gone to a scammer.

This scam is perpetrated against businesses but is also effective in targeting large one-off payments from individuals, such as paying a conveyancer a house deposit, or paying a builder for a renovation. 

In 2023, these scams saw Australian businesses and individuals lose a total of $92 million, according to the ACCC. 

So, how does it work?

In one version, a scammer gets into the email system of a business and makes changes to outgoing messages requesting payments. The letterhead is correct, the business name and email address remain the same, but the BSB and account number are new – a trap has been set for the victim to pay directly into the rogue account.

In another version, the scammer does not even need to hack into the supplier’s email system. Instead, they send the recipient a new email from an address that looks very similar to that of the supplier. 

These are perhaps the hardest scams to spot since in many cases it’s a bill that the business or individual expected to pay anyway, and victims can lose millions in a single transaction.

If your bank has a service like Westpac Verify, this will do background checks to give you much better certainty that you are paying who you think you are. But to avoid falling for the trap, you should also always verify any banking information verbally when you receive requests for any new, urgent or redirected payments. And ensure you verify through a phone number you have sourced yourself.

Another option is to request to pay your suppliers using a PayID, which displays the registered payee name. So if it’s not the registered recipient, you will know. 
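Both versions of the scam described above can be flagged by comparing each payment request with supplier details that were recorded independently of email. The Python check below is an added example, not part of the original article or of any bank's service; the supplier name, domain, BSB and account values are constructed, and the 0.85 similarity threshold is an assumption.

```python
import difflib

# Constructed vendor master record: details confirmed by phone at onboarding.
VENDOR_MASTER = {
    "Acme Building Supplies": {
        "domain": "acmebuilding.example",
        "bsb": "000-001",
        "account": "11112222",
    },
}

# Character swaps that make a different domain read like the real one.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def fold(domain):
    """Collapse visually confusable sequences so lookalikes compare equal."""
    folded = domain.lower()
    for seen, meant in CONFUSABLES:
        folded = folded.replace(seen, meant)
    return folded


def is_lookalike(sender_domain, known_domain, threshold=0.85):
    """True when the domain is not the known one but closely resembles it."""
    sender, known = sender_domain.lower(), known_domain.lower()
    if sender == known:
        return False
    if fold(sender) == fold(known):
        return True
    return difflib.SequenceMatcher(None, sender, known).ratio() >= threshold


def review_request(vendor, sender, bsb, account):
    """Return the reasons to hold a payment; an empty list means none found."""
    record = VENDOR_MASTER.get(vendor)
    if record is None:
        return ["unknown-vendor"]
    flags = []
    domain = sender.rsplit("@", 1)[-1].lower()
    if is_lookalike(domain, record["domain"]):
        flags.append("lookalike-sender")   # second version: similar address
    elif domain != record["domain"]:
        flags.append("unknown-sender")
    # First version: a genuine mailbox can still carry altered bank details.
    if (bsb, account) != (record["bsb"], record["account"]):
        flags.append("bank-details-changed")
    return flags
```

Any flag means the payment is held until the details are confirmed verbally on a phone number sourced independently of the email.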

It’s important to remember that all electronic communication platforms can be hacked. Being aware that scams can come from seemingly trusted sources can save you a whole world of trouble.