
Protect yourself against fake business invoice scams

by James Der,   Aug 28, 2024

 

Scams Awareness Week runs from 26-30 August 2024, and it’s a timely reminder to protect your business against invoice fraud.

When you mention the word ‘scam’, many Australians think of the impact on consumers. However, the small business community, including brokers, is certainly not immune from online crooks. Small businesses (0-19 employees) made 967 scam reports and accounted for 2.9% of losses[1].

 

“Small businesses accounted for 2.9% of losses”

 

This year’s Scams Awareness Week, spearheaded by the Federal Government’s Scamwatch, highlights the theme “Share a Story, Stop a Scam.” The campaign encourages individuals and businesses to take an active role in scam prevention by sharing their experiences, which can also be highly beneficial for those who report.

Between 1 January and 30 June 2024, Scamwatch received 143,106 reports, with 92.9% of those who reported experiencing no financial loss[2]. Also, the contributions of those who chose to report a scam were vital in aiding scam disruption efforts and the issuing of warnings. By sharing their stories, they helped others identify and avoid scams, including the increasingly sophisticated “payment redirection scams.”

 

“Redirection scams ranked among Australia’s top five scams for losses”

 

In 2023, payment redirection scams ranked among Australia’s top five scams for losses, collectively costing businesses $91.6 million[3]. This figure may be the tip of the iceberg, as it’s estimated that one in three victims do not report a scam[4].

Let’s look at a key threat facing small businesses, and what you can do to protect your enterprise and avoid becoming a scammer’s next victim.

 

Payment redirection scams

Payment redirection scams are one of the leading cyber threats for small businesses.

Generally, the scam begins with a cybercriminal gaining access to your business emails and waiting for an invoice to be sent to a customer. They then intercept the message and change the payee account details on the invoice to their own, so that the customer ultimately pays money into the scammer’s bank account rather than your business account.

These scams not only fleece your customers; they can also leave your business out of pocket and cause significant reputational damage to your brand. Hence the importance of having measures in place to protect your business and customers from potential fraud and scams.

 

“Email is a common target for cybercriminal activity”

 

The Australian Cyber Security Centre[5] (ACSC) says email is a common target for cybercriminal activity. The fact is, once someone gains unauthorised access to your email account, they have access to all your private business communications. This allows the criminals to impersonate your business by using compromised email accounts, or using a domain name that looks like your business’s web address.

 

Protective measures are simple and cost-effective

Fortunately, there are easy, low-cost ways to protect your enterprise. Here are three steps you could consider:

 

1. Use multi-factor authentication

 

The ACSC advises that multi-factor authentication increases the security of your email account. It involves using two identity checks before you can access your emails.

For example, you may need to supply an authentication code as well as a password, which makes it a lot harder for someone to hack your business emails.

If you cannot, or choose not to, use multi-factor authentication, be sure to have strong passwords in place. Amazingly, some of the most commonly used passwords are ‘123456’, ‘password’ and ‘admin’[6]. Not surprisingly, it can take hackers less than a second to crack the code.

 

2. Protect your domain name 

 

Your ‘domain name’ refers to the series of characters, usually words, that follow the “@” symbol in your email address. For example, in “john@johnsplumbing.com.au” the domain name is johnsplumbing.com.au.

 

“Scammers could pay for your domain name and use it to impersonate you or your business”

 

This domain name identifies your business online. However, if your domain name expires, it will become available to anyone who pays to use it. Seen through this lens, it is easier to grasp how a scammer could pay for your domain name and use it to impersonate you or your business.

The ACSC recommends ensuring domain names are regularly renewed – even those you don’t use anymore. It’s an extra layer of protection for your enterprise’s online identity.

You should also be selective about where you post your work email address, as it can be an easy target for thieves to impersonate you.

 

3. Have effective security policies in place

 

Payment redirection scams work both ways: your own business could receive an invoice that appears to be from a regular supplier, when in fact it’s a fake sent by a cybercriminal.

 

“Your own business could receive a fake invoice”

 

Introducing a few payment policies, backed up by staff support and training, could help keep your business secure from scams.

You may want to:

a) Implement a system requiring you or your staff to phone a supplier if you receive a request to change payment details or make a large transfer. Additionally, you should use a verified phone number (not the number provided in the request) to verbally confirm any such request or change.

b) Ensure you or your accounts payable team think critically before actioning unusual or unexpected requests. Encourage your team to speak to you if there is any doubt about a payment request.

c) Introduce regular cyber security updates and training for you and your staff, as this can be your best defence against email scams.
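The call-back policy in (a) can be backed by an automated check in accounts payable. The sketch below is an added example, not code from this article or from OnDeck: it compares each incoming invoice against a supplier master record and flags changed payee details, lookalike sender domains and large amounts for a call-back on the number already on file. All names, the 10,000 threshold and the sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Supplier:
    email_domain: str
    bsb: str
    account: str
    verified_phone: str  # confirmed out of band, never taken from an email

@dataclass(frozen=True)
class Invoice:
    supplier: str
    sender: str
    bsb: str
    account: str
    amount: float

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def digits(s: str) -> str:
    return "".join(c for c in s if c.isdigit())

def review_invoice(inv, suppliers, large_amount=10_000.0):
    """Return (decision, reasons, number_to_call) for one incoming invoice."""
    rec = suppliers.get(inv.supplier)
    if rec is None:
        return "HOLD", ["supplier not in master file"], None
    reasons = []
    domain = inv.sender.rsplit("@", 1)[-1].strip().lower()
    if domain != rec.email_domain:
        near = edit_distance(domain, rec.email_domain) <= 2
        reasons.append("lookalike sender domain" if near else "unexpected sender domain")
    if (digits(inv.bsb), digits(inv.account)) != (digits(rec.bsb), digits(rec.account)):
        reasons.append("payee account differs from record")
    if inv.amount >= large_amount:
        reasons.append("large transfer")
    # Any flag means a call-back on the number already on file.
    return ("CALL_BACK", reasons, rec.verified_phone) if reasons else ("PAY", [], None)

# Constructed sample data: one supplier record and three incoming invoices.
SUPPLIERS = {"Johns Plumbing": Supplier("johnsplumbing.com.au", "000-001", "11112222", "00 0000 0000")}
GENUINE = Invoice("Johns Plumbing", "john@johnsplumbing.com.au", "000001", "1111 2222", 850.0)
HIJACKED = Invoice("Johns Plumbing", "john@johnsplumbing.com.au", "000-009", "99998888", 850.0)
LOOKALIKE = Invoice("Johns Plumbing", "john@johnsplurnbing.com.au", "000-009", "99998888", 12500.0)
```

The HIJACKED sample comes from the supplier's genuine address, as it would after a mailbox compromise, so only the payee-detail comparison catches it; the sender domain check alone would pass it.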

 

#ShareAScamStory

 

How to share a story

Scams Awareness Week encourages us to share our experiences of frauds such as payment redirection scams and other stings, to help others steer clear of similar traps.

Post a photo, video, or text on your social media profiles about a time you avoided or encountered a scam, using the hashtag #ShareAScamStory.

You can also share the government’s #ScamsWeek24 campaign asset or share this article directly with your own customers to generate more awareness.

 

Get help

For support on how to keep your details secure when transacting with OnDeck, or if you’re an OnDeck partner or customer and believe you have fallen victim to a scam or fraud, please report it to us immediately – call 1800 676 652 or email customersupport@ondeck.com.au.

 

 

 

[1] https://www.scamwatch.gov.au/system/files/scams-awareness-week-2024-key-statistics_0.pdf

[2] https://www.scamwatch.gov.au/system/files/scams-awareness-week-2024-key-statistics_0.pdf

[3] https://www.accc.gov.au/system/files/targeting-scams-report-activity-2023.pdf

[4] https://www.accc.gov.au/system/files/targeting-scams-report-activity-2023.pdf

[5] https://www.cyber.gov.au/protect-yourself/securing-your-email/email-security/preventing-business-email-compromise

[6] https://www.weforum.org/agenda/2024/07/popular-passwords-cybercrime-digital-safety/

 

Important: This information has been prepared by OnDeck Capital Australia Pty Ltd ABN 28 603 753 215 (“OnDeck”) for general information purposes only and does not constitute financial advice. Content may belong to or have originated from third parties and OnDeck takes no responsibility for the accuracy, validity, reliability or completeness of any information. Please consult with a qualified financial advisor for advice specific to your situation.

 
