Commissioner's Blog: Beware the man in the middle
With Commissioner for Consumer Protection Lanie Chopping
When it comes to email scams, many of us think of unsolicited and badly-spelt requests for money landing in our inboxes from dodgy email accounts.
But the reality is that email scams are now so sophisticated and believable they’re almost impossible to tell apart from the real thing.
One such ruse is the payment redirection or ‘man in the middle’ scam, which involves a scammer pretending to be a legitimate company seeking payment to a bank account they control.
The scammer will secretly hack into your computer, or that of the business you’re dealing with, and either alter bank details on an invoice or send a separate email saying they have recently changed bank accounts. Sometimes the fake invoice will come from the company’s own email address (if it has been hacked), or from an address with a slight variation.
Often you won’t realise you’ve been scammed until the genuine business starts chasing you for the money owed – and by then it is usually too late to recoup the funds.
It’s a simple scam, but the consequences can be disastrous for individuals and businesses. Payment redirection scams tricked West Australians out of $1.3 million in 2019, up 400% from the previous year.
Last year, a Yangebup association paid $5200 – meant for suppliers who had provided services to a Carols by Candlelight event – into the wrong bank accounts, after a scammer hacked into its email account and set up mailbox rules that diverted invoices as they arrived. After altering the bank details, the scammer put the invoices back into the association’s inbox so they appeared to have come from the genuine suppliers.
It’s important to stay vigilant to protect yourself. Check your email account rules regularly, and be suspicious of any correspondence from a company seeking to change its bank account details. Confirm whether the request is legitimate by calling a verified phone number taken from the company’s website, or, if you email the company directly, type the email address you already know into the ‘to’ field rather than replying to the email you received.
If you notice any changes to invoices and banking details, report this to WA ScamNet, and contact your bank as soon as possible if you paid money into an incorrect bank account.
Also alert the other party about the scam, change passwords and perform a virus scan on any computer that may have received a suspicious email.
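The two checks the post recommends (reviewing mailbox rules, and treating a change of bank details or sender address as suspect until confirmed by phone) can be automated on the receiving side. The following Python is an added example, not code from WA ScamNet or the Commissioner's office. It assumes a simplified mailbox-rule export (a list of dicts), an Australian BSB plus account number as the payee identifier, and a locally kept vendor registry; every rule, vendor, domain and invoice in it is constructed for illustration.

```python
"""Defender-side checks for payment redirection ('man in the middle') scams.

Added example, not part of the original blog post. It assumes a simplified
mailbox-rule export (a list of dicts) and a locally kept vendor registry;
every rule, vendor and invoice below is constructed for illustration.
"""
from dataclasses import dataclass

OWN_DOMAIN = "association.example"  # assumption: the organisation's own mail domain
# Folders where a diversion rule typically parks mail so the owner never sees it
HIDE_FOLDERS = {"rss subscriptions", "junk", "archive", "deleted items"}
PAYMENT_WORDS = ("invoice", "payment", "bank", "remittance", "account")


def audit_mailbox_rules(rules, own_domain=OWN_DOMAIN):
    """Return (rule_name, reason) pairs for rules that look like invoice diversion.

    Each rule is a dict with optional keys: "contains" (keywords), "forward_to"
    (addresses), "move_to" (folder), "delete" and "mark_read" (booleans).
    """
    findings = []
    for rule in rules:
        name = rule.get("name", "<unnamed>")
        words = [w.lower() for w in rule.get("contains", [])]
        payment_related = any(p in w for w in words for p in PAYMENT_WORDS)
        for addr in rule.get("forward_to", []):
            if addr.rsplit("@", 1)[-1].lower() != own_domain:
                findings.append((name, f"forwards mail outside the organisation to {addr}"))
        folder = (rule.get("move_to") or "").lower()
        if payment_related and folder in HIDE_FOLDERS:
            findings.append((name, f"hides payment-related mail in '{rule['move_to']}'"))
        if payment_related and rule.get("delete"):
            findings.append((name, "deletes payment-related mail"))
        if payment_related and rule.get("mark_read"):
            findings.append((name, "marks payment-related mail as read"))
    return findings


@dataclass(frozen=True)
class Vendor:
    name: str
    email_domain: str
    bsb: str       # assumption: Australian BSB + account number identify the payee
    account: str


# Constructed registry; in practice this is the accounts team's own record
VENDOR_REGISTRY = {
    "Candlelight Sound Hire": Vendor("Candlelight Sound Hire", "csh.example", "016-000", "11112222"),
}


def edit_distance(a, b):
    """Plain Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_invoice(vendor_name, sender, bsb, account, registry=VENDOR_REGISTRY):
    """Classify an incoming invoice against the vendor record we already hold.

    Returns "OK", "UNKNOWN_VENDOR", "LOOKALIKE_SENDER_DOMAIN",
    "SENDER_DOMAIN_MISMATCH" or "BANK_DETAILS_CHANGED". Anything but "OK"
    means: do not pay until the vendor confirms by phone on a number you
    already hold, not one taken from the email.
    """
    vendor = registry.get(vendor_name)
    if vendor is None:
        return "UNKNOWN_VENDOR"
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    if sender_domain != vendor.email_domain:
        if edit_distance(sender_domain, vendor.email_domain) <= 2:
            return "LOOKALIKE_SENDER_DOMAIN"
        return "SENDER_DOMAIN_MISMATCH"
    if (bsb, account) != (vendor.bsb, vendor.account):
        return "BANK_DETAILS_CHANGED"
    return "OK"


# Constructed mailbox-rule export: one benign rule and one diversion rule
SAMPLE_RULES = [
    {"name": "Newsletters", "contains": ["newsletter"], "move_to": "Newsletters"},
    {"name": ".", "contains": ["invoice", "payment"],
     "forward_to": ["billing@webmail-free.example"],
     "move_to": "RSS Subscriptions", "mark_read": True},
]

if __name__ == "__main__":
    for rule_name, reason in audit_mailbox_rules(SAMPLE_RULES):
        print(f"[RULE] {rule_name!r}: {reason}")
    print(check_invoice("Candlelight Sound Hire", "accounts@csh.example", "016-000", "11112222"))
    print(check_invoice("Candlelight Sound Hire", "accounts@csh.example", "016-000", "99998888"))
    print(check_invoice("Candlelight Sound Hire", "accounts@csh.exarnple", "016-000", "11112222"))
```

The rule audit flags the pattern from the Yangebup case: a rule with a throwaway name that forwards payment-related mail outside the organisation, parks it in a folder nobody reads, and marks it read. The invoice check covers the case where the diverted invoice is re-sent from the supplier's genuine address (only the bank details differ, so the sender check passes and the bank-details comparison is what catches it) as well as the look-alike-domain variant, where the domain differs from the registered one by a character or two.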