Commissioner's Blog: Don’t let scammers come between you and a payee
With Acting Commissioner for Consumer Protection David Hillyard
Scammers are carrying out research into people at various organisations and either hacking computers or impersonating email accounts in a fraud known as a ‘man in the middle’ attack.
Consumer Protection and WA Police Major Fraud Squad warn anyone making payments to third parties to be aware of the increased frequency in attempts to intercept money.
Western Australian commercial businesses and not-for-profits have lost at least $500,000 over the last two years, according to reports made to WA ScamNet at Consumer Protection. In Queensland, Brisbane City Council lost $450,000 to this type of scam.
These attacks are sophisticated and may involve:
- internet research into your organisation and any goods or service suppliers used;
- convincing phone calls to find out who deals with finance matters; and
- emails containing links or attachments that when opened download ‘spyware’, giving the offenders access to information on computers or mobile devices.
How to avoid being scammed
- Verify ANY payment requests received via email from people within the organisation and third party suppliers. Ideally the conversation should be taken off email and a known person spoken to on the phone or in person.
- Run a virus scan on any computer that has received a suspicious email.
In some recent reports the targets realised before it was too late. You can learn from them.
- Scammers posed as the President of an Association having ascertained the person was away and communicating electronically. They used a spoofed version of the President’s email address that looked the same but replied to the scammers.
- The scam email asked the Treasurer to organise a $3,700 payment that sounded like a normal arrangement, except unbeknownst to the Treasurer, the bank account details were for an account belonging to the offenders.
- Instead of hitting reply, the Treasurer typed the email address for the President in the ‘To’ box. This broke the communication with the scammers and meant the Treasurer sent an email to the President’s true account.
- The President didn’t know what payment the Treasurer was talking about.
- At this point they realised there was a hack of the email accounts.
- A finance officer at a not-for-profit received an email from a team member seeking urgent payment of an invoice for $15,000.
- The attachment was an exact copy of a usual invoice and the only change was the bank account details.
- The finance officer phoned the team member to discuss the payment only to find the team member had not sent the email.
Anyone impersonated or targeted may have been the victim of hacking. All parties need to have their devices checked by a reputable technician to ensure any spying software is removed and that protection, such as firewalls and anti-virus programs are up-to-date and working.
Organisations targeted by ‘man in the middle scams’ can report the details to WA ScamNet by calling 1300 30 40 54. In certain circumstances there may be a referral to police. Successful fraud attempts can be reported to WA Police Major Fraud Squad on 131 444.
Further details, including local victim case studies and tips to prevent an attack are at: www.scamnet.wa.gov.au/middleman. You do your bit in the fight against scammers by sharing that short link via social media or email. As you can appreciate the audience for this warning is huge, with literally all WA organisations at risk. We welcome any help we can get to spread the word to employees at any business, public sector workers in WA’s local and state government agencies, members of associations etc.