‘The most financially harmful scam’: ACCC reveals massive toll of business email scams, with banks urged to be on the front foot of prevention


Email compromise scams cost Australian businesses $132 million last year, with banks urged to take a more diligent approach in preventing the transfer of funds to fraudsters.

The Australian Competition and Consumer Commission’s (ACCC) annual Targeting scams report revealed $634 million in total reported losses to scams in 2019 (a 30 per cent jump on 2018 figures), including $236.8 million alone recorded by the big four banks.

It marks the first time in 11 years of the report that scam data was collected from Australia’s big four banks, with the ACCC acknowledging that “scam victims are more likely to report financial losses to their bank than anywhere else”.

Data had previously been sourced from only government agencies and direct submissions to the ACCC’s Scamwatch service.

Business email compromise scams – representing the biggest losses of any scam type, above investment scams ($126 million) and ‘romance’ scams ($83 million) – involve fraudsters impersonating supplier businesses or senior staff through emails, tricking recipients into sending money to fraudulent accounts.

Three of the most common business email scam methods reported were: a) the interception of legitimate invoices, where scammers would change details to include fraudulent payment information; b) scammers impersonating senior decision makers or financial controllers within a company to request the transfer of funds, for example, the “purchase of gift cards as a surprise for other staff”; c) staff members requesting a change to their ordinary payment account.

“Scammers can find names of executives, senior managers, accountants and payroll officers online, and then quickly work out the format for that person’s business email address,” the report said.

“They can also hack into email accounts, including through information gathered in phishing scams.”

Hackers have grown adept at remotely tracking the daily activities of targeted businesses, “[observing] transactions and [identifying] opportunities to divert money to their own accounts”.

“Scammers will also intercept emails and invoices legitimately issued by a business and change the beneficiary account numbers to their own. This way any money sent by the receiver of the invoice will go to the scammer’s bank account (or a bank account controlled by the scammer) rather than the legitimate business.”

With smaller businesses often having fewer resources to pinpoint these deceptions, the consumer protection watchdog urged banks to be on the front foot of scam detection, checking the name of accounts, as well as BSBs and account numbers, to prevent money from being wired to scammers.

“Similar measures have been implemented overseas with good results,” it said.

The big four were nevertheless lauded for their efforts last year in preventing nearly $230 million from being sent to scammers.

This included amounts detected by banks before being processed and amounts that were recovered from financial institutions after being sent.

The ACCC said all reputable banks should have dedicated teams to investigate potential scam and fraud transactions, as well as greater investment in educational materials to assist staff and customers in detecting and preventing scams.

“With new payment methods and speedier payment transfers, scammers may have already moved money to different bank accounts by the time a victim has realised they are dealing with a scammer. Therefore, it is important people understand they may be dealing with a scammer as quickly as possible to reduce the financial impact of the scam.”

Businesses filed nearly 6,000 reports with the ACCC’s Scamwatch service last year, with accumulated losses of $5.3 million.

The vast majority of scams appeared to impact SMEs, with large businesses (those with more than 200 staff) representing less than one in 10 reportedly hit by scams – though it was suggested that many may have withheld submission to the ACCC, preferring instead to deal with the matter quietly in-house.

While ‘false billing’ represented the vast bulk of scams affecting businesses (accounting for 46 per cent of reported business scams), there were also notable cases of phishing (29 per cent), hacking (12 per cent), and identity theft (11 per cent).

Scamwatch.gov.au is the Government’s primary online scam reporting hub for Australian businesses and the public. However, the ACCC noted, only around 13 per cent of victims make a report to the service directly.

Last year, the ACCC initiated its Scam Watchlist project, which shares anonymised scam data with digital platforms and businesses to aid scam prevention and disruption.

“Our decade of data shows that scams continue to be a pervasive problem for Australia. In the coming years we expect scams to adapt and evolve even faster, as they manipulate new technologies to target new victims.”