In 2019, a European subsidiary of auto giant Toyota, Toyota Boshoku Corporation, received emails from a business partner’s email account, requesting payment. Staff from the company’s finance department dutifully transferred close to US$37 million to the bank account provided. Unbeknown to them, hackers had taken over their business partner’s email account – and the millions went straight to the fraudsters.1

Toyota is just one of many high-profile examples of business email compromise, or BEC. This payment redirection scam has also defrauded the government of Puerto Rico, charity Save The Children and French film and distribution company, Pathé.2

But this doesn’t mean smaller organisations are off the hook. In 2018, a Perth car dealership was defrauded of $65,000 through a very convincing scam invoice.3

Mick Keogh is Deputy Chair of the Australian Competition and Consumer Commission (ACCC). He confirms that organisations of all sizes are vulnerable.

“Small and micro businesses made most of the reports to Scamwatch and experienced an increase in losses in 2020, although larger businesses reported the highest losses,” he says.4

In the first half of 2022, the ACCC received reports of 11,395 incidents of business email compromise. In total, these cost businesses $12.3 million.5 The organisation has received many reports of scammers targeting Australian farming businesses – many through fake websites. 

“[But] the most common contact method scammers used against businesses was email, which is not surprising given the prevalence of payment redirection scams,” says Keogh.4  

James Fleming is Senior Manager Fraud Risk & Advisory at CommBank. He agrees that all organisations are vulnerable to business email compromise – and human error is often the weakest link. 

“All it takes is for one person's email to be compromised, and your business could end up paying someone a large sum of money,” Fleming says.

Anatomy of a business email scam

So why is business email compromise such a threat? Clever impersonation is the key. 

“It’s not always the business itself that is compromised,” says Fleming. “It can actually be Business B – Business A’s supplier or contractor.” 

This is how it can work:

Hackers break into a contractor or supplier’s email system (Business B) by securing a username and password. The hacker then uses Business B’s email account to send a fake invoice to Business A. 

In the email, the scammers claim Business B has recently changed its bank account, and provide ‘new’ banking details. Business A pays the invoice – and its funds go straight into the hacker’s account.

What makes the scam particularly convincing is that the email comes from a regular business contact’s real account – and the scammers often copy Business B’s branding and letterhead when they create the invoice.

Other tactics scammers use include persuading an employee, via an authoritative sounding email, to take a specific action – such as making a wire transfer or providing confidential information.

The result can be financially devastating, says Fleming.6

“If you're a reasonably large organisation you might be able to take that hit,” he says. “But if you’re a smaller or even medium-sized organisation, especially if cash flow is tight, that could really impact you.”

Financial institutions will attempt to recover stolen funds on a best endeavours basis. However, the funds can be difficult to recover because real-time payments move so quickly. 

“The funds may have been moved to other banks or moved offshore,” says Fleming. “They might have been withdrawn in cash or spent on cards. So it can be quite hard to get that money back.”

The best defence against email compromise

The latest figures show that while volumes are falling, scammers are pocketing larger monetary values. As such, businesses need to remain vigilant. The ACCC recommends organisations call their supplier or contractor on a secondary and known phone number – that is, not the number on the invoice – to confirm requests to change bank account details. They also suggest setting up a multi-person approval process before making large payments and setting up multifactor authentication (MFA), not just on your banking platform but on your email, too, to help prevent email compromise from the start.6
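The ACCC controls above (hold any payment whose bank details differ from the supplier record until a call-back to the number already on file clears it, and require two approvers for large payments) can be enforced in a payment workflow rather than left to memory. The following is an added illustration, not code from CommBank or the ACCC; the supplier record, the $10,000 threshold and the phone numbers are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Assumed policy limit for this illustration; a real value comes from the business's own payment policy.
LARGE_PAYMENT_THRESHOLD = 10_000

@dataclass
class SupplierRecord:            # what the business already holds on file
    bsb: str
    account: str
    known_phone: str             # verified contact number, never the one printed on an invoice

@dataclass
class Invoice:                   # what arrived by email (untrusted)
    supplier: str
    amount: float
    bsb: str
    account: str

@dataclass
class PaymentRequest:
    invoice: Invoice
    approvers: Set[str] = field(default_factory=set)
    callback_number: Optional[str] = None   # number staff actually dialled to confirm any change

def check_payment(req: PaymentRequest, suppliers: Dict[str, SupplierRecord]) -> Tuple[bool, List[str]]:
    """Return (release, holds). Any hold reason blocks the payment until it is cleared."""
    holds: List[str] = []
    inv = req.invoice
    rec = suppliers.get(inv.supplier)
    if rec is None:
        return False, ["unknown supplier: onboard and verify before paying"]
    if (inv.bsb, inv.account) != (rec.bsb, rec.account):
        # Bank details differ from record: the redirection pattern. Only a call-back
        # to the number already on file clears it; a number from the email does not.
        if req.callback_number is None:
            holds.append("bank details changed; no call-back recorded")
        elif req.callback_number != rec.known_phone:
            holds.append("call-back used a number that is not on file")
    if inv.amount >= LARGE_PAYMENT_THRESHOLD and len(req.approvers) < 2:
        holds.append("large payment needs two distinct approvers")
    return not holds, holds

# Constructed sample data, not from the article.
SUPPLIERS = {"Business B": SupplierRecord("062-000", "12345678", "+61 2 9999 0000")}

def demo() -> Tuple[bool, bool, bool]:
    changed = Invoice("Business B", 250_000, "062-999", "87654321")  # 'new' details from the email
    two = {"finance1", "finance2"}
    held, _ = check_payment(PaymentRequest(changed, two), SUPPLIERS)                      # no call-back
    wrong, _ = check_payment(PaymentRequest(changed, two, "+61 2 8888 1111"), SUPPLIERS)  # number from the invoice
    ok, _ = check_payment(PaymentRequest(changed, two, "+61 2 9999 0000"), SUPPLIERS)     # number on file
    return held, wrong, ok
```

Only the third request in demo() is released; the first two stay on hold, which is the point at which staff would phone the supplier on the recorded number.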

Large organisations with their own fraud and risk teams tend to have the most robust controls. These include integrated payment systems, call-backs and other inbuilt checks that prevent payments from proceeding until the details have been verified.

“A smaller mum and dad company might just log into their online banking and make a payment,” says Fleming. “So theoretically, the larger the organisation is, the more the risk should reduce. But that being said, we're all prone to human error. And it only takes one person to forget to follow the process – or just be negligent.”

In other words, the best defence against BECs is ensuring your team sticks to strong online banking, payment platform and multi-factor authentication (MFA) hygiene. Also, ensure that your IT security is up-to-date, run antivirus software and have a good firewall.

But you also need to maintain staff awareness.

“You can have all the technology in the world, but it won’t work unless your people understand the controls and follow the processes as they're meant to be followed,” says Fleming. 

What to do if you’ve been scammed

  1. Contact your bank immediately and stop the payment.
  2. Report the incident to the Australian Cyber Security Centre.
  3. Inform your supplier or provider (if they don’t know already) and advise them to change their account passwords.7

Our expert

James Fleming is the Senior Manager – Fraud & Risk Advisory at the Commonwealth Bank. In his five years with the bank, James has specialised in fraud, operational risk and delivery, including as the Digital Fraud Product Owner. Before joining CommBank, James spent five years at Macquarie Group, where he worked as a credit assurance and fraud analyst before being promoted to Team Leader – Credit Assurance/Fraud. James has a Bachelor of Business Administration and Commerce – Accounting from Macquarie University.

Want to know more?

CommBank is committed to protecting its business and customers from scams, fraud and other cyber attacks. For more ways to safeguard your information, search CommBank Safe. To learn more from leading industry experts about what’s important to business and the economy, visit CommBank Foresight™ – insights for future-facing businesses.

Things you should know

    1 Nicole Lindsey, Toyota Subsidiary Loses $37 Million Due to BEC Scam, CPO Magazine, 20 September 2019.

    2 Gatefy, 10 real and famous cases of BEC (Business Email Compromise), 28 June 2021.

    3 Dominic Powell, Perth car dealership loses $65,000 to invoice scam despite best security practices, Smart Company, 28 September 2018.

    4 ACCC, Payment redirection scams cost Australian businesses $128 million in 2020, 7 July 2022.

    5 Scamwatch, Scam Statistics, accessed 24 August 2022.

    6 ACCC, Business email compromise: our business lost $190 000 when our supplier's email was hacked, accessed 24 August 2022.

    7 Australian Cyber Security Centre, Protecting Against Business Email Compromise, accessed 24 August 2022.

    This article is intended to provide general information of an educational nature only. It does not have regard to the financial situation or needs of any reader and must not be relied upon as financial product advice. You should consider seeking independent financial advice before making any decision based on this information. The information in this article and any opinions, conclusions or recommendations are reasonably held or made, based on the information available at the time of its publication but no representation or warranty, either expressed or implied, is made or provided as to the accuracy, reliability or completeness of any statement made in this article. Commonwealth Bank of Australia ABN 48 123 123 124. AFSL and Australian Credit Licence 234945.