You might have already spent a lot of money and time securing your network and digital systems, but the reality is that hacking your people is often cheaper and easier. Tricking someone into clicking a link that downloads malicious software, or simply into transferring money somewhere they shouldn’t, is a low-tech, low-touch option for criminals.
We asked our own cyber security experts what types of scams are most prevalent right now. This is their list.
Business email compromise (BEC)
Scammers use emails made to look like they are from someone you know, such as your boss, your supplier or your customer. They masquerade as your colleagues or superiors, emailing a request to ignore normal processes and make an urgent or confidential payment. They may also make fraudulent requests for payment or account details that look like a legitimate, expected invoice.
Payment processing scams
Another type of scam targets your merchant EFTPOS terminals and payment processing portals. Scammers will contact you out of the blue, via phone or email, eager to do business with you. They may provide you with card numbers to process transactions and then ask you to send the money on to them. In many cases, the scammer will be interstate or overseas, and their requests will often seem unusual when compared to your normal transactions.
Refund scams
Refund scams involve buyers purchasing items and then requesting a refund, or claiming they have accidentally overpaid you. The ‘buyer’ will have used stolen card details to make the initial payment and then requests that the refund be processed to a bank account or a different card that the scammer controls. If the original transaction was made on a fraudulent card, you are likely to receive a chargeback and be required to refund the initial transaction as well. You will also be out of pocket for the money you refunded to the scammer.
Online card fraud
This occurs when a buyer places orders for your goods with stolen card details. Under certain circumstances, for example if you do not have 3D Secure enabled, you may be required to refund any fraudulent transactions in full.
Payroll scams
A variation of BEC, “payroll scams” target individuals within the HR, payroll or finance function of an organisation with the ultimate aim of having employee salaries transferred to accounts the scammer controls instead.
The victim will receive an email that looks as though it came from an executive or employee of their own company. It will say they have recently changed banks and ask to modify the details of the direct deposit account for their salary. In some cases, the initial contact from scammers will simply ask for the process to change payment details or request clarification on the deadline for changes to be in effect for the next pay cycle. This first contact will be all about obtaining information to craft a more targeted second engagement.
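The BEC and payroll-scam messages described above share a few header-level tells that a mail gateway or SOC rule can catch before a person has to judge the request: a familiar display name on an address outside the organisation, a sender domain that is one character off the real one, and a Reply-To that quietly redirects the conversation elsewhere. The following is an added example, not code from CBA or this article; `OWN_DOMAIN`, `INTERNAL_NAMES`, the keyword list and the two sample messages are all constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from difflib import SequenceMatcher

# Assumptions for the example: the organisation's real domain, the display
# names of staff whose requests carry weight, and phrases that commonly
# appear in payment-change or pressure emails.
OWN_DOMAIN = "example.com"
INTERNAL_NAMES = {"Dana Lee"}
PAYMENT_KEYWORDS = ("bank details", "direct deposit", "urgent payment", "confidential")


def domain_of(address):
    """Lower-cased domain part of an email address, or '' if malformed."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def is_lookalike(domain, trusted):
    """True when a domain closely resembles a trusted one without being it."""
    if not domain or domain == trusted:
        return False
    return SequenceMatcher(None, domain, trusted).ratio() >= 0.85


def bec_findings(raw_email):
    """Return the reasons an inbound message looks like business email compromise."""
    msg = message_from_string(raw_email)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)
    findings = []
    if from_dom != OWN_DOMAIN and from_name in INTERNAL_NAMES:
        findings.append("internal display name on an external sender")
    if is_lookalike(from_dom, OWN_DOMAIN):
        findings.append("sender domain is a lookalike of our domain")
    if reply_dom and reply_dom != from_dom:
        findings.append("Reply-To domain differs from sender domain")
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    if any(keyword in text for keyword in PAYMENT_KEYWORDS):
        findings.append("payment-change or urgency language")
    return findings


# Constructed sample messages, not real mail.
PAYROLL_SCAM = "\n".join([
    'From: "Dana Lee" <dana.lee@examp1e.com>',
    "Reply-To: <dana.lee.personal@webmail.example.net>",
    "Subject: Urgent - salary account change",
    "",
    "I recently changed banks. Please update my direct deposit details",
    "before this pay run and keep this confidential.",
])

LEGITIMATE = "\n".join([
    'From: "Dana Lee" <dana.lee@example.com>',
    "Subject: Team lunch",
    "",
    "Are we still on for Thursday?",
])

if __name__ == "__main__":
    for label, mail in (("payroll scam", PAYROLL_SCAM), ("legitimate", LEGITIMATE)):
        print(label, "->", bec_findings(mail) or ["no findings"])
```

None of these findings proves fraud on its own; the point is that a message carrying several of them should be routed to the out-of-band check the tips below describe (call the person on a number you already hold) before any account detail is changed.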
Case Study: A typical refund scam
A CBA customer who ran a non-profit organisation recently received a donation of $15,000 paid via credit card. Shortly afterwards they were contacted by the donor, who apologised and explained that they had actually only intended to donate $1,500. This was still a considerable donation which the non-profit was happy to receive, so they agreed to refund the difference of $13,500 to the donor. The donor requested that the refund be made to their bank account instead of the credit card. After the business had processed this refund, they were advised that the original transaction was on a fraudulent card and the business was required to refund the full $15,000 through the chargeback process.
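The refund scam described earlier and this case study both turn on one decision: where the refund is sent. A merchant-side rule that refunds only ever go back to the instrument that was charged, and never for more than was charged, removes the scammer's payoff regardless of how convincing the story is. The code below is an added example, not CBA's or the non-profit's own system; the payment id, card token and bank account are placeholders, and the amounts are the case study's figures in cents.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Payment:
    """A settled card payment as recorded by the merchant."""
    payment_id: str
    amount_cents: int        # amount originally charged
    instrument: str          # token for the card the charge was made on
    refunded_cents: int = 0  # total already refunded against this payment


@dataclass(frozen=True)
class RefundRequest:
    """What the requester asked for, however it arrived (email, phone, portal)."""
    payment_id: str
    amount_cents: int
    channel: str             # "card" = back to the original card; anything else is off-rail
    destination: str         # card token or bank account the requester nominated


def review_refund(payment, request):
    """Return (approved, reasons). Any listed reason blocks the refund."""
    reasons = []
    if request.payment_id != payment.payment_id:
        reasons.append("request does not reference a known payment")
    # The core control: money only travels back along the rail it arrived on.
    if request.channel != "card" or request.destination != payment.instrument:
        reasons.append("refund must go back to the original payment instrument")
    refundable = payment.amount_cents - payment.refunded_cents
    if request.amount_cents <= 0 or request.amount_cents > refundable:
        reasons.append("amount exceeds the refundable balance")
    return (not reasons, reasons)


# Constructed inputs mirroring the case study; ids and account are placeholders.
DONATION = Payment("pay_PLACEHOLDER", 1_500_000, "tok_card_PLACEHOLDER")
TO_BANK = RefundRequest("pay_PLACEHOLDER", 1_350_000, "bank_transfer", "BSB 000-000 acct 00000000")
TO_CARD = RefundRequest("pay_PLACEHOLDER", 1_350_000, "card", "tok_card_PLACEHOLDER")
TOO_MUCH = RefundRequest("pay_PLACEHOLDER", 1_600_000, "card", "tok_card_PLACEHOLDER")

if __name__ == "__main__":
    for name, req in (("to bank", TO_BANK), ("to card", TO_CARD), ("too much", TOO_MUCH)):
        approved, why = review_refund(DONATION, req)
        print(name, "->", "approved" if approved else "; ".join(why))
```

With this rule in place the $13,500 request to a bank account is refused, while the same amount back to the original card is approved: if that card later turns out to be stolen, the chargeback reverses a charge whose partial refund already sits on the same card, instead of compounding it with a bank transfer the business cannot recover.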
5 tips to protect yourself against scams
- Get a second opinion: Speak to your friends and family before investing in a new opportunity or sending money to someone you met online.
- Be a sceptic: If an opportunity sounds too good to be true, it probably is.
- Say no to remote access: Don’t let anyone access your computer remotely if you have been contacted unexpectedly.
- Know who you’re dealing with: If someone calls you claiming to be from the government or another organisation, call them back on a number you can verify to ensure they are who they claim to be.
- Think twice: Genuine companies or government organisations will never ask you to make payment with gift cards or cryptocurrency, or to provide online passwords or PINs by email or text.