The most common types of email payment fraud

Business email scams can be highly sophisticated and targeted, with messaging tailored to maximise success by imitating a supplier or trusted figure in the organisation.

Sophisticated criminals will seek to tailor their message to the target, most commonly imitating either a supplier known to the business, or a trusted figure in the organisation (such as the CEO, a senior manager or another executive).

Supplier payment scams appear to come from a legitimate supplier, using branding and details gathered through research to make the communication more believable. Often the scam starts with a fake invoice inserted into an existing email thread with that supplier, or with a request to change the supplier’s bank account details so that future payments go to the scammer.

Scams from ‘senior executives’ will contain a fraudulent payment request, generally claiming to be ‘urgent’ and/or ‘confidential’. The scammer will place emphasis on ignoring standard payment procedures and bypassing the regular authorisations. These emails may be accompanied by phone calls or physical mail to appear more legitimate or urgent.

How do email payment scams/compromise work?

Email payment scams involve scammers using technology to impersonate a party in the transaction, or directly compromising the business’ email accounts.

Impersonation tactics

A common way this is achieved is by ‘spoofing’ an email address. The email protocol itself (SMTP) does not verify the ‘from’ address: unless the sending domain publishes anti-spoofing records (SPF, DKIM and DMARC) and the receiving mail system checks them, an attacker can put any address in the ‘from’ field, so the payment request appears to originate from a trusted source.

Another impersonation technique, a ‘homoglyph attack’, is where an attacker uses an email domain that is very similar to the legitimate sender’s, differing only by a few similar-looking characters (e.g. instead of

Some of these attacks are difficult to detect and may not automatically be flagged as suspicious by email providers or filters, so these highly effective scams often end up in the inboxes of unsuspecting victims.
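As an added illustration (example code written for this page, not part of the original article and not a CommBank tool), the check below does what a mail filter or a finance team’s inbox rule can do with the sender of an incoming payment request: it compares the sender’s domain against a list of known supplier domains after collapsing characters that look alike, so that a homoglyph domain, a one-character typo-squat, or a trusted name buried inside a longer domain is flagged rather than trusted. It also catches the related trick of putting a trusted address in the display name while the real address is something else. The trusted domains, sample addresses and the confusables table are constructed for the example; a production version would use the full Unicode confusables list (UTS #39) and the public suffix list.

```python
import unicodedata
from email.utils import parseaddr

# Constructed list of domains the business legitimately pays (example data only).
TRUSTED_DOMAINS = ["supplier.example", "acme-widgets.example"]

# Characters that render almost identically to Latin letters: a small subset of
# Unicode's confusables list (Cyrillic and Greek lookalikes, plus digits).
CONFUSABLE_CHARS = {
    "а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "у": "y",
    "і": "i", "ј": "j", "ѕ": "s",                                 # Cyrillic
    "α": "a", "ο": "o", "ν": "v",                                 # Greek
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",   # digits
}
# Multi-letter tricks that rely on kerning: 'rn' reads as 'm', 'vv' as 'w'.
CONFUSABLE_DIGRAPHS = {"rn": "m", "vv": "w", "cl": "d"}


def skeleton(domain: str) -> str:
    """Collapse a domain to a canonical form in which lookalikes compare equal."""
    try:
        # Internationalised domains arrive as punycode ('xn--...'); decode them
        # so the lookalike characters are visible to the mapping below.
        domain = domain.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode, or not valid punycode: keep it as given
    # NFKD splits accented letters into base letter + combining mark; drop the marks.
    decomposed = unicodedata.normalize("NFKD", domain.lower())
    stripped = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    mapped = "".join(CONFUSABLE_CHARS.get(ch, ch) for ch in stripped)
    for digraph, letter in CONFUSABLE_DIGRAPHS.items():
        mapped = mapped.replace(digraph, letter)
    # Hyphens are cheap to insert or drop ('acme-widgets' vs 'acmewidgets').
    return mapped.replace("-", "")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the domain of an address."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in trusted:
        return "trusted"
    sender_sk = skeleton(domain)
    for t in trusted:
        trusted_sk = skeleton(t)
        if sender_sk == trusted_sk or edit_distance(sender_sk, trusted_sk) <= 1:
            return "lookalike"  # homoglyph swap or one-character typo-squat
        if trusted_sk.replace(".", "") in sender_sk.replace(".", ""):
            return "lookalike"  # trusted name embedded, e.g. supplier.example.attacker.example
    return "unknown"


def check_from_header(header: str, trusted=TRUSTED_DOMAINS) -> dict:
    """Inspect a From: header value; the display name is attacker-controlled text."""
    display_name, address = parseaddr(header)
    verdict = classify_sender(address, trusted)
    # A display name that is itself a trusted-looking address is a classic trick:
    # many mail clients show only the name and hide the real address.
    name_verdict = classify_sender(display_name, trusted) if "@" in display_name else None
    return {
        "address": address,
        "verdict": verdict,
        "display_name_imitates_trusted": name_verdict in ("trusted", "lookalike"),
    }


if __name__ == "__main__":
    # Constructed sample From: headers, from harmless to the tricks described above.
    samples = [
        "Accounts <accounts@supplier.example>",
        "Accounts <accounts@supp1ier.example>",           # digit 1 for letter l
        "Accounts <accounts@acrne-widgets.example>",      # 'rn' for 'm'
        '"accounts@supplier.example" <attacker@free-mail.example>',
    ]
    for sample in samples:
        print(f"{sample!r:60} -> {check_from_header(sample)}")
```

The verdicts are only as good as the trusted list, so keep it to the domains you actually pay, and treat ‘lookalike’ as a reason to pick up the phone rather than as proof of fraud.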

Email compromise

Business email compromise involves obtaining unauthorised access to an email account in order to intercept and redirect payment requests, or to use that account to generate new requests for payment.

The initial compromise can be achieved through two main methods:

  • Credential phishing is when a member of staff has been tricked into entering their username and password into a fake login page. Those details are then stolen and used to log on to the system instead of the legitimate employee.
  • Credential stuffing is when attackers use credentials stolen in previous breaches of other online service providers, relying on the fact that many people re-use the same password across services.

Once they have access, attackers may wait some time for the right opportunity to maximise their chance of payout.

So, what can you do to protect your business?

You can help mitigate the risk of email payment fraud by focusing on three key areas:

  1. People are an important line of defence when it comes to business email attacks. Ensure your staff are encouraged to question and escalate payment requests that look suspicious or unusual. Ensure staff have a high level of basic cyber security hygiene, such as strong passwords and awareness of phishing scams.
  2. Processes play an important role in helping reduce the impact of payment scams. Check the beneficiary details of any large payment, and any change to a supplier’s account details, by calling the supplier on a number you already hold or have verified independently, never one taken from the email in question. No single person should be responsible for making payments, so adopt strict separation of duties, using multiple authorities to make and approve payments or changes to beneficiary details. CommBiz customers can implement segregation of duties by creating separate roles for entering and approving payments.
  3. On technology, make sure online accounts are protected with strong, unique passphrases and switch on multifactor authentication (MFA) wherever it’s available.
    Contact your IT provider to ask about implementing anti-spoofing protections on your email, namely SPF, DKIM and DMARC, which let receiving mail systems check that a message claiming to come from your domain was actually sent by it.
    Promptly installing software updates, enabling software auto-updates and installing a reputable antivirus program can also help reduce the impact of malicious software designed to tamper with online banking payments.
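To make ‘anti-spoofing protections’ concrete, here is an added example in Python (written for this page; not part of the original article and not a CommBank tool): a checker that reads the SPF and DMARC records a domain publishes in DNS and reports whether they actually stop spoofing. Two weak settings are common: a DMARC policy of p=none, which only monitors and still lets spoofed mail through, and an SPF record ending in +all, which authorises every host on the internet to send as you. The records below are constructed samples; a real check would look up the TXT records for your own domain and for _dmarc.<your domain>.

```python
# Constructed sample records: a weak and a corrected version of each.
WEAK_SPF = "v=spf1 include:_spf.mailhost.example +all"
STRONG_SPF = "v=spf1 include:_spf.mailhost.example ip4:203.0.113.10 -all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = ("v=DMARC1; p=reject; pct=100; "
                "rua=mailto:dmarc-reports@yourbusiness.example; adkim=s; aspf=s")


def parse_tags(record: str) -> dict:
    """Split a DMARC-style 'tag=value; tag=value' record into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> dict:
    """Judge whether a DMARC record enforces anything, and list its weaknesses."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return {"valid": False, "enforcing": False, "issues": ["not a DMARC record"]}
    policy = tags.get("p", "").lower()
    issues = []
    try:
        pct = int(tags.get("pct", "100"))  # RFC 7489 default: apply the policy to all mail
    except ValueError:
        pct = 0
        issues.append("pct= is not a number")
    if policy not in ("none", "quarantine", "reject"):
        issues.append("p= is missing or invalid")
    elif policy == "none":
        issues.append("p=none only monitors: spoofed mail is still delivered")
    if pct < 100:
        issues.append(f"pct={pct}: only {pct}% of failing mail gets the policy applied")
    if "rua" not in tags:
        issues.append("no rua= address, so you receive no aggregate reports")
    enforcing = policy in ("quarantine", "reject") and pct == 100
    return {"valid": True, "policy": policy, "pct": pct, "enforcing": enforcing, "issues": issues}


def assess_spf(record: str) -> dict:
    """Judge whether an SPF record actually restricts who may send as the domain."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "enforcing": False, "issues": ["not an SPF record"]}
    issues = []
    all_term = next((t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        qualifier = None
        issues.append("no 'all' mechanism: unlisted senders get a neutral result")
    else:
        qualifier = all_term[0] if all_term[0] in "+-~?" else "+"  # '+' is the default
        if qualifier == "+":
            issues.append("'+all' authorises every host on the internet to send as you")
        elif qualifier == "?":
            issues.append("'?all' is neutral and gives receivers no signal")
    # RFC 7208 allows at most 10 DNS-lookup terms; beyond that SPF returns
    # permerror and the protection silently fails.
    lookup_mechs = ("include", "a", "mx", "ptr", "exists", "redirect")
    lookups = 0
    for t in terms[1:]:
        name = t.lstrip("+-~?").lower().split(":", 1)[0].split("=", 1)[0].split("/", 1)[0]
        if name in lookup_mechs:
            lookups += 1
    if lookups > 10:
        issues.append(f"{lookups} DNS-lookup terms exceed the limit of 10; SPF will permerror")
    enforcing = qualifier in ("-", "~")
    return {"valid": True, "all": qualifier, "lookups": lookups, "enforcing": enforcing, "issues": issues}


if __name__ == "__main__":
    for label, record in [("weak SPF", WEAK_SPF), ("strong SPF", STRONG_SPF)]:
        print(f"{label}: {assess_spf(record)}")
    for label, record in [("weak DMARC", WEAK_DMARC), ("strong DMARC", STRONG_DMARC)]:
        print(f"{label}: {assess_dmarc(record)}")
```

DKIM is the third piece and is not checked here: its DNS record only publishes a public key, and whether it helps depends on your mail system actually signing outgoing mail with it. A sensible rollout is p=none with rua= reporting first, so you can see which legitimate services send on your behalf, then quarantine, then reject once the reports are clean.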

What to do if something goes wrong

If you think you may be the victim of a business email payment scam, it’s important to get help as soon as possible:

  1. Call CommBiz on 13 2339 or NetBank on 13 2221 immediately
  2. Contact your relationship manager, if applicable, and
  3. Contact law enforcement.

Find out more about keeping your business safe

CommBank Secure for Business

Things you should know

This article is intended to provide general information of an educational nature only. It does not have regard to the financial situation or needs of any reader and must not be relied upon as financial product advice. As this information has been prepared without considering your objectives, financial situation or needs, you should, before acting on it, consider its appropriateness to your circumstances.