Payment fraud conducted via email costs small and large Australian businesses hundreds of millions of dollars a year.

As the processing speed of transactions increases, the ability to freeze and recover misdirected payments is diminishing. That means we all need to be more vigilant.

How does email payment fraud work?

Email payment fraud involves scammers either impersonating a party in the transaction or directly compromising the business's email accounts.

Impersonation tactics

In the first scenario, scammers will most commonly imitate one of two parties: a supplier of the business or the CEO, director or another senior executive in the organisation.

Emails containing fraudulent payment information generally claim to be urgent and/or confidential, placing emphasis on ignoring standard payment procedures and bypassing authorisations. These emails may be accompanied by phone calls or physical mail to appear more legitimate.

Email scams have significantly evolved from plain-text emails masquerading as the CEO that were riddled with spelling mistakes and easily identifiable. Today, emails will often purport to be from a legitimate supplier, using key features of branding and knowledge of the target’s processes. The most successful scam emails look exactly like expected invoices or payment requests.

A common way this is achieved is by 'spoofing' an email address, which is where the attacker will either use an email domain that is very similar to the legitimate sender, or modify the 'from' field so that the payment request appears to be originating from a trusted source.
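The two spoofing tactics just described, a lookalike domain and a modified 'from' field, can be flagged before a payment request is actioned. The following is an added example written for this article, not code from CommBank; the trusted supplier domains are constructed placeholders.

```python
import unicodedata
from email.utils import parseaddr

# Constructed placeholder list: the supplier domains this business actually pays.
TRUSTED_DOMAINS = ("acme-supplies.com.au", "northwind.example")

# Character swaps that make one domain read like another on screen.
LOOKALIKE_SWAPS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def normalise(domain: str) -> str:
    """Fold accents and common visual substitutions so lookalikes compare equal."""
    folded = unicodedata.normalize("NFKD", domain.lower()).encode("ascii", "ignore").decode()
    for fake, real in LOOKALIKE_SWAPS:
        folded = folded.replace(fake, real)
    return folded


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value between distinct domains is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str) -> tuple:
    """Return (verdict, matched_trusted_domain) for the value of a From: header."""
    display_name, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    if domain in TRUSTED_DOMAINS:
        return ("trusted", domain)
    for trusted in TRUSTED_DOMAINS:
        # The display name claims a trusted address while the real sender is elsewhere.
        if trusted in display_name.lower():
            return ("display-name-spoof", trusted)
        # The domain differs only by visual substitutions or a couple of characters.
        if normalise(domain) == normalise(trusted) or edit_distance(domain, trusted) <= 2:
            return ("lookalike-domain", trusted)
    return ("unknown", "")
```

A verdict other than "trusted" is a reason to verify the request by calling the supplier on a number already on file, not one taken from the email.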

Email compromise

Business email compromise involves scammers hacking into an email account or third-party accounting software to authorise a transaction. This compromise is becoming increasingly prevalent as businesses transition to cloud-based services, since compromise is simply a stolen username and password away.

The initial compromise can be achieved through two main methods:

  • Credential phishing is when a member of staff has been tricked into entering their username and password into a fake login page. Those details are then stolen and used to log on to the system instead of the legitimate employee.
  • Credential stuffing is when attackers use credentials stolen in previous breaches of other online service providers, relying on the fact that people generally re-use the same password across services.

Once access has been gained, the inbox is searched for evidence of invoices or large payment requests. The attacker then intercepts these payment requests, alters the beneficiary details and forwards them to the intended recipient. Alternatively, the attacker can request a new payment using an existing supplier invoice as a template.

So, what can you do to protect your business?

All staff, business partners and processes need to assume that any email can be forged in some way. You can mitigate the risk of email payment fraud by focusing on three key areas:

  1. People are key to defending against payment fraud. The most targeted individuals in an organisation are the CFO and the payments team, but the whole organisation needs to play an active role. Ensure your staff are trained to question and escalate payment requests that look suspicious or unusual.
  2. Processes can also be used to mitigate the risk by setting up multiple authorities for payments and adopting strict separation of duties. CommBiz customers have the option to implement segregation of duties by creating separate roles for entering and approving payments. Additionally, large payments or changes to beneficiaries should be required to be verified by calling a trusted number.
  3. With respect to technology, it’s a good idea to implement technology controls gradually so that legitimate emails are not blocked due to misconfigurations.

Contact your IT provider to determine if they can implement email authentication standards that counter spoofing, such as Sender Policy Framework (SPF) and Domain-based Message Authentication, Reporting & Conformance (DMARC).
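The gradual rollout recommended above can be checked against the records themselves. This added example, not code from CommBank or any provider, parses constructed SPF and DMARC TXT records for a fictional domain and reports the settings that would still let spoofed mail through.

```python
from typing import Optional

# Constructed records for a fictional domain; the DMARC list is a staged rollout.
SPF_WEAK = "v=spf1 a mx +all"
SPF_GOOD = "v=spf1 include:_spf.mail.example ip4:203.0.113.0/24 -all"
DMARC_ROLLOUT = [
    "v=DMARC1; p=none; rua=mailto:dmarc@example.com.au",                # monitor only
    "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com.au",  # partial enforcement
    "v=DMARC1; p=reject; rua=mailto:dmarc@example.com.au",              # full enforcement
]


def parse_spf(txt: str) -> dict:
    """Split an SPF TXT record into its mechanisms and the qualifier on the 'all' term."""
    parts = txt.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    all_term = next((m for m in parts[1:] if m.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        qualifier = None          # no 'all' term: unlisted senders are treated as Neutral
    elif all_term[0] in "+-~?":
        qualifier = all_term[0]
    else:
        qualifier = "+"           # a bare 'all' means Pass for every sender
    return {"mechanisms": parts[1:], "all": qualifier}


def parse_dmarc(txt: str) -> dict:
    """Turn 'v=DMARC1; p=reject; rua=...' into a lower-cased tag dictionary."""
    tags = {}
    for item in txt.split(";"):
        key, _, value = item.partition("=")
        if key.strip():
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def assess(spf_txt: str, dmarc_txt: Optional[str]) -> list:
    """Return the gaps in a domain's anti-spoofing records, in plain language."""
    findings = []
    if parse_spf(spf_txt)["all"] in ("+", "?", None):
        findings.append("SPF never fails unauthorised senders: end the record with -all or ~all")
    if dmarc_txt is None:
        findings.append("no DMARC record: receivers get no policy for mail that fails SPF")
        return findings
    dmarc = parse_dmarc(dmarc_txt)
    policy = dmarc.get("p", "none").lower()
    if policy == "none":
        findings.append("DMARC p=none only monitors; move to quarantine once reports are clean")
    elif dmarc.get("pct", "100") != "100":
        findings.append("DMARC enforced on only " + dmarc["pct"] + "% of mail (staged rollout)")
    if "rua" not in dmarc:
        findings.append("no rua= address: aggregate reports are not being collected")
    return findings
```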

Remote access to critical services should require multifactor authentication (MFA) – using something people know, have and/or are.

Finally, use Access Control Lists that restrict access to an account under certain conditions, for example a trusted IP range.

What to do if something goes wrong

The quicker you respond, the more likely that your funds can be recovered. For CommBiz customers, if you suspect you've made a payment in error:

  1. Call CommBiz helpdesk immediately on 13 2339
  2. Contact your account manager, and
  3. Contact law enforcement

Things you should know

This article is intended to provide general information of an educational nature only. It does not have regard to the financial situation or needs of any reader and must not be relied upon as financial product advice. As this information has been prepared without considering your objectives, financial situation or needs, you should, before acting on it, consider its appropriateness to your circumstances.