Do you know how to recognise an email scam? Learn more on Business Email Compromise Scams

Email payment scams involve scammers using technology to impersonate a party in the transaction, or directly compromising business email accounts.

Types of scams

  • There are a number of techniques scammers use to trick staff into divulging either your business’ information or money.

    Defending against cyber criminals looking to hack your systems is important. But what’s also key is defending your business against attempts to hack your people.

    The reality is that tricking someone into clicking a link that downloads malicious software, or simply transferring money somewhere they shouldn’t, is often cheap and easy. That’s why it’s vital to educate your staff on what common scams look like so they can recognise them, report them and help safeguard your business from potentially costly mistakes.

    Read about our free eLearning modules available to use in your business

Business email compromise (BEC)

These scams target businesses of all sizes. Using emails made to look like they are from someone you know, such as your boss, your supplier or your customer, these scams will request payment be made to an account under the scammer’s control. There are two main examples of these kinds of scams staff need to be able to recognise.

  • Supplier email scams occur when a fraudulent request for payment looks like a legitimate expected invoice, or it could be a fake email requesting you update a supplier’s payment details for future payments. Check whether the email address or the body of the email contains misspellings of names.
  • Scammers can also masquerade as your colleagues, emailing a request to make an urgent or confidential payment, often in a way that differs from your usual process.
  • Scammers can attempt to impersonate a legal representative of the business and request sensitive information in relation to an urgent matter (such as a large business transaction or settlement).
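The checks in the list above (a known supplier writing from a slightly misspelled address, a reply address that differs from the visible sender, and wording that pushes for an urgent change of bank details) can be turned into a simple triage step for incoming invoice and payment-change emails. The example below is added here and is not code from the CommBank page; the supplier directory, the two messages and the phrase list are constructed for illustration, and a real mailbox rule would use your own supplier records.

```python
"""Added example: triage an inbound payment-related email for common BEC signs.

Everything below (supplier list, messages, phrase list) is constructed for
illustration and is not part of the original page.
"""
import email
from email import policy
from email.utils import parseaddr

# Constructed directory of suppliers you actually pay: display name -> domain.
KNOWN_SUPPLIERS = {
    "acme supplies": "acme-supplies.example",
    "northwind traders": "northwind.example",
}

# Wording that commonly accompanies payment-redirection requests (constructed list).
PRESSURE_PHRASES = ("urgent", "confidential", "new bank", "updated account",
                    "change our bank details")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (acme vs acrne)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(raw: str) -> list[str]:
    """Return warning strings for one RFC 5322 message; an empty list means nothing flagged."""
    msg = email.message_from_string(raw, policy=policy.default)
    warnings = []
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()

    # 1. The sender claims to be a supplier we know, but mails from a different domain.
    expected = KNOWN_SUPPLIERS.get(display.strip().lower())
    if expected and domain != expected:
        if edit_distance(domain, expected) <= 2:
            warnings.append(f"lookalike domain {domain!r} (expected {expected!r})")
        else:
            warnings.append(f"unexpected domain {domain!r} for known supplier {display!r}")

    # 2. Replies would go somewhere other than the visible sender address.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        warnings.append(f"Reply-To {reply_to!r} differs from From {addr!r}")

    # 3. Language typical of urgent payment-detail changes.
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    hits = [p for p in PRESSURE_PHRASES if p in text]
    if hits:
        warnings.append("payment-change/pressure wording: " + ", ".join(hits))
    return warnings


# Constructed sample messages: a normal invoice and a lookalike-domain redirection attempt.
LEGIT_EMAIL = """\
From: Acme Supplies <accounts@acme-supplies.example>
To: ap@yourbusiness.example
Subject: Invoice 1041
Content-Type: text/plain; charset="utf-8"

Hi, attached is invoice 1041 for last month's order. Thanks.
"""

SUSPICIOUS_EMAIL = """\
From: Acme Supplies <accounts@acrne-supplies.example>
Reply-To: acme.accounts@freemail.example
To: ap@yourbusiness.example
Subject: Invoice 1042
Content-Type: text/plain; charset="utf-8"

Please note our bank details have changed. This is urgent and confidential;
pay to the new bank account below.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_EMAIL), ("suspicious", SUSPICIOUS_EMAIL)):
        print(label, "->", triage(raw) or "no flags")
```

A flagged message is not proof of fraud; it is the cue to do what the page recommends, which is to call the supplier on a number you already hold rather than one in the email.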

Staying scam aware

  • It’s vital your staff are wary of these kinds of scams as they rely on people within the business being tricked into transferring money outside of the business to accounts they have never transferred to before. Because it is a staff member performing a legitimate action, however, these kinds of incidents may not be covered by any cyber insurance or guarantees you have in place.

    Prevention is the best outcome in these scenarios. Here’s what we recommend:

    1. Before you make a first-time payment for any amount you are not prepared to lose, call the person or organisation you are paying on a trusted number
    2. Ensure all of your accounts, especially your email accounts, have strong, unique passwords and are set up with second-factor authentication (e.g. SMS) where available. Don’t use the same password you have used for any other service/website
    3. Set up a payments approval process for your business, preferably requiring multiple approvers, with no exceptions
    4. Encourage a culture where staff are comfortable questioning a payment instruction even if it’s from a senior executive

Payroll scams

  • One BEC variation that has recently become prevalent is “payroll scams”. In these kinds of scams, cyber criminals impersonate employees in an attempt to trick staff into redirecting funds to the scammer. Staff working in HR, payroll or finance are most at risk. The emails they receive might look official, or even appear to come from a legitimate employee email address. They might ask for an urgent update of bank account details so that pay is redirected to an account the scammer controls.

    In other cases, the first email will seem harmless, simply asking what the process for updating payment details is. The idea is to later make contact with a more targeted follow-up.

    Educating staff on how to spot these fraudulent emails helps protect your business from compromise and financial loss. Here’s how to keep your employees safe from potential payroll scams, as recommended by the Australian Cyber Security Centre.

    1. If an email appears suspicious, don’t reply or click on any links. Instead, look up the person’s email address and create a new email to verify the request being made. If your company’s database lists phone numbers, give them a call to quickly check the email’s validity
    2. Always use a strong, unique password for your email account and set up two-factor authentication on it. If you receive a notification about a bank account update you didn’t authorise, contact payroll immediately
    3. Frequently check your bank accounts for any unusual activity

Staying safe

  • Not sure whether a message is legitimate?

    If you haven't engaged with its contents, such as clicking a link or replying to it, report it to CommBank's 24/7 Cyber Security Centre by forwarding it to, then delete the message.

    If you're worried or you’ve noticed a suspicious transaction:

    • For NetBank customers please call us on 13 2221
    • For CommBiz customers please call us on 13 2339