Types of scams

There are a number of techniques scammers employ to trick your staff with the aim of getting either your business’ information or money.

Defending against cyber criminals interested in hacking your systems is important. But what’s also key is defending your business against attempts to hack your people.

The reality is that tricking someone into clicking a link that downloads malicious software, or simply transferring money somewhere they shouldn’t is often cheap and easy. That’s why it’s vital to educate your staff on what common scams often look like so they can recognise them, report them and help save your business from potentially costly mistakes.


Business email compromise (BEC)

These scams target businesses of all sizes. Using emails made to look like they are from someone you know, such as your boss, your supplier or your customer, these scams will request payment be made to an account under the scammer’s control. There are two main examples of these kinds of scams that it’s important your staff are able to recognise.

  • Supplier email scams occur when a fraudulent request for payment looks like a legitimate expected invoice, or it could be a fake email requesting you update a supplier’s payment details for future payments.
  • Scammers can also masquerade as your colleagues, emailing a request to make an urgent or confidential payment, often in a way that’s different from your usual process.

Staying scam aware

It’s very important that your staff are wary of these kinds of scams, as they rely on people within the business being tricked into transferring money to accounts the business has never paid before. And because it is a staff member performing what appears to be a legitimate action, these incidents may not be covered by any cyber insurance or guarantees you have in place.

Prevention is the best outcome in these scenarios. Here’s what we recommend:

  1. Before you make a first-time payment for any amount you are not prepared to lose, call the person or organisation you are paying on a trusted number
  2. Ensure all of your accounts, especially your email accounts, have strong, unique passwords and are set up with second-factor authentication (e.g. SMS) where available. Don’t reuse a password you have used for any other service or website
  3. Set up a payments approval process for your business, preferably requiring multiple approvers, with no exceptions
  4. Encourage a culture where staff are comfortable to question a payment instruction even if it’s from a senior executive
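To show how the first three recommendations translate into a control a payments system can enforce, here is an added illustration (not CommBank’s code): a release gate that holds a payment until a first-time or changed payee has been confirmed on a trusted number and the required number of distinct approvers has signed off. Account numbers and approver names are constructed samples.

```python
"""Payment-release gate encoding the controls above: trusted-number callback
for first-time or changed payee details, and multiple distinct approvers with
no exceptions. All account numbers and names here are constructed samples."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class PaymentRequest:
    payee_account: str                   # destination account as entered by staff
    amount: float
    approvers: frozenset                 # distinct staff who approved the instruction
    callback_verified: bool = False      # payee confirmed on a trusted number
    changes_payee_details: bool = False  # request also updates a supplier's stored details


@dataclass
class PaymentGate:
    known_payees: set = field(default_factory=set)  # accounts paid successfully before
    required_approvers: int = 2
    # Amount above which an unverified new payee is refused. The guidance is
    # "any amount you are not prepared to lose", so 0.0 means every payment.
    callback_threshold: float = 0.0

    def evaluate(self, req: PaymentRequest) -> list:
        """Return the reasons to hold this payment; an empty list means release."""
        reasons = []
        new_destination = req.payee_account not in self.known_payees
        if ((new_destination or req.changes_payee_details)
                and req.amount > self.callback_threshold
                and not req.callback_verified):
            reasons.append("new or changed payee details not confirmed on a trusted number")
        if len(req.approvers) < self.required_approvers:
            reasons.append(f"{len(req.approvers)} approver(s); "
                           f"{self.required_approvers} required, no exceptions")
        return reasons

    def release(self, req: PaymentRequest):
        """Release only when every control passes, then remember the payee."""
        reasons = self.evaluate(req)
        if reasons:
            return False, reasons
        self.known_payees.add(req.payee_account)
        return True, []
```

A single approver, even a senior executive, or an unverified "we've changed banks" request leaves the payment on hold with the reason recorded for the person who has to question it.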

Payroll scams

One BEC variation that has recently become more prevalent is “payroll scams”. In these kinds of scams, cyber criminals target individuals within the HR, payroll or finance function of an organisation with the ultimate aim of getting employee salaries transferred to their accounts instead.

Often the victim will receive an email that has been doctored so it looks as though it comes from an executive or employee of their own company. The email will say they have recently changed banks and ask to modify the details of the direct deposit account for their salary. In some cases, the initial contact from scammers will simply ask for the process to change payment details or request clarification on the deadline for changes to be in effect for the next pay cycle.

In this case, the first contact will be all about obtaining information to craft a more targeted second touchpoint.

Again, prevention is best. Here’s what the Australian Cyber Security Centre recommends:

  1. If you are a payroll officer and receive a suspicious-looking email, stop and think before you click
  2. Do not reply to the email, click any links or provide any information. Look up the person’s email address and send them a new email questioning the request, or even better give them a call on a number you’ve obtained from a trusted source (not the suspicious email)
  3. Ensure all of your accounts, especially your email accounts, have strong, unique passwords and are set up with second-factor authentication (e.g. SMS) where available
  4. If you are an employee and receive a notification about a bank account change you have not authorised, contact payroll immediately
  5. Be alert to any unusual activity in your bank account


Staying safe

Not sure whether a message is legitimate?

If you haven't engaged with its contents, such as clicking a link or replying to it, report it to CommBank's 24/7 Cyber Security Centre by forwarding to hoax@cba.com.au, then delete the message.

If you're worried or you’ve noticed a suspicious transaction:

  • For NetBank customers please call us on 13 2221
  • For CommBiz customers please call us on 13 2339