Imagine sitting at your desk, frantically working towards a tight deadline, when you suddenly get an email. It’s your company’s CEO. There’s an urgent problem she needs you to address now, which involves making an immediate payment to a supplier. You’d be doing her a huge favour if you addressed this immediately, so you get right to it.
Now imagine that instead of a pat on the back from your boss, you find yourself in hot water, because it turns out this email came from a cybercriminal, and they’ve just successfully redirected a sizeable sum of your company’s funds into their private stash.
This is a nightmare-turned-reality for an increasing number of companies. In fact, business email compromise is one of the costliest cybercrimes for Australian businesses. The most recent ACCC Targeting Scams Report shows a 73% increase in losses reported to Scamwatch between 2021 and 2022, with the highest number of reports coming from small to medium-sized businesses. That same report noted a combined $224 million in losses for Australian businesses in 2022 reported across multiple government agencies, so we’re talking about a pretty serious threat to our economy.
While these hackers usually target businesses, they can still dupe the average person, and with most Australians using email regularly in everyday life, it’s important to know the signs of these types of scams.
We’re going to talk about ways to spot email compromise scams, explore some common examples, and arm you with the tools you need to keep your inbox clear of scams.
What are email compromise scams?
An email compromise scam is where a cybercriminal impersonates a person working for a company (usually an executive, someone from accounts or a third party such as a supplier) to convince their target to send money to the criminal instead of the intended recipient. These scams are simple by design, but the impacts can be financially devastating.
These cybercriminals do their research and can often access the names and basic personal details of people in any organisation either through social media, job sites or the company’s website.
And while targeting larger companies can mean big business for cybercriminals, it’s small and medium-sized businesses that are most at risk. In 2022, Scamwatch received the most reports from businesses with 4 or fewer employees, followed by companies with between 5 and 19.
4 common examples of email compromise scams
These scams can play out in several ways, but the below are some common scenarios you might encounter:
1. Impersonating the CEO
You receive an urgent email from a company executive asking for your help to transfer money or authorise a transfer immediately, without getting verification from anyone else.
2. Intercepted invoice
Cybercriminals may also intercept invoices and modify the account details to their own. An example might be when a scammer has compromised the email of the builder a client has hired. The scammer then uses the builder's account, intercepts and modifies an invoice with new payment details and sends the invoice to the customer pretending to be the builder. If the customer pays, the scammer has just redirected the payment straight into their own pocket.
3. Change of payment details
You receive an email out of the blue from a third party that you do regular business with, asking you to direct all payments to a new bank account.
4. Home deposit redirect
While most of these scams operate within the business realm, they can affect everyday Australians too. For example, you’ve just purchased a house and it’s time to transfer your deposit to the real estate firm. You’re about to head to the bank, when you receive an email from the realtor who provides the ‘correct’ banking details. You make the payment, but your deposit goes straight into the hands of a cybercriminal.
How to spot an email compromise scam
- Unexpected contact or requests: Be wary if you don’t usually have email contact with your company’s CEO but they reach out with a personal request, or if a supplier suddenly emails you with an urgent update to their banking details.
- Modified payment details on an invoice: Be suspicious if you receive an invoice with different payment details to previous invoices from that client or supplier.
- Dodgy domains: A cybercriminal will often pick an email domain that closely resembles the true sender’s. But there are usually one or two small details changed in the hope you won’t notice, such as substituting the letter N for the letter M.
- Poorly written text or inconsistent message formats: Check for grammatical or spelling errors you wouldn’t expect to see in an email from a company executive. Also look out for anything in the tone that doesn’t match the way the sender usually writes.
- A missing or faked email signature: More often than not, these types of cybercriminals won’t have your company’s email signature. And if they do, check for any inconsistencies with your own work email signature.
Note:
Criminals don’t even need to intercept an invoice to get you to pay them. They might simply email you, sometimes from a fake address that almost matches one of your company’s vendors, to inform you that their banking details have changed.
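The "dodgy domains" check above can be partly automated. The following is an added example, not code from this ANZ article: it classifies a sender address as a trusted vendor domain, a lookalike of one (confusable letters such as "rn" for "m", swapped digits, an added character or a different suffix) or unknown. The trusted domain list and the sample addresses are constructed for illustration.

```python
# Added example, not code from the ANZ article: flag sender domains that merely
# resemble a trusted vendor's domain. TRUSTED_DOMAINS and the sample addresses
# below are constructed for illustration.

TRUSTED_DOMAINS = {"acme-supplies.com", "example-builders.com.au"}

# Character sequences that read like a different letter at a glance. Applied to
# both sides, so "acrne-supplies.com" normalises to the same string as the real one.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}


def normalise(domain: str) -> str:
    d = domain.strip().lower()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of single-character edits between a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the domain part of address."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in trusted:
        return "trusted"
    norm = normalise(domain)
    for t in trusted:
        # Confusable substitutions, or one or two characters added, changed or removed.
        if edit_distance(norm, normalise(t)) <= 2:
            return "lookalike"
        # Same organisation label under a different suffix (e.g. .net instead of .com),
        # or the real name reused as a subdomain of something else.
        if domain.split(".")[0] == t.split(".")[0]:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample senders: the real vendor, three lookalikes and a stranger.
    for sender in ["accounts@acme-supplies.com", "accounts@acrne-supplies.com",
                   "accounts@acme-supp1ies.com", "accounts@acme-supplies.net",
                   "someone@webmail.example"]:
        print(f"{sender:32} -> {classify_sender(sender)}")
```

A "lookalike" result is a prompt to verify the request by phone on a trusted number, not a verdict; short domains can sit within two edits of each other legitimately.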
Ways to protect yourself against email compromise
Email compromise is costing Aussie businesses more and more each year, and with cybercriminals targeting businesses of all sizes as well as individuals, it’s important to arm yourself with as many safeguards as possible. The tips below can help you clear scammers right out of your inbox.
For businesses:
- Before making a payment or actioning a request to change payment details, always verify that the request is genuine by calling the sender using trusted contact details, particularly when:
  - you receive an unusual or out-of-character payment request from someone within your organisation (or a known third party, like a supplier).
  - you notice new or updated banking details in an email or invoice from a regular client or vendor.
- Closely examine email domain names to spot added numbers or subtle surname misspellings.
- Confirm your company keeps its security software updated across all platforms.
- Ensure staff (especially those working in accounts) are educated on scam red flags.
- Ensure you have protocols in place requiring verification before payments are sent out.
- Turn on multi-factor authentication (MFA) on all accounts, where possible.
For individuals:
- If you’re paying a builder, trade, or other supplier and they email you with updated banking details, or you notice an invoice with different payment details, call them on a trusted number to verify the new details before making a payment.
- Be wary of sudden and urgent requests for funds transfers from people you have had previous contact with.
- Use security software on all of your devices and keep it up to date.
What can you do if you’ve been scammed?
If you’ve been targeted by one of these scams, then we’re here to take you through some immediate actions to protect yourself or your business from further financial harm.
- Notify your manager and/or the appropriate channels at your workplace as soon as possible
- If you have shared financial information or believe you have transferred money to a scammer, notify your bank immediately. If you are an ANZ customer, please contact us immediately.
- If you shared credit card details, block or cancel those cards immediately. If your cards are with ANZ, you can do this through the app.
Who can you contact if you’ve been scammed?
- Report the scam to the Police through the Australian Signals Directorate’s ReportCyber portal. This resource is there for reports of scams where money or personal information has been lost.
- Help others by reporting to Scamwatch to help them prevent future losses, monitor trends and educate the population about emerging threats.
- You can also contact IDCare, a not-for-profit organisation providing support to those experiencing identity and cyber security concerns.