You’re socially engineered into transferring money

Social Engineering describes the use of deception to manipulate you into doing something you wouldn't ordinarily do - like transferring large amounts of cash to a cyber criminal. While social engineering tricks and techniques continue to evolve, there are things you can do to reduce your chances of your team falling victim.

Managing your accounts payable function in your business is usually pretty straightforward. It’s also often one of the first functions a business owner will delegate to a junior staff member or office manager. Scammers understand how benign the task is for you, and are therefore playing on this to actively target this function in order to steal your money.

So how does this Happen?

It’s really very simple. Using information they can easily find about your business, a scammer posing as one of your regular suppliers will email you to tell you that their banking details have changed.

  • They may tell you they’ve recently changed banks,

  • They may use stolen letterhead and branding to convince you they are legitimate.

  • They will give you with a new bank account number and ask that all future payments are directed there.

The scam is often only detected when your regular supplier asks why they have not been paid. These scams are common, and you can read other real-world examples on the scamwatch website.

How big is the risk?

Thinking about the size of your usual invoices, how big could the amount of money falsely transferred be? Could you be risking $5,000, $50,000 or $500,000? When you are tricked into paying sums such as these, your bank probably won’t reimburse you, and you still have to pay your supplier the funds to their correct bank account, so your loss is likely to be at least double the amount the scammer gets away with. How easily could your business absorb this loss?

How often does it happen?

According to the Australian government's Scamwatch website, over $4m was lost to emails scams just like these last year, and the number are rising with a 46% increase in the number of reports from 2017 to 2018. The majority of losses come via email, and whilst more reports come from business owners over the age of 65, larger amounts are being scammed from owners aged 35-44.

What should I do now?

There’s one really easy process you can put in place today, in five minutes or less, to reduce the chances your business will become a victim of such a scam.

Step 1: Introduce a policy into your business that requires two forms of verification before any banking details are changed in your accounts payable systems. This would mean that when an email request to change details is received, your office manager or junior support must look up the contact details for your supplier and call them to verify the request has actually come from the supplier prior to making the change.

Step 2: Communicate this new procedure, including the reasons why it is important, to all staff who manage your money, and ensure they understand what is required of them.

Step 3: Notify your key suppliers of this change, so they understand what is expected of them in the event they legitimately do need to change their bank details with you.

What next?

There are a number of other steps we recommend businesses take to reduce the chances and impact of this type of scam. For more support, sign up for your tailored cyber resilience membership here.