Beware hacking scam targeting business email accounts - News alert

6 May 2019

Consumer Affairs Victoria continues to receive reports of the 'business email compromise' scam, targeting the email accounts of businesses including estate agencies, conveyancers and builders.

How the scam works

In most instances, a client receives an email from the business they are dealing with that includes details of an account to make a payment to.

Shortly afterwards, the client receives a second email from the same email address, telling them that the business has just updated its account details, and to pay into a new account. This second email is in fact from scammers impersonating the business, asking the client to send money into an account the scammers have set up.

We have also had reports of businesses that have paid money into a fake account after receiving an email they thought was from their client or client representative, but which came from an account that had been hacked in a similar way.

If you are a business or consumer and receive an email from a business you are dealing with that includes details of a bank account to deposit money into:

  • be very suspicious if you receive a second email asking you to make payment into another account, even if it is from the same email address 
  • call the supposed sender of the email to check its legitimacy. If the email has come from a business, consider visiting their office in person. 

Tips to avoid a 'business email compromise' scam

We strongly encourage consumers and businesses to regularly review and secure their online systems.

To help keep your email accounts safe:

  • consider setting up a two-step verification process for your email accounts. This requires a user to provide more than one type of proof that they are authorised before they can access an account
  • do not use obvious passwords. Change your passwords, and other verification details, regularly
  • do not share your email address online unless you need to. Consider setting up an email address just for online transactions, and another for communicating privately with clients and customers.

If you are a business sending account details for customers to make payment via email, advise them to:

  • be very wary if they receive a second email telling them to pay into another account, even if the email comes from the same address
  • contact your office to check the email’s legitimacy.  

Any business or individual who believes they have been tricked into paying money into an incorrect account should contact their bank immediately.

More information:

For more information on maintaining your security online, visit the Email page on the Federal Government’s Stay Smart Online website.

You can report incidents of cybercrime to the Australian Cybercrime and Online Reporting Network.

IDCare is a not-for-profit organisation that provides free support services and resources to people and organisations targeted by cybercriminals and scams. For more information, visit the IDCare website.

Remember: any business or individual can be a target for cybercriminals. For more information on staying safe online, visit the Stay Smart Online website.