What is a payment redirection scam?

Bristol James

A payment redirection scam is a type of fraud where cybercriminals deceive victims into making payments to fraudulent accounts.

Since the criminal impersonates a business or its employees via email, this form of payment redirection fraud is sometimes referred to as business email compromise (BEC).

Small and medium-sized businesses in Australia lost $91.6 million to these scams in 2023, with the FBI also calling BEC the $50 billion scam in a recent public service announcement.

How do payment redirection scams work?

Here is a general overview of how payment redirection scams work in practice.

Reconnaissance

Before the scam is carried out, malicious actors research the target. They will collect information on the company and its employees as well as its clients, vendors and other key stakeholders.

Impersonation

Based on the above, scammers craft fake but convincing emails that appear to come from trusted sources. In more elaborate schemes, the emails mimic the tone and communication style of the person involved.

Spoofed email addresses that differ from the genuine address by only one or two characters are also used. For example, a “1” may be used in place of an “l”.

In business email compromise scams, emails may be sent from a legitimate email account that has already been compromised by the criminal.

Request

Fraudulent emails are then sent with a request that relates to money in some way. One email may request an urgent payment on an invoice, while another may ask HR to direct an employee’s salary to a different account.

Some criminals (who have been monitoring email communication for some time) will contact the target with an email similar to one the target may be expecting. The hope is that the target fails to notice discrepancies in email addresses, payment details or other verifiable information.

Redirection

Believing the suspicious email to be legitimate, the target then directs payment to the scammer’s account.

Warning signs of a payment redirection scam

To conclude, let’s take a look at a few of the red flags of a payment redirection scam and how to avoid them altogether.

Payment is requested to a new bank account number

Criminals often impersonate suppliers and will attach notes to fake invoices with new BSB and account numbers. Every other aspect of the invoice is identical, including the number, amount due and even the email address it was sent from.

Before making the payment, it is vital the employee verifies the request with the person who sent it (even if the person is known to them). This must be done with contact details the employee has sourced themselves.

PayID, multifactor authentication (MFA) and dual payment approval processes are three ways for businesses to send money securely.
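As an added illustration (not code from the article or from Eftsure), the check below shows how an accounts-payable system could automatically raise the two red flags discussed above before a payment is released: a sender domain that is a lookalike of a known supplier (the “1” for “l” substitution from the Impersonation section) and an invoice whose BSB or account number differs from the supplier’s record on file. The vendor master list and the sample invoices are constructed for the example, and the extra confusable digits beyond “1”/“l” are an assumption.

```python
import unicodedata

# Vendor master list keyed by email domain: constructed sample data, not from the article.
VENDOR_MASTER = {
    "acme-supplies.com": {"bsb": "062-000", "account": "12345678"},
}

# Digits commonly mistaken for letters in a sender address. "1" for "l" is the
# article's example; the other three mappings are assumed for illustration.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})


def normalise_domain(domain: str) -> str:
    """Fold a domain into a canonical form so lookalikes compare equal to the genuine domain."""
    folded = unicodedata.normalize("NFKC", domain).lower().strip()
    return folded.translate(CONFUSABLES)


def sender_domain(address: str) -> str:
    """Return the domain part of an email address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower().strip()


def check_invoice(sender: str, bsb: str, account: str) -> list:
    """Return the red flags a payment-approval step should raise for one invoice."""
    flags = []
    domain = sender_domain(sender)
    # Exact match first; otherwise see whether the domain is a lookalike of a known vendor.
    target = domain if domain in VENDOR_MASTER else normalise_domain(domain)
    if target not in VENDOR_MASTER:
        return ["UNKNOWN_SENDER"]
    if target != domain:
        flags.append("LOOKALIKE_SENDER")
    known = VENDOR_MASTER[target]
    # Same (possibly compromised) sender, but the money would go to a new account.
    if (bsb, account) != (known["bsb"], known["account"]):
        flags.append("BANK_DETAILS_CHANGED")
    return flags


# Constructed sample invoices: legitimate, lookalike sender, and compromised-account style.
SAMPLE_INVOICES = [
    ("accounts@acme-supplies.com", "062-000", "12345678"),
    ("accounts@acme-supp1ies.com", "062-000", "99999999"),
    ("accounts@acme-supplies.com", "013-500", "87654321"),
]

if __name__ == "__main__":
    for sender, bsb, acct in SAMPLE_INVOICES:
        print(sender, check_invoice(sender, bsb, acct) or ["OK"])
```

Any flagged invoice should then go through the manual step the article describes: a call to the supplier using contact details sourced independently of the email.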

A supplier reaches out claiming non-payment

When this happens, employees should refrain from complying until the payment history and prior emails have been analysed. Past invoices should be examined and bank details verified with the supplier.

Employees must also avoid acting hastily when prompted to rush a decision. The creation of a false sense of urgency is common in payment redirection scams.

A trusted colleague requests payment

Scammers often impersonate the CEO, CFO or some other notable staff member to gain the target’s trust.

To avoid this tactic, the employee must verbally verify the request with the individual in question – no matter who the sender may be or how convincing their message.

Employees should be extra wary if the person reaches out unexpectedly or on a platform they don’t typically use.

Summary:

  • In a payment redirection scam, scammers deceive employees into transferring funds to a fraudulent account. They do this by impersonating trusted sources or, in some cases, by sending from a genuine email account they have compromised (business email compromise, BEC).
  • Payment redirection scams start with reconnaissance, where the criminal collects information on the target and those with whom they interact regularly. Sometimes elaborate attempts are made to impersonate a trusted source before a request is made and a payment redirected.
  • Some of the warning signs of a payment redirection scam include payment requests to new bank accounts, payment requests from high-level staff or emails from suppliers claiming non-payment. A combination of automatic and manual verification can help prevent these scams.
