Be alert for impersonators of third-party suppliers (Man-in-the-middle scams)
Alarm bells should ring if a supplier of services or goods contacts your organisation to provide new bank account details for you to pay money owed.
Fraudsters posing as CEOs or third-party suppliers have cost Western Australian businesses and not-for-profits at least $500,000 in the last two years, prompting a warning about ‘man in the middle scams’.
Staff should be urged to check any unusual requests from suppliers and to use the known contact details they have on file or have verified from the supplier’s website.
According to police, several attacks on multiple Australian organisations in 2016 successfully netted a significant amount of money, and there may be further unreported attacks that have not yet been investigated. To date the vast majority of funds have been recovered through bank intervention, but this should not be seen as a guarantee that money will be recovered in future.
Consumer Protection’s WA ScamNet has recorded at least 10 reports of ‘false boss scams’ since 2015 with a total loss of $47,820.00. Between 2015 and 2016 there have been at least 15 reports of ‘payment diversion scams’ with losses totalling $461,215.00.
Detective Senior Sergeant Steve Potter, WA Police Major Fraud Squad, said these attacks are sophisticated.
“They may involve multiple convincing phone calls based on prior research about active work. The attackers appear to have reasonably detailed knowledge of both current work or projects and associated suppliers. The MO used by offenders is otherwise known as a ‘man in the middle attack’.
“The attackers have taken steps to have destination bank details altered by the victim business and thereby cause funds to be directed to accounts accessible by the offenders or their associates.
“Finance areas are advised to ensure processes around changing bank details are robust and include a step to validate the details via previously established contact details; known good phone numbers, email addresses and ideally, a known individual.”
How to avoid being scammed
- If you receive a phone call, email or letter from a supplier seeking a change to the bank account details you use to pay them, be suspicious.
- Use the correct, verified number from the supplier’s website, or the one you have on file, to call a known contact directly and confirm whether the request is legitimate. Never use a phone number given in the request itself.
- If emailing, type the known email address (double-check it) into the ‘To’ field rather than replying to the email you received, because a spoofed message can carry a Reply-To address that sends your answer to the scammers.
- A BSB search, which can easily be done online, reveals which bank and branch a BSB belongs to. Compare it with the supplier’s previous details; a supplier whose payments have always gone to one bank but now asks for a different institution warrants a phone call.
- Remember that the account name you type when transferring money has no bearing on where the funds go: payments are routed by BSB and account number alone, and the name is not checked against the real account holder. You can be asked to enter Legitimate Pty Ltd as the account holder while the account belongs to scammers posing as that company.
How does the scam work?
- The people behind this scam research the target organisation (often specifically the area that handles invoices) and its suppliers.
- This research may involve phone calls to the paying organisation asking about the name of an officer in finance or the person who pays invoices etc.
- The research may involve emails containing links to ‘phish’ for login details, or attachments that install spyware on the recipient’s computer and give the scammers a foothold in the organisation’s wider network, including its mailboxes.
- The scammers pretend to be a supplier and contact the organisation about work carried out, or products provided.
- They ask for a change to the payment process, supplying alternative bank account details for the paying organisation’s financial systems.
- Bank account details given are for an account the criminals have access to.
Who is being targeted?
- State Government
- Local Government
- Major utility companies
- Small, medium-sized and big businesses
What to do if affected?
Successful fraud attempts should be reported to WA Police Major Fraud Squad on 131 444 as soon as possible.
WA organisations targeted unsuccessfully can report the matter to WA ScamNet so the intelligence can be considered for future warnings. WA ScamNet may also refer details to the police.
Make sure you alert the genuine supplier and your staff regarding the attempted fraud.
You are also strongly encouraged to run a virus scan on any computer that received the scam email, and to check the affected mailbox for forwarding rules or other settings the scammers may have added.
Real life stories reported to WA ScamNet
Example 8 (December 2019)
A payment interception or “man in the middle” scam led to a Yangebup association paying $5,200, meant for suppliers who had provided services for a Carols by Candlelight event, into the wrong bank accounts. The association’s email account had been hacked and the scammers diverted invoices as they arrived. The scammers then doctored the invoices by altering the bank account details and placed the fake invoices in the email inbox as though they had come from the genuine suppliers. The association paid the scammers’ bank accounts and only realised when the real suppliers got in touch to say they hadn’t been paid. See 7 News Perth coverage of the scam.
Example 7 (2019)
Home and business buyers as well as real estate and settlement agents in WA are urged to be on high alert after two payments totalling $70,000 meant for a Perth settlement agent were stolen by scammers. The scammers had cloned the settlement agent’s Yahoo email address, and sent a payment request to the buyer of a business. The email contained details of a bank account controlled by the scammers and, believing it was a genuine email from the agent, the buyer paid the money as requested. See full media statement Alert issued after scammers steal $70,000 by cloning a settlement agent email on the DMIRS website.
Example 6 (2018)
- Perth car dealer loses $65,000 to an invoice payment scam
- Commissioners blog: Watch out for payment interception scams
Example 5 (2017)
Astute property buyers in Mandurah thwarted an attempt by scammers to steal more than $200,000 from the settlement of a local property. The buyers received an email purporting to be from their settlement agent asking them to deposit the funds into a bank account in order to finalise the settlement of a house purchase. They noticed that the email address was slightly different from the one they had been using, so they queried the request with their settlement agent directly, who confirmed it was a fake email. See full media statement Attempt by scammers to steal $200,000 from property settlement on the Commerce website.
An architecture business reported that a client had advised them of a phone call and follow-up letter from a scammer claiming to be from the architecture business. The email address given was a slight variation of the true address: it contained a hyphen and ended in dot com rather than dot com dot au, but was otherwise identical.
Scam email domain: Xyz-australia.com
Real email domain: Xyzaustralia.com.au
A business called to report identity theft after a client received an amended invoice on which the bank details for payment had been changed. The client paid the scammers (via an Australian bank account) and was refusing to pay the real business the money owed. A computer technician found the business’s email account had been hacked.
Scammers posed as the President of an association, having ascertained the person was away and communicating electronically. They used a spoofed version of the President’s email address that looked the same but directed replies to the scammers. The scam email asked the Treasurer to organise a $3,700 payment that sounded like a normal arrangement, except that, unbeknownst to the Treasurer, the bank account details were for an account belonging to the offenders. Instead of hitting reply, the Treasurer typed the President’s email address into the ‘To’ box. This broke the communication with the scammers and sent the email to the President’s true account. The President didn’t know what payment the Treasurer was talking about, and at that point they realised the email account had been compromised.
The Treasurer at a not-for-profit received an email from a team member seeking urgent payment of an invoice for $15,000. The attachment was an exact copy of a usual invoice and the only change was the bank account details. The Treasurer phoned the team member to discuss the payment only to find the team member had not sent the email.
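The stories above share two tells that a finance team can check mechanically before anyone picks up the phone: a sender address that is a near-copy of one on file (Xyz-australia.com against Xyzaustralia.com.au), and a message whose Reply-To silently differs from the visible From, which is why typing the known address instead of hitting reply broke the President scam. The script below is an added example written for this page, not code from WA ScamNet or WA Police. The contact list, the small set of domain suffixes, the bank-related keywords and the three sample messages are all constructed for illustration; it generalises the page's one lookalike address to any hyphen or suffix variation of a domain on file.

```python
"""Check supplier e-mail headers against the contact details already on file.

Added example for this page, not WA ScamNet's or WA Police's code. The contact
list, suffix list, keyword list and the three sample messages are constructed.
"""
from email import message_from_string
from email.utils import parseaddr
import re

# Contacts already held on file (constructed sample data).
KNOWN_CONTACTS = {
    "accounts@xyzaustralia.com.au",
    "president@example-association.org.au",
}
KNOWN_DOMAINS = {addr.split("@", 1)[1] for addr in KNOWN_CONTACTS}

# Assumed public-suffix labels; a real deployment would use the Public Suffix List.
SUFFIX_LABELS = {"com", "au", "net", "org", "co", "uk"}

# Words that usually accompany a request to change payment details (assumed list).
BANK_WORDS = re.compile(r"\b(bsb|bank account|account number|new account)\b", re.I)


def core_name(domain: str) -> str:
    """Reduce a domain to its distinguishing part so lookalikes collapse together:
    'xyz-australia.com' and 'xyzaustralia.com.au' both become 'xyzaustralia'."""
    labels = domain.lower().split(".")
    while labels and labels[-1] in SUFFIX_LABELS:
        labels.pop()
    return "".join(labels).replace("-", "")


def check_message(raw: str) -> list[str]:
    """Return warnings for a raw RFC 822 message; an empty list means the
    sender matches a contact on file and nothing in the headers needs a call."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    sender_domain = sender.rsplit("@", 1)[-1] if "@" in sender else ""
    warnings = []

    if sender not in KNOWN_CONTACTS:
        if sender_domain in KNOWN_DOMAINS:
            warnings.append(f"unknown mailbox on a known domain: {sender}")
        elif core_name(sender_domain) in {core_name(d) for d in KNOWN_DOMAINS}:
            warnings.append(f"lookalike of a known supplier domain: {sender_domain}")
        else:
            warnings.append(f"sender not on file: {sender}")

    # A Reply-To that differs from From is how an address that looks the same
    # but "replies to the scammers" works: hitting Reply targets the second address.
    if reply_to and reply_to != sender:
        warnings.append(f"replies go to {reply_to}, not to the visible sender {sender}")

    body = msg.get_payload() if not msg.is_multipart() else ""
    if BANK_WORDS.search(body):
        warnings.append("mentions bank details: confirm by phone on the number on file")
    return warnings


# Constructed sample messages modelled on the stories on this page.
GENUINE = """From: Accounts <accounts@xyzaustralia.com.au>
Subject: Invoice 1042

Please find attached invoice 1042 for last month's work.
"""

LOOKALIKE_DOMAIN = """From: Accounts <accounts@xyz-australia.com>
Subject: Updated invoice 1042

Our BSB and account number have changed; the amended invoice is attached.
"""

SPOOFED_REPLY_TO = """From: President <president@example-association.org.au>
Reply-To: president.assoc@outlook-mail.example
Subject: Urgent payment

Can you organise the $3,700 payment today? New account number below.
"""

if __name__ == "__main__":
    for name, sample in [("genuine", GENUINE), ("lookalike", LOOKALIKE_DOMAIN),
                         ("spoofed reply-to", SPOOFED_REPLY_TO)]:
        print(name, "->", check_message(sample) or ["no warnings"])
```

The check is deliberately a triage aid, not a gate: a clean result only means the headers agree with the file, and a message that asks for a change to bank details should still be confirmed by phone on the number already held, never on one quoted in the email.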