An Australian small business narrowly avoided losing almost $940,000 to a single payment redirection scam, Bendigo Bank says, highlighting the importance of double-checking invoice details before firing off payment.
In a statement, Bendigo Bank said the business engaged a construction firm for routine works and sent a draft invoice to confirm the amount owed.
The construction business sent back an email from its legitimate email account, signed by its director, confirming the amount owed.
However, it included a new set of bank account details, which the small business used to process its payment.
The payment was actually directed towards a fraudulent bank account, as the construction business had its email account infiltrated by a criminal.
Luckily, the legitimate construction business advised the victim they had not received payment, allowing both businesses to spot the dodgy account details used in the offending email.
Fortunately, the scam victim quickly brought the issue to Bendigo Bank.
The bank said it successfully retrieved $897,083 of the full $938,600 payment.
How are Australian businesses losing out?
The incident highlights the prevalence and potential financial devastation caused by false billing and payment redirection scams.
Australians reported losses of $16.2 million as a result of payment redirection scams in 2023, according to the Australian Competition and Consumer Commission.
While the total number of reports dipped from the year prior, the dollar value lost increased by 3% over the year, setting off alarm bells within the consumer watchdog.
Businesses in the construction, real estate, and legal sectors are among the most likely to have their email accounts compromised by criminals, who use their official communication channels to scam victims out of significant sums.
One of the best ways to protect your business from falling victim is to carefully cross-reference payment details with the payee.
This means “prevention is better than cure”, Bendigo Bank’s head of customer protection Jason Gordon said in a statement.
Businesses are encouraged to pause before firing off payment, consider whether any details need clarification from the payee itself, and quickly report any suspicious payment activity to their banking provider.
Online training programs, like Bendigo Bank’s own in-house sessions and the Cyber Wardens system, can help businesses learn how to spot the signs of an attempted payment misdirection scam.
What are the banks doing to prevent scams?
Beyond the need for businesses to be savvy and alert to the threat of payment redirection scams, the banking sector is focused on how to minimise losses.
Commonwealth Bank last year introduced its name-and-shame NameCheck feature, which provides the name associated with a BSB and account number when a payee enters it for the first time.
The bank said the technology stopped scam attempts valued at an estimated $38 million between March and September last year.
Bendigo Bank itself signed up to use the NameCheck system in its Up banking app in a pilot program.
More broadly, the Australian Banking Association in November revealed its $100 million Scam-Safe Accord, underpinned by a confirmation-of-payee system that will effectively pin an account holder’s personal details to their BSB and account number.
The accord will also require individuals to provide biometric data when opening a bank account, making it harder for scammers to operate ‘dummy’ accounts under false identities.
This cross-bank system will be built and developed through 2024 and 2025.
“Bendigo Bank advocates for a true cross-sector approach to scam prevention, with a focus on controls and improvements at the origination of a scam, to stop it happening in the first place,” Gordon added.
How is the government responding to payment redirection scams?
Scams are also front of mind among lawmakers, and the government is considering measures that could hold banks liable for some payment redirection scams.
Addressing the National Press Club on Wednesday, Assistant Treasurer and Minister for Financial Services Stephen Jones said the federal government will investigate changing the law to encourage more action from the banks.
“A fundamental characteristic of scams is that they are transactions that are authorised – through deception – by the victim,” he said.
“So the law is not fit‑for‑purpose.
“We will address this to ensure victims can receive compensation in the right circumstances.”
This could include “compensation for inaction, for negligence, for failing to meet an obligation”.
Jones also highlighted ongoing work to establish an SMS ID registry.
When launched, the national scheme will block messages purporting to be from a bank, telco, or government agency, if those phone numbers don’t correlate with those on the register.