There’s no business in falling for scams

How to spot a business email compromise scam

Sometimes, it can be hard to tell the real thing from the imitation. While there are times when this is a good thing, like enjoying an awesome cover band or your mate’s bang-on Arnie impression (‘get to da choppa!’), it also can bring challenges.

Scammers are becoming increasingly sophisticated in trying to lure businesses via email into making payments.

In a scam known as ‘Business Email Compromise (BEC)’, scammers impersonate legitimate businesses in emails designed to take money away.

It pays to know how to spot business email scams so you can stay one step ahead of the scammers.

How it works

  • Scammers gain access to a business’s emails and may pose as a senior member or trusted employee of the business to cause you harm.
  • Scammers may also create fake email addresses posing as a legitimate business.
  • Scammers pretending to be the business will email clients, customers and others to ask for payment and/or confidential information.
  • They’ll change banking details on legitimate invoices so payments are sent to scammer accounts instead of the actual business.

3 signs of a BEC scam

  • You receive an email asking you to click on a link taking you to a webpage asking for your username, password, or personal information.  
  • There’s an urgent request for action, and you’re asked to provide money or personal details quickly or risk account suspension.
  • A business claims to have changed banks since your last payment, and asks you to use a different bank account and BSB this time.

Here’s how BEC happened to Nicky*

ING business customer Nicky received an email in their company inbox. The email claimed to be from an important supplier requesting immediate payment of an overdue invoice for goods, with an invoice attached saying all deliveries would be withheld until payment was received.

The email had the supplier’s logo, contact details and was signed off by their General Manager Alex*, who Nicky was in frequent contact with.

Not wanting to risk supply, Nicky immediately sent payment as per the attached invoice.

The next morning, Nicky called Alex to confirm the overdue invoice payment was received to ensure no delivery disruption.

Alex, however, didn’t know what payment or invoice Nicky was talking about.

Nicky asked for the company’s account number and BSB, and when reviewing the payment and invoice, realised the details did not match.

By this point, the money and scammers were already gone.

* Names changed for privacy.

Specific things you can do

If you have a business or work for one, here are things to help avoid BEC:

1. Be vigilant against phishing

Phishing is a scam type where fraudulent messages (including email) are sent from scammers pretending to be from large organisations you know or trust.

You can be on the front foot against phishing by:

  • Checking message details such as the spelling of a sender’s domain name. Double-check by comparing it to previous correspondence.
  • Using spam and message-scanning services offered by your email, SMS or social media providers to filter potentially harmful content.
  • Exercising caution when opening messages or attachments, and clicking on links from unknown senders.
  • Not providing personal information (such as passwords, usernames, and PINs) to unverified sources.
  • Contacting the business on a trusted phone number, to verify the authenticity of the communication or any key changes relating to payments.

2. Multi-factor authentication

Using multi-factor authentication (MFA) is one of the most effective controls in safeguarding access to computers, systems and online accounts. While scammers may have stolen login info from you, if you have MFA set up, it makes it harder for them to gain full access.

Multi-factor authentication can involve a combination of:

  • Something the user knows (a passphrase, PIN or answer to a secret question).
  • Something the user physically possesses (such as a smartcard, physical token or security key).
  • Something the user inherently possesses (such as a retina pattern or fingerprint).

3. Be proactive in protection

Protecting yourself from scams including BEC is an ongoing responsibility. Ensure your business has a clearly-defined and known process for verifying and validating payment requests and handling sensitive information.

HR, accounts and finance teams may be particularly targeted by BEC given their access to payments and information, so having clear guidance on how to act upon these warning signs can help protect your business:

  • An urgent payment request or threats of serious consequences if payment isn’t made.
  • An unexpected change in bank details.
  • Unexpected payment requests from someone in a position of authority, particularly if payment requests are unusual from this person.
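
The warning signs above (a sender domain that is slightly misspelled, an unexpected change in bank details, urgent language) can be checked against the supplier details your accounts team already holds. The Python below is an added example and is not ING's code; the supplier record, domains and account numbers are constructed, and the function names are hypothetical.

```python
import re
from email.utils import parseaddr

# Constructed supplier record: what accounts already holds from previous,
# verified correspondence. All names and numbers here are made up.
KNOWN_SUPPLIERS = {
    "acme-supplies.example": {"bsb": "012-345", "account": "12345678"},
}
URGENCY = re.compile(r"\b(urgent|immediately|overdue|withheld|suspend\w*)\b", re.I)

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def review_payment_request(from_header, body, bsb, account):
    """Return a list of BEC warning signs found in a payment request."""
    flags = []
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    supplier = KNOWN_SUPPLIERS.get(domain)
    if supplier is None:
        # Not a domain we have dealt with: is it a near-miss of one we know?
        near = [d for d in KNOWN_SUPPLIERS if 0 < edit_distance(domain, d) <= 2]
        flags.append(f"lookalike-domain:{near[0]}" if near else "unknown-sender")
        supplier = KNOWN_SUPPLIERS.get(near[0]) if near else None
    # A genuine but compromised mailbox passes the domain check, so the
    # bank details are compared with the record on file in every case.
    if supplier and (bsb, account) != (supplier["bsb"], supplier["account"]):
        flags.append("bank-details-changed")
    if URGENCY.search(body):
        flags.append("urgent-language")
    return flags
```

Any flag returned means the request should be verified by calling the supplier on a trusted phone number before a payment is made.
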

3 steps you can take to stay prepared for business email scams

Whatever the type of scam, always keeping these simple steps top of mind could help prevent you from becoming a scam statistic.

  1. Stop. Before sharing money or details, take a breather to assess if the email actually is from a legitimate business.
  2. Reflect. Ask yourself: ‘Would a real business ask me to act this urgently?’
  3. Protect. Don’t wait to act if things seem fishy. Don’t proceed, and if you’re an ING customer and notice unusual activity on your account, place your card on hold in the ING App and immediately call our 24/7 scams line on 1800 052 743.

More useful resources

  • ING. For our latest security alerts and more ways ING can help to protect you and your money, visit ing.com.au/security
  • Scamwatch. To report a scam and get up-to-date information on how to avoid the latest scams targeting Australians, visit scamwatch.gov.au
  • IDCARE. For free advice on how to respond to data breaches, scams, identity theft and cyber security concerns, visit idcare.org

ING is not affiliated to any third parties that may be mentioned in the article. Access to any third party website is at your own risk, and you acknowledge and understand that linked third party websites may contain terms and privacy policies that are different from ours.

The information is current as at publication. Any advice on this website does not take into account your objectives, financial situation or needs and you should consider whether it is appropriate for you. Deposit products, savings products, credit card and home loan products are issued by ING, a business name of ING Bank (Australia) Limited ABN 24 000 893 292, AFSL and Australian Credit Licence 229823. Living Super, a sub-plan of OneSuper ABN 43 905 581 638 is issued by Diversa Trustees Limited ABN 49 006 421 638, AFSL 235153 RSE L0000635. The insurance cover offered by Living Super is provided by Metlife Insurance Limited ABN 75 004 274 882, AFSL 238096. ING Insurance is issued by Auto & General Insurance Company Limited (AGIC) ABN 42 111 586 353 AFSL Licence No 285571 as insurer. It is distributed by Auto & General Services Pty Ltd (AGS) ABN 61 003 617 909 AFSL 241411 and by ING as an Authorised Representative AR 1247634 of AGS. All applications for credit are subject to ING’s credit approval criteria, and fees and charges apply. You should consider the relevant Product Disclosure Statement, Terms and Conditions, Fees and Limits Schedule, Financial Services Guide, Key Facts Sheet and Credit Guide available at ing.com.au when deciding whether to acquire, or to continue to hold, a product. Before interacting with us via our social media platforms, please take a minute to familiarise yourself with our Social Media User Terms https://www.ing.com.au/pdf/Social_Media_User_Terms.pdf.