Australians have lost more than $64 million to scams so far this year, and in the lead-up to the end-of-year crunch, businesses are particularly exposed to fraudulent requests hidden among genuine bills and correspondence.
Scamwatch, the tracker run by the Australian Competition and Consumer Commission, reports that of the $64 million lost by Australians this year, millions have gone to false billing, phishing attempts and business scams.
Over the past year, digital security experts have explained to SmartCompany the thinking behind some of the most common schemes used to fleece businesses. In the lead-up to Christmas, here are three common scam types to protect yourself against.
Gift card scams and fake prizes
Social media is increasingly the primary way brands communicate with their customers, but this brings risks: scammers use platforms like Facebook to harvest customer data by posing as those brands. Over the past year, retailers of all sizes have been impersonated through prize and gift card scams.
These scams, which have affected the likes of Woolworths and Coles in recent months, promise customers a prize, or tell them they qualify for a gift card or gift voucher because of their participation in a loyalty program. Shoppers are then sent to a separate web page and asked to enter their details to claim the prize; the scammers’ aim is to collect financial and personal information.
Earlier this year, baby goods retailer Baby Bunting warned customers not to engage with a Facebook page that asked customers to fill in details in order to win a Baby Bunting voucher.
Branding and digital security experts have warned businesses to be vigilant on two fronts when it comes to these schemes. As potential victims, business owners should be wary about entering personal details to win a gift card; as potential targets of impersonation, they should keep a close eye on social media so they can report fake pages and warn customers if a scammer imitates their company.
Invoices, emails and phone calls
Across all sectors, business owners face a tonne of paperwork in the lead-up to Christmas, and a fraudulent invoice is easy to miss in the pile. That makes the period prime time for invoice and email scams.
Over the past year, organisations ranging from Origin Energy to the Australian Securities and Investments Commission have been impersonated in email. A common form of the scam is a fake invoice for a service the business genuinely uses; some victims pay a bill that was never issued into a scammer’s account. The cheapest defence is to compare the payee details on any invoice against those already held for the supplier, and to confirm any change with the supplier using contact details you already have, not those printed on the invoice.
Cyber security experts have also warned businesses about cold callers posing as service providers and asking the business to confirm personal details. In one case earlier this year, the Australian Competition and Consumer Commission warned consumers never to engage with anyone who calls claiming to be from NBN Co and wanting to set up an internet account. In this scam, callers were harvesting users’ details and in some cases demanding payment for internet services in iTunes gift cards; no legitimate provider takes payment in gift cards, so that demand alone gives the scam away.
Sense of Security’s Michael McKinnon told SmartCompany at the time that business owners should be sceptical of anyone who calls claiming to be from a company like NBN Co and asks for the company’s details.
“Try and determine if they’re a legitimate business. Do they have an ABN or a real phone number?” he said.
The “Business Email Compromise”
The end-of-year rush also involves plenty of event bookings and forward planning, so unusual payment requests are common and a fraudulent one stands out less. SMEs should ensure staff are wary of “social engineering” scams.
In these types of scams, attackers research the names and roles of finance officers and others within an organisation, then impersonate senior staff, using a spoofed or lookalike email address or a mailbox they have already compromised, to ask junior staff to do things like pay fake invoices.
“Business Email Compromise” or BEC scams typically involve requests for invoice details to be changed or funds to be transferred immediately, according to the Australian Criminal Intelligence Commission.
“BEC requires few technical skills; most effort is spent on social engineering and research on targets,” the Commission said in the report on the issue earlier this year.
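As an added example (not code from the article, the Australian Criminal Intelligence Commission or any firm quoted here), the following Python script shows how a mail gateway or help desk might triage the two BEC patterns just described: it flags an executive’s display name on an outside address, a sender domain one or two characters away from the company’s own, a Reply-To that diverts answers elsewhere, and wording about changed bank details or immediate transfers. The company domain, executive list and sample messages are all constructed for illustration. The rule that any change of payment details is verified out of band even when it comes from a genuine internal address is deliberate: a mailbox the attacker has compromised passes every sender check.

```python
"""Heuristic triage for Business Email Compromise (BEC) attempts.

Added example, not code from the article or from any organisation quoted
in it. The company domain, executive list and the three sample messages
below are constructed for illustration.
"""
import email
import re
from email.utils import parseaddr

# Assumed organisation: its own mail domain and the executives most often
# impersonated (lower-case display name -> genuine address).
COMPANY_DOMAIN = "example-retail.com.au"
EXECUTIVES = {"jane doe": "jane.doe@example-retail.com.au",
              "tom nguyen": "tom.nguyen@example-retail.com.au"}

# Cues for the two patterns the article describes: changed payment
# details, and pressure to transfer funds immediately.
PAYMENT_CHANGE = re.compile(r"\b(new|updated|changed?) (bank|account|payment) details\b", re.I)
URGENCY = re.compile(r"\b(urgent|immediately|today|asap|before (cob|close of business))\b", re.I)

SENDER_FLAGS = {"executive display name on external address",
                "lookalike sender domain",
                "reply-to domain differs from sender"}


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a, b):
    """Levenshtein distance; one or two edits from our domain is a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(raw):
    """Return the BEC indicators found in one raw RFC 822 message."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = _domain(addr)
    findings = []

    # 1. An executive's display name on an address that is not theirs.
    key = name.strip().lower()
    if key in EXECUTIVES and addr.lower() != EXECUTIVES[key]:
        findings.append("executive display name on external address")

    # 2. A domain within two edits of ours, e.g. "retai1" for "retail".
    if sender_domain != COMPANY_DOMAIN and _edit_distance(sender_domain, COMPANY_DOMAIN) <= 2:
        findings.append("lookalike sender domain")

    # 3. Replies silently diverted to another domain (often a webmail account).
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and _domain(reply_to) != sender_domain:
        findings.append("reply-to domain differs from sender")

    # 4. Content cues. Single-part messages only, to keep the example short.
    body = msg.get_payload() if not msg.is_multipart() else ""
    if PAYMENT_CHANGE.search(body):
        findings.append("request to change payment details")
    if URGENCY.search(body):
        findings.append("urgency language")
    return findings


def needs_verification(raw):
    """True when the request must be confirmed out of band (a call to a
    saved number, not one in the email) before anyone acts on it.

    A change of payment details is always verified, even from a genuine
    internal address, because a compromised mailbox passes every sender
    check. Otherwise a sender anomaly combined with urgency is enough.
    """
    found = set(triage(raw))
    if "request to change payment details" in found:
        return True
    return bool(found & SENDER_FLAGS) and "urgency language" in found


# Constructed samples: a lookalike-domain BEC, a genuine message, and a
# payment-change request arriving from a real internal address.
SAMPLE_BEC = """From: Jane Doe <jane.doe@example-retai1.com.au>
Reply-To: jane.doe.ceo@gmail.com
Subject: Supplier payment

Hi, the supplier has sent new bank details, please pay the attached invoice today."""

SAMPLE_OK = """From: Jane Doe <jane.doe@example-retail.com.au>
Subject: November board pack

Hi team, attaching the agenda for the board meeting. Thanks, Jane"""

SAMPLE_COMPROMISED = """From: Tom Nguyen <tom.nguyen@example-retail.com.au>
Subject: Freight supplier

Our freight supplier has updated payment details; use the new account for the next run."""
```

In practice these content rules sit behind sender authentication (SPF, DKIM and DMARC alignment), not instead of it, and a flag should route the request to a person who confirms it by phone on a number already on file, which is the control Bentley describes below.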
Tim Bentley, managing director of security firm Proofpoint, told SmartCompany in August that these scams often require little more research than checking staff members’ positions on LinkedIn. He says it is critical that staff are warned to double-check any request to complete a transfer or pay a bill.
“If [staff] are in any doubt, they should make a phone call or get a second opinion from someone else in the office. Make sure they call via a trusted and saved phone number, not through a number provided on the email address,” he said.
“Also don’t list your employees on LinkedIn as being in accounts payable, just say they’re in finance, otherwise you’ll make it easy for criminals.”