Business loses $300,000 to ‘spoofed’ email scam: How to protect yourself from being impersonated


Australia’s competition watchdog has warned SMEs to “urgently” review their security and pay systems after one business reported a $300,000 loss to hackers who impersonated staff members at the business.

The scam, known commonly as ‘business email compromise’ (BEC), involves a hacker or cyber crook gaining access to the business email of someone working at an SME, usually either an executive or a staff member working in payroll.

The hacker usually then tells suppliers and customers the business’ bank details have changed, providing them new offshore account details to pay into, resulting in the business’ payments flowing into that account.

Alternatively, the criminal can use the email account to ask finance staff to pay urgent invoices, again quoting bank account details that differ from those the business usually uses.

The Australian Competition and Consumer Commission’s (ACCC) Scamwatch division has revealed that reports of such BEC scams increased by a third in 2018, with over $2.8 million being siphoned away from Australia’s small and medium businesses.

“This is a very sophisticated scam, which is why many businesses only realise they’ve been caught out once it’s too late,” ACCC deputy chair Delia Rickard said in a statement.

“It’s a scam that targets all kinds of businesses, including charities and local sporting clubs. There is a misconception these scams target just small business, however, the largest number of reports and losses came from medium-sized businesses, including one that lost more than $300,000.”

While BEC scams have been an ever-present threat to businesses across the world, SMEs are often warned about more common scam variants such as phishing attacks or classic virus-centric malware attacks.

However, senior manager at web security business HackLabs Michael McKinnon tells SmartCompany BEC is increasing in prevalence due to both its success and ease of execution.

McKinnon says he’s seen clients who have been defrauded out of six-figure invoices due to BEC attacks, and warns once hackers know a business is an easy target, they’ll keep on trying.

“Once they’ve successfully attacked and gotten money from the business, these crooks will put those businesses on a sort of ‘VIP list’, and continue to attack them even harder,” he says.

“Businesses need to avoid this happening to them at all costs, because once it does they’ll be back again for a second and third payday.”

Reports to Scamwatch show BEC-style scams are responsible for 63% of all business losses reported to the ACCC over the past year, with the average loss being $30,000.

For SMEs running on razor-thin margins, a BEC attack can not only mean money down the drain but also a potential end to the business. McKinnon also warns hackers with access to an email account can easily reset passwords for any other accounts using the email, opening the gate for further potential compromise.

Unfortunately for business owners, it’s much harder to protect yourself from BEC than from other scam variants, as spoofed emails can originate anywhere, including from outside the business. McKinnon advises business owners to enable two-factor authentication on their accounts wherever they can, along with implementing training regimes for staff around the risks.

“Security awareness training is very important, so talk to all of your staff and warn them to be extra mindful around this type of attack,” he says.

The ACCC advises businesses consider a “multi-person approval process for transactions over a certain dollar threshold and keep IT security up-to-date with anti-virus and anti-spyware software and a good firewall”.



David Barnes
3 years ago

This article has reported commentary from an Australian Government (ACCC) body that has been advised that their email scam protection information is factually incorrect. The contact point is documented on my research timeline.

Further to this, after the Channel 9 News Woolworths email scam story, where the ACCC gave out incorrect information after I had advised them of the information error, I contacted Channel to report the facts and the issue with their story, with no response.

Here is what you need to know:

1.) Email domains can be protected against being spoofed. Whilst the DMARC authentication is being rolled out globally ever so slowly, more than 90% of the world’s email users are protected if the domain owner chooses to implement a DMARC p=reject policy.

2.) The US Government mandated (as have 6 others) and has implemented the technology, which means many Australian Government Apps cannot send email to the US Govt. You now will see some Australian Federal Departments starting to implement the authentication. If you use the community checker and for example use for your search you will see that the Australian Government is aware they can protect citizens but there is no policy.

3.) If a domain is protected and a policy is reflected on the website with a disclaimer to educate customers, there is no reason for anyone to be scammed via email again, unless you win the Nigerian Lotto. Simply put, cannot be spoofed. There are sample policies available on the community project site.

4.) Using a single authentication option with DMARC can be spoofed; there is proof available, so you must use the double check for it to work properly.

It would be nice to see businesses getting the correct advice, as they continue to lose money and insurance companies will stop paying out if this authentication is not used. Indeed, lawyers are adding it to contracts as from last week.
