What do the Yangebup Progress Association's Carols by Candlelight, the City of Kalgoorlie-Boulder, and customers of builders, settlement agents, and car yards across WA all have in common? They have all been the victims of fraud known as a 'man-in-the-middle' or 'business email compromise' scam.
Reports indicate that online scams increased during the COVID period, with more people transacting online than ever before.
WHAT IS IT?
Imagine you are corresponding with a supplier by email. One day your supplier sends you an email asking you to pay your account with them, but letting you know they have changed their banking details and they want to make sure you pay into their new bank account.
The email looks like it comes from your supplier: it has their name in the 'from' field, it carries the same subject line and contents as the email discussion you've been having, it is signed by your supplier's contact and it uses their logos and signature panel.
You pay the money into the new bank account, then move on with your life knowing that's a bill that's now been taken care of.
A short time later you receive a new email from your supplier asking why they haven't been paid. You tell them that you paid them into their new bank account – and then they tell you they don't have a new bank account.
You immediately contact your bank, who contacts the bank you sent the money to, but the money is gone, the account closed, and the people in control of the account cannot be traced. What is worse, too often the police are either uninterested, or cannot do anything to help anyway.
You have fallen victim to a man-in-the-middle scam, and not only have you lost your payment, you still have a debt to your supplier to pay.
WHAT CAN BE DONE?
The first measures that should be taken are preventative:
- Ensure that you have strong systems in place not just for authorising payments to suppliers – but in how those payments are made. That might mean a system for confirming the precise bank account details any payment is made to, or at least triple-checking payments to a newly advised bank account.
- Ensure that you triple check the actual addresses from which emails are received. It is not difficult to replicate names, logos and signatures. It is much harder to hide the actual email address from which an email is sent. Sometimes the display name of the email does not match the email address. Sometimes the email address will be subtly different; the difference can be as small as a slight change in spelling.
- Ensure your IT security is strong and kept up to date.
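A programmatic version of the address check in the second point above, added here as an example that is not from the original article: it reads the real sender address out of an email's From header, compares it with a constructed record of the supplier's known address, and flags display-name mismatches and look-alike domains. The supplier name and domain, the status labels and the substitution table are assumptions.

```python
from email.utils import parseaddr

# Constructed vendor master record (assumption): the only address each supplier
# is known to send from, mapped to the display name we expect alongside it.
KNOWN_SUPPLIERS = {"accounts@acme-supplies.example": "acme supplies accounts"}

# Character swaps commonly used to make a domain look like the real one.
_SUBS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("cl", "d"))


def _normalise(domain: str) -> str:
    """Undo the usual look-alike substitutions so 'acrne' compares as 'acme'."""
    d = domain.lower()
    for fake, real in _SUBS:
        d = d.replace(fake, real)
    return d


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one- or two-letter spelling changes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str) -> str:
    """Classify a raw From header against the vendor record.

    Returns one of: 'ok', 'same-domain-new-mailbox', 'lookalike-domain',
    'display-name-mismatch', 'unknown-sender'.
    """
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    if addr in KNOWN_SUPPLIERS:
        return "ok"
    domain = addr.rsplit("@", 1)[-1]
    for known in KNOWN_SUPPLIERS:
        known_domain = known.rsplit("@", 1)[-1]
        if domain == known_domain:
            return "same-domain-new-mailbox"  # real domain, unfamiliar mailbox
        if (_normalise(domain) == _normalise(known_domain)
                or _edit_distance(domain, known_domain) <= 2):
            return "lookalike-domain"  # close spelling of a supplier's domain
    if name.strip().lower() in KNOWN_SUPPLIERS.values():
        return "display-name-mismatch"  # trusted name on an unrelated address
    return "unknown-sender"
```

Any result other than 'ok' is a prompt to confirm the payment details by telephone on a number you already hold for the supplier, not one taken from the email.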
The next measures you can take address the impact of a scam if it occurs:
- Make sure your insurance covers online fraud. This type of insurance is available, but is often overlooked. Cyber (or Cyber-crime) insurance might be worth adding to your existing suite of business insurance. Talk to your insurance broker.
- Have a forensic IT examination. This might help identify how your email was hijacked. The most persuasive examples of this type of scam occur when an existing email thread discussing an upcoming payment is taken over by scammers. A good investigation may help you discover the source of the hack, and any weakness in your or your supplier's systems.
WHAT IS THE LEGAL POSITION?
Obviously activity like this is a crime, but in most cases it is impossible to track down the scammers or where your money has gone, even with Australia's sophisticated banking system and proof of identity requirements. Some legal options for you include the following:
- Report the matter to your bank. Banks now have anti-fraud measures and complaint handling systems. If you act quickly the transaction may be able to be reversed, or the funds frozen.
- Report the matter to the police. If you have been the victim of a scam it should be reported. Local police may be able to help in some instances.
- Report the matter to the Australian Cyber Security Centre at cyber.gov.au's ReportCyber link (replacing ACORN). This is the federal response to cybercrime and will often be the more appropriate mechanism to report online fraud than the local police. They have an online form to complete.
WHAT ABOUT OUR LOSSES?
If the money cannot be recovered, you have suffered a loss. The civil law has mechanisms that may help you recover that loss.
The most obvious recourse is in the law of negligence. Simply put, if your supplier is responsible for the loss by failing to take reasonable precautions to secure their email networks, then they may have to bear some or all of the loss.
The key here will be in identifying the source of the hack. If you can establish it came from their end, and it occurred because they failed to implement proper IT security, you may be able to claim that your loss (being the money due in the invoice which was paid to the scammer) is equal to the amount that you still owe – and when the amounts are set-off against each other, there is no debt.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.