Beware the BEC Scam!

Statistics recently published by the ACCC show that over the last ten years the number of scams involving email, text messaging, social media and/or phone contact by the perpetrator has increased by a factor of ten.

One area of particular concern, which resulted in almost $60M in losses over the past year in Australia alone, is business email compromise (BEC) scams.

BECs typically involve a hacker gaining access to a business's email or IT system and impersonating a member of its staff. Using that access and assumed identity, they then email a client or subcontractor of the business and request that future invoice payments be made into an account other than the business's usual operating account. The new account is one set up by the scammer. The business has no idea that the hacker is actively using its email for this purpose, and the fraudulent email sent by the hacker is almost indistinguishable from legitimate business emails. The hacker has likely been watching, intercepting and reading emails for months, waiting for a windfall payment to become due before instigating the ruse.

The end result is that the invoiced amount is paid into the hacker's account. That account will be one created at a local bank using false ID. Once the money hits the local account, it is immediately transferred out of the country and becomes almost impossible to trace.

To deal with this problem, a number of high-tech solutions are currently being rolled out by business software providers. In the legal/conveyancing sphere there are many new products to which the legal professional and/or real estate agent can subscribe, which "invite" all the parties to a transaction to participate in it within a secure environment. One example of such software is "PEXA Key", which Mornington Legal is adopting for conveyancing transactions. The software architecture allows each user to enter their bank details into the application, after which those details cannot be changed without two-factor authentication by the participant using text message, phone or a second email account.

But if you are a small business that can't afford these sorts of solutions, how do you protect yourself against these scams? The easy answer is that you should always double-check any account details supplied to you by telephone. Whilst this may seem like an annoying waste of time and unnecessary double handling, it can save the heartache and cost of trying to chase monies which have been paid into a fraudulent bank account.

And whilst it is true that the authors of such scams like to target high-value transaction firms such as property conveyancers (i.e. because a single hackable transaction will often be in the hundreds of thousands or millions of dollars), we have heard of instances of hackers targeting much smaller payments between unlikely businesses in the low tens of thousands. The lesson is that everyone needs to be on guard against these types of scams.

Insurance is another option, but many policies will differentiate between "phishing" scams and "hacking" scams. In circumstances where tens, or even hundreds of thousands of dollars have gone missing, arguing with your insurance company about whether a scam is classified as phishing or hacking could be not only infuriating, but debilitating for a business. Also, insurance companies may take months to pay out. This can be of little comfort where a business is in immediate need of funding to complete a transaction.

By way of an aside, a phishing scam usually involves someone clicking on a fraudulent link (i.e. it involves participation of the victim), whilst a hacking scam involves a hacker gaining illegal access to a server or system without the knowledge of the victim. Depending on your policy, insurance claims for hacking are likely to be more successful than those for phishing.

One other legal curiosity is the real difficulty in identifying the victim of the fraud. For example, consider the following:

Company A owes Company B $10,000.

Company B’s email is hacked and used to send an email to Company A directing Company A to make payment to a hacker’s account.

Company A pays the $10,000 into the hacker’s account.

In these circumstances, who is the victim of the scam? 

From which company was the money stolen?

Is Company B the victim because their email was hacked?

Is Company A the victim because the money that they were going to use to pay Company B was stolen?

Does Company A still owe Company B the outstanding sum?

The difficulty from a policy perspective is that Company B needs to be responsible for the upkeep of its software and IT services, which would otherwise prevent the hacker gaining access. Meanwhile, as Company B never received the payment from Company A, Company A remains liable for the outstanding amount. It therefore seems inequitable and unconscionable to pursue Company A for money which it thought it had paid in good faith to Company B. What would be the situation if the representations containing the fraudulent bank account details were made by a con-artist in person rather than via email? These are the types of issues which, as a result of modern technology, are now being tested in the legal system.

If you would like more information please contact us.

This article was written by , and published within the category: Articles.
