As the internet and other technologies are opening new possibilities for businesses, they also provide new pathways for criminals to commit crimes. Cyber fraud is on the rise with businesses and their clients being targeted on a daily basis. It is increasingly becoming a major risk for businesses and customers.
How does the fraud occur?
Hackers target businesses known to deal with financial transactions, like real estate agents, solicitors and tradespeople. Typically, they send the business an email containing a link or a document which, if opened, infects the business's system with a virus, allowing the hacker to access and monitor its emails.
The fraud occurs when the hackers intercept emails which contain bank account details for a payment. The hacker changes the bank account details to their own, then releases the email to the customer. The customer receives a totally legitimate-looking email, from an email address they recognise. When the customer acts on the payment direction, they unknowingly transfer funds to the hacker's account instead of the intended recipient. Hackers quickly transfer funds offshore once they are received and usually, the funds cannot be recovered or traced.
It is important to note that banks make transfers of funds using the BSB and Account numbers only – they do not check whether the name you insert as the “account name” actually matches the name of the account holder. Hackers also have various methods of opening or accessing Australian bank accounts – so the fact that you are transferring to a known bank in Australia is no guarantee the account details are legitimate.
What should I do if my business has been affected?
When a data breach, such as cyber fraud, occurs and involves personal information such as bank details, you should notify the affected individuals and the Office of the Information Commissioner. When you let the people who have been affected know about the incident, you should include recommendations about the steps they should take in response.
You should immediately obtain support and advice from an IT professional, and take steps to trace and shut down the hacker’s access to your systems. You should check whether you hold insurance for cyber fraud events, and if so, notify your insurer of a potential claim.
What should I do if I have transferred money to a hacker?
If you have accidentally transferred money from your bank to a hacker, you should contact your bank immediately, and ask them to take steps to block or recover the funds, if possible.
You can block all further transactions, and report the incident to ReportCyber (at www.cyber.gov.au/report), run by the Australian Government. If you need immediate assistance outside of business hours, you should visit or call your closest police station.
You can also contact IDCARE (a national identity and cyber support service) for advice. If you believe your bank has not properly followed your payment directions, you can make a complaint to the Australian Financial Complaints Authority (formerly known as the Financial Ombudsman Service).
In some circumstances, the person whose email system was compromised may be liable to make good the loss.
How can I protect myself against sending funds to the hacker?
It is much easier to protect yourself against a fraud than to try to recover money after the event. To protect yourself, take these simple steps:
- Do not trust the integrity of any bank account information transmitted over email – even if it is in a PDF document, or on an invoice. Hackers can change these details seamlessly.
- Before making a payment, telephone the intended recipient using a known telephone number for them, and ask them to confirm their correct bank account details, and read back the BSB and Account numbers.
- Keep your anti-virus protection up to date, and use strong and unique passwords.
- Be scam aware – subscribe to Scamwatch, run by the ACCC, for updates about the latest scams targeting businesses and individuals.
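
For a business that pays invoices regularly, the first two steps can be built into the payment process as a check before any transfer is released. The sketch below is an added example, not part of the original article: the payee register, the sample messages, the phone number and all function names are constructed for illustration.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Payee:
    bsb: str          # six digits, no separators
    account: str      # digits only
    known_phone: str  # number on file from before any invoice arrived

# Constructed register: details confirmed by phone when the payee was set up.
TRUSTED_PAYEES = {"acme-plumbing": Payee("012345", "12345678", "07 5550 0100")}

BSB_RE = re.compile(r"BSB\W*(\d{3}[- ]?\d{3})\b", re.I)
ACCT_RE = re.compile(r"Account\s*(?:No\.?|Number|#)\W*(\d[\d -]{3,12})", re.I)

def parse_bank_details(text):
    """Return (bsb, account) as bare digit strings, or None if either is missing."""
    bsb, acct = BSB_RE.search(text), ACCT_RE.search(text)
    if not (bsb and acct):
        return None
    return tuple(re.sub(r"\D", "", m.group(1)) for m in (bsb, acct))

def check_payment(payee_id, message_text):
    """Return (decision, reason); only "PAY" releases the transfer."""
    parsed = parse_bank_details(message_text)
    record = TRUSTED_PAYEES.get(payee_id)
    if parsed is None:
        return "HOLD", "no readable BSB and account number in the message"
    if record is None:
        return "HOLD", "new payee: confirm details by phone on an independently sourced number"
    # The account name is deliberately not compared: the transfer is routed on
    # BSB and account number only, so a correct-looking name proves nothing.
    if parsed != (record.bsb, record.account):
        return "HOLD", f"details differ from register: call {record.known_phone} and have them read back"
    return "PAY", "BSB and account number match the phone-confirmed register"

# Constructed messages: same sender and account name, different numbers.
GENUINE = "Account Name: Acme Plumbing Pty Ltd\nBSB: 012-345\nAccount Number: 1234 5678\n"
TAMPERED = "Account Name: Acme Plumbing Pty Ltd\nBSB: 987-654\nAccount Number: 8765 4321\n"

if __name__ == "__main__":
    for label, msg in (("genuine", GENUINE), ("tampered", TAMPERED)):
        print(label, check_payment("acme-plumbing", msg))
```

The phone number used for the callback comes from the register, never from the email or invoice being checked.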
If this has happened to you or your business, or you want to review your business strategies against cyber fraud, you can contact us by telephoning our office on (07) 3220 2929 or emailing us at firstname.lastname@example.org.
About Kathleen Anderson
Kathleen Anderson is a Senior Associate in the Dispute Resolution team at Plastiras Lawyers. Kathleen helps SMEs prevent and resolve disputes arising in their day to day businesses. Her expertise includes advising businesses on contract breaches, partnership disagreements, debt disputes and negligence claims.