The Australian Federal Police is urging businesses and individuals to be alert to the threat of Business Email Compromise (BEC) as many organisations return to remote working because of COVID restrictions.
BEC is a persistent threat worldwide. In Australia, the impact of BEC scams on victims is significant, with financial losses totalling more than $79 million in the past 12 months.
BEC is a fraud technique used by offenders to redirect legitimate fund transfers to alternative accounts. Most commonly, offenders will intercept legitimate emails or invoices from known transaction partners and change banking details to include fraudulent payment information.
The victim will then unsuspectingly transfer funds to the offender. BEC often goes unnoticed until the intended recipient of the funds enquires about the missing payment, or the victim becomes aware that the funds have been deposited incorrectly.
The AFP and our law enforcement partners formed a BEC taskforce in January 2020 to respond to the threat. The BEC taskforce is coordinated by the AFP’s Cybercrime Operations and includes State and Territory law enforcement, the Australian Criminal Intelligence Commission, the Australian Cyber Security Centre (ACSC) and the Australian Transaction Reports and Analysis Centre.
The taskforce’s objective is to coordinate a national effort to prevent BEC scams and disrupt associated cyber-criminal syndicates.
Over the past twelve months, more than 3,300 incidents of BEC have been reported to the ACSC through its Report Cyber portal, with nearly half of those scams resulting in financial loss.
The AFP and its taskforce partners prevented the community from losing $8.45 million to these frauds in the 2020/21 financial year.
In one case in September 2020, the taskforce assisted an Australian business that was compromised when offenders claiming to be staff sent internal invoice emails with altered bank details to the company’s finance area.
The business processed two payments within a few days – transferring $519,545 and then $2,148,938 to a Singaporean bank account. The BEC was discovered after the second transfer. The affected business immediately reported the matter to NSW Police via Report Cyber, who then notified the AFP to intercept the transferred funds.
AFP Cybercrime Operations contacted Interpol seeking assistance to notify Singaporean authorities to place a hold on the account and this was done within a day of the second transfer.
The AFP was advised that the first fund transfer had already been extracted by the offender, but the second had been successfully intercepted by the Singapore Police Force placing the bank on alert. As a result of the intervention and disruption activity, $2.1 million of the $2.6 million was recovered. Enquiries continue regarding the remainder of the funds and who was responsible for the crime.
AFP Commander Cybercrime Operations Chris Goldsmid said anyone can be a victim of BEC, with cyber-criminals using sophisticated techniques to trick their targets.
“Don’t be embarrassed if you fall victim, report it immediately to your bank and the police to give us the best chance of recovering your money.
“If you are transferring money online do your due diligence, ensure you are comfortable that you are sending the money to the correct person and account.
“If you think an email is suspicious, make further enquiries. Call and check directly with the business or organisation you are dealing with. It is reasonable to ask questions to protect yourself or your company,” Commander Goldsmid said.