Calculating the Cost of Chaos
The annual Targeting Scams Report by the ACCC provides a snapshot into the scale and nature of scams being perpetrated against Australians.
In 2021, nearly $1.8 billion in losses were reported to the ACCC, the Australian Cyber Security Centre, individual financial organisations and other government agencies. When taking into account the fact that around one third of scam victims don’t report to anyone, it is clear that the actual losses are likely to be far higher.
On top of the direct cost of defrauded funds, businesses targeted by scammers face other rapidly escalating costs. Engaging cyber security experts, including forensic and incident response specialists, can be prohibitively expensive. Any attempts to recover stolen funds can result in protracted legal proceedings and exorbitant legal costs. And never assume cyber insurance has you covered – all too often the fine print in cyber insurance policies will exclude losses due to Payment Redirection/BEC scams.
Importantly, it must also be remembered that the true cost of chaos that ensues from being scammed is far more than just financial. When a business is scammed, executives and staff members within the business can suffer anxiety and emotional stress. It can also have life changing consequences for many individuals’ careers. Being scammed undermines a victim’s self-confidence and may cause others to question their competence in their role.
Payment Redirection Scams Skyrocketing
Among the most common types of scams are Payment Redirection scams, otherwise known as Business Email Compromise (BEC).
In 2021, Australians reported losses totalling $227 million through Payment Redirection scams. This represents an increase of 77% over the previous year.
In fact, over 21,000 attempted false billing scams were reported to Scamwatch last year. Given that only 13% of victims report incidents to Scamwatch, it’s clearly a massive problem – and only getting worse!
Regulators, law enforcement and banks are making efforts to reduce scam levels, including:
- Awareness raising through the ACCC’s Scam Awareness Week
- The creation of the Joint Policing Cybercrime Coordination Centre (JPC3) – a new dedicated cyber-crime centre within the Australian Federal Police.
- The introduction of PayID, an initiative of the banks that links someone’s bank account to an easy-to-remember piece of information like a mobile number or email address
Whilst each of these initiatives is welcome, it’s clear they are not reducing skyrocketing cyber-crime rates in Australia. Any attempt to fundamentally change the way businesses process payments requires substantial investment, new technologies and cultural change. In the meantime, Australian businesses remain exposed to ever-growing threats.
The inability to stop scams led the ACCC to renew its call for the introduction of Confirmation of Payee (CoP), an initiative of banks in the UK to match a bank Account Number to the Account Name. However, the Australian Banking Association does not believe CoP technology is worth the investment, nor will it be effective enough to prevent scam payments.
There is a range of commercial, technical and privacy constraints that make verifying banking information across financial institutions logistically very difficult. It is widely believed that the CoP experiment in the UK has failed to live up to expectations.
In the meantime, Australian businesses remain exposed to the growing threat of Payment Redirection, or BEC, scams.
Focus on Prevention
So, if all the initiatives of regulators, law enforcement and banks aren’t adequately addressing the problem, what should Australian businesses do to protect themselves?
The answer is simple: Prevention!
Preventing Payment Redirection/BEC scams is critical. Scammers are increasingly sophisticated and are finding ways to circumvent your internal controls. They will stop at nothing when it comes to deceiving your Accounts Payable (AP) team into inadvertently transferring funds to them.
We are routinely seeing scammers:
- Hack into email systems in order to manipulate the banking details in supplier invoices
- Use the latest Deep Fake technologies to impersonate a CEO or CFO, in order to issue fake payment instructions to AP staff
- Gain unauthorised access to ERP systems so they can change payment details in ABA files or Vendor Master Files
- Access supplier computer systems to manipulate banking data – so despite paying invoices in accordance with information provided by your supplier, and having no control over the security of their systems, you remain liable for any lost funds!
As soon as the experts develop a new security system, the scammers identify a way to circumvent it.
Clearly, business leaders are on the back foot in this arms race. However, to stop the scammers, there are three key objectives every CFO or AP Manager should focus on:
- Ensuring you always have accurate vendor data
- Finding ways to share accurate vendor data across the payments ecosystem
- Being able to perform real-time vendor verifications immediately prior to processing a payment
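As an added illustration of the third objective (not code from Eftsure or from the original article), the Python example below reads the payee details out of an ABA payment file and compares them with independently verified vendor bank details just before the file is released. The 120-character field offsets follow the commonly published ABA layout and should be confirmed against your bank's specification; the vendor names, BSBs, account numbers and the `VERIFIED` store are constructed for the example.

```python
"""Pre-payment check: compare ABA detail records with verified vendor bank details."""

# Constructed reference data: account title -> (BSB, account number),
# assumed to have been verified out of band (e.g. by call-back to the supplier).
VERIFIED = {
    "ACME SUPPLIES PTY LTD": ("999-001", "12345678"),
    "NORTHSIDE FREIGHT": ("999-002", "987654"),
}

def detail(bsb, acct, cents, title, ref):
    """Build one 120-character ABA detail record (only used to construct sample input)."""
    return ("1" + bsb + acct.rjust(9) + " " + "50" + str(cents).zfill(10)
            + title.ljust(32) + ref.ljust(18) + "999-111" + "11112222".rjust(9)
            + "MY COMPANY".ljust(16) + "0" * 8)

def parse_detail(line):
    """Slice the fixed-width fields of a type-1 record (assumed standard offsets)."""
    if len(line) != 120 or line[0] != "1":
        raise ValueError("not a 120-character ABA detail record")
    return {"bsb": line[1:8], "account": line[8:17].strip(),
            "cents": int(line[20:30]), "title": line[30:62].strip().upper()}

def check_batch(lines, verified=VERIFIED):
    """Return (title, status) per payment; anything but MATCH should hold the payment."""
    results = []
    for line in lines:
        if not line.startswith("1"):  # skip header (type 0) and trailer (type 7)
            continue
        rec = parse_detail(line)
        known = verified.get(rec["title"])
        if known is None:
            status = "UNKNOWN_PAYEE"
        elif known == (rec["bsb"], rec["account"]):
            status = "MATCH"
        else:
            status = "MISMATCH"
        results.append((rec["title"], status))
    return results

# Constructed batch: the second record's BSB and account number have been altered,
# and the third payee has never been verified.
SAMPLE = [
    "0".ljust(120),
    detail("999-001", "12345678", 150000, "Acme Supplies Pty Ltd", "INV-1001"),
    detail("999-777", "55500111", 820000, "Northside Freight", "INV-2002"),
    detail("999-003", "444555", 30000, "New Vendor Co", "INV-3003"),
    "7".ljust(120),
]
```

Running `check_batch(SAMPLE)` just before upload catches a change made to the ABA file after the Vendor Master File was last reviewed, which is the window the attacks listed above rely on.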
Focusing on these three key objectives requires a great deal of manual work. Busy AP teams often don’t have the resources to focus on them, resulting in corners being cut – putting you at risk.
However, with a digital solution such as Eftsure sitting on top of your accounting processes, you are able to automate achieving each of these three key objectives.
How Eftsure Helps
Eftsure’s proprietary database aggregates and matches payment data from over 80% of active Australian corporate entities. This enables you to know that the bank account data you are using to pay a supplier matches the bank account data used by others when paying the same supplier.
According to Rickard: “Most banks only check the BSB and Account Number. They don’t have a red flag if there’s no match whatsoever between the name and where the money’s going.”
Eftsure provides the critical red flag. You gain visibility over who you are really paying, preventing you from becoming another victim of Payment Redirection scams.
If multiple other Australian organisations are using the same bank data to successfully pay the same supplier, you can be confident that scammers haven’t found a way to manipulate payment data. You can rest assured that you are not inadvertently processing funds to a fraudulent bank account controlled by the scammers.
Best of all, verifying bank account data occurs in real-time, immediately prior to processing a payment. You effectively close any window of opportunity scammers may have to manipulate supplier data.
The Eftsure platform is simple to use. When the supplier bank information you are using matches the information in our database, a green ‘thumbs-up’ signal is displayed indicating it is safe to pay. If the information does not match, a red ‘thumbs-down’ signal is displayed, giving your AP team time to pause and carefully check the payment data.
With over 1,000 Australian organisations relying on Eftsure to protect $8.5 billion in monthly payments, scam prevention has never been easier!
To prevent your organisation from being scammed, contact Eftsure for a full demo.