What are payment redirection scams?

Payment redirection scams, such as Business Email Compromise (BEC), are among the top 3 scams to cause financial harm to Australian businesses.

That’s the startling conclusion of Scamwatch, a service of the Australian Competition and Consumer Commission (ACCC), which received over 1,300 reports of payment redirection scams in 2020, a 44% increase on the previous year.

According to the Australian Cyber Security Centre (ACSC), one category of cyber-incident is increasing at a faster rate than any other: BEC.

In the 2020-2021 financial year alone, the ACSC recorded over 4,600 BEC incidents, with total losses exceeding $81.5 million, a significant 15% increase on the previous year.

Most concerning was the dramatic jump in the average amount lost in a successful BEC attack. It rose a whopping 54% to $50,600 over the previous year.

How do payment redirection scams happen?

At the heart of the payment redirection scam phenomenon sits a critical gap in the Australian banking verification system:

Whenever funds are transferred electronically, the sending bank does not have the ability to verify that the sender entered an Account Name that aligns with the BSB and Account Number they entered.

In fact, the Account Name is treated as nothing more than a comment box, and is essentially ignored by the banks.

Funds are simply transferred to the BSB and Account Number that is entered.

Why is this banking verification gap a serious problem?

Put simply, many senders assume that if the Account Name they entered does not align with the BSB and Account Number they entered, the bank will reject the payment.

This is an incorrect assumption which results in senders simply checking to ensure they entered the correct Account Name without paying too much attention to either the BSB or Account Number.

This verification gap opens up a significant opportunity for scammers.

By finding a way to manipulate the BSB and Account Number, criminals can deceive a victim into transferring funds to an incorrect bank account. All the while, the victim thinks they are sending funds to a legitimate receiver. By the time they realise the error, it is too late. The funds are long gone.

Scammers usually seek to manipulate supplier invoices. Sophisticated cyber-criminals may hack into email systems, Vendor Master Files or ERP platforms in order to manipulate BSB and Account Number information in invoices.

Other scammers engage in social engineering tactics in which they attempt to deceive unsuspecting Accounts Payable staff into changing supplier banking records.

Whichever tactics they use, scammers are all relying on one fact: they can manipulate the BSB and Account Number, whilst keeping the Account Name legitimate. Due to the fact that the banks do not verify that the Account Name aligns with the other payment details, it is relatively easy to commit payments fraud.

What is the ePayments Code?

The ePayments Code is a voluntary code of conduct that most Australian financial institutions follow, that addresses the way digital payments are handled.

Given the rapid change in the digital payments landscape, the Australian Securities and Investments Commission (ASIC) is looking to ensure the code remains fit-for-purpose.

The code discusses how financial institutions should handle mistaken internet payments (MIPs). In cases where a genuine error was made, the banks have taken it upon themselves to assist in funds recovery.

However, the updated code is making it clear that the definition of an MIP does not extend to scams.

In a situation in which an individual or an organisation is scammed into transferring funds to a criminal’s bank account, most of the time the banks aren’t able to retrieve the funds, even though it is due to a structural flaw in the banking verification system that opened the path to the scam.

In our submission to the ASIC ePayments Code review, eftsure acknowledged that the voluntary nature of the code made it challenging to deal with such scams. Nonetheless, with some goodwill on the part of the banks, regulators and organisations that are committed to addressing this problem, such as eftsure, it should be possible to do more to help protect innocent victims of payment redirection scams.

Why won’t banks do more to help victims?

Reports in the media highlight that the banks are reluctant to take full responsibility for scam payments.

In internal documents obtained under freedom of information laws, ASIC detailed “strong opposition” from the banks to proposals for new obligations “to prevent scams or reimburse customers for losses”.

The reporting indicates that whilst the ACCC pushed to include scam prevention as part of the ePayments Code review, ASIC ultimately decided against this after fierce pushback from the major banks.

It is reported that the banks claimed that accepting liability for “preventing customers from falling victim to scams is problematic, as it raises moral hazard issues (i.e. there is a risk that customers take less care if they know they will always be backed by their ADI).”

There is some validity to the banks’ concerns. If payers know they are covered by the bank if they fall victim to a scam, they may be less inclined to implement robust payment controls that help identify malicious activities.

The fact is that a systemic gap exists in the payment verification system used by the banks. Whilst this is exposing people to an increased risk of being scammed, addressing this gap is a challenge that banks around the world are struggling to address. It’s unlikely the banks will be able to fully address this gap any time soon.

Where does that leave scam victims?

At the same time, scammers are becoming increasingly sophisticated. It is not reasonable to expect the vast majority of people to possess all the required skills to identify and block all potential scams.

Whilst the ACCC and the Consumers’ Federation of Australia (CFA) support the introduction of an Account Name checking tool, claiming it would address increasingly prevalent scams, the banking industry argued name-checking would increase “friction” and “substantially delay” payments processing.

However, eftsure believes that name checking, when done in conjunction with industry participants, need not cause friction or delays.

With the right technical solution that aligns with the banking system, a way can be found the protect organisations from such scams.

How can eftsure help?

It is clear that Australian banks are limited in what they can to stem the rise in costly payment redirection scams, such as BEC.

At eftsure, we strongly agree that a tool is urgently required that enables those processing payments to verify that the Account Name, BSB and Account Number are all accurate. This is the best way to ensure that your organisation does not become a victim of the scammers.

Thankfully – eftsure has developed just such a tool!

Sitting on top of your accounting processes, and operating in real-time, the eftsure tool neither increases friction, nor substantially delays payments.

Within moments, your Accounts Payable staff will see whether the banking details they are using to pay an invoice aligns with the information in the unique eftsure database. Our database comprises banking information relating to nearly 3 million Australian organisations. When it comes time to process a payment, you will instantly know whether other organisations have used the same bank details to pay the same supplier. If so, you can rest assured that the banking information is accurate.

Don’t wait for the banks to address the verification gap in their systems. Contact eftsure and start protecting your organisation’s payments today.

Subscribe to our blog

Subscribe to the eftsure blog to receive updates when we post.