Rising payment redirection scams: Essential prevention tips for Australian businesses

Information Technology Cyber Liability
Joe Hershewe - Bellrock Advisory


Australian businesses and individuals have increasingly become the target of frauds known as payment redirection scams.

So, what is a payment redirection scam?

Payment redirection scams are frauds in which scammers impersonate a business or person to trick another party into paying money into an account the scammer controls. The scammers typically use fake invoices or a compromised email account to persuade the other party, whether a business or an individual, to make a payment to a new bank account, one that is controlled by the scammer.

According to the Australian Signals Directorate (ASD) in its Annual Cyber Threat Report 2024-2025, email compromise ranks among the top three self-reported cybercrimes for Australian businesses. See our recent article on the ASD’s Report here.

Payment redirection scams are in reality a form of social engineering, which we discussed in further detail here. Whilst social engineering losses are typically considered a ‘crime’ loss under an insurance policy, many cyber insurers provide a social engineering extension or, in the case of an actual email compromise, will consider the loss under the cyber policy’s cyber theft coverage.

Bellrock has recently assisted clients caught up in such frauds, involving either a client’s compromised email account or the client’s own employees being tricked by spoofed emails that mimic the legitimate email addresses of an otherwise trusted source. In each of the recent matters Bellrock assisted on, the scam could have been avoided through basic measures.

Essential prevention measures

For starters, businesses should implement the ‘four eyes’ principle, whereby any change to payment details requires verification by two separate individuals within the business.

As a general rule, any request purportedly from a trusted vendor for its invoices to be paid to a new bank account should be vetted by verbal confirmation: the payor should call a known person at the vendor’s organisation (preferably someone the payor already knows in the vendor’s finance department) on a contact number the payor already holds and has used before.

Never use the contact details provided in the same message or invoice as the payment change request, as these are likely to have been doctored by the scammers. New vendors being paid for the first time should be vetted in the same way, and all invoices should be matched to an existing purchase order before payment is processed.

Businesses should pay particular attention to detail in emails, as scammers often register similar-looking domains that differ by only a single letter or number, for example ‘bellrocksadvisory.com’ instead of ‘bellrockadvisory.com’. Businesses should also be wary of requests purporting to be urgent, as urgency is a common tactic used to rush an employee’s decision-making so that the tell-tale signs (poor formatting, typos, mismatched hyperlinks and low-quality images) are overlooked.
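The lookalike-domain check above can be automated for a finance mailbox. The following is an added example, not code from Bellrock or this article; it assumes a constructed allowlist of vendor domains the business already pays and flags sender domains within a small edit distance of one of them, using the article’s own ‘bellrocksadvisory.com’ example as test input.

```python
import re
from typing import Dict, List

# Constructed sample allowlist of vendor domains already used for payment (assumption).
TRUSTED_DOMAINS: List[str] = ["bellrockadvisory.com", "examplevendor.com.au"]


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Extract the lower-cased domain from 'user@host' or 'Name <user@host>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)>?\s*$", address.strip())
    return m.group(1).lower() if m else ""


def classify_sender(address: str, trusted: List[str] = TRUSTED_DOMAINS,
                    max_distance: int = 2) -> Dict[str, object]:
    """Return 'trusted', 'lookalike' (near-miss of a known domain) or 'unknown'."""
    dom = sender_domain(address)
    if dom in trusted:
        return {"domain": dom, "verdict": "trusted", "closest": dom, "distance": 0}
    closest = min(trusted, key=lambda t: levenshtein(dom, t))
    dist = levenshtein(dom, closest)
    verdict = "lookalike" if 0 < dist <= max_distance else "unknown"
    return {"domain": dom, "verdict": verdict, "closest": closest, "distance": dist}


if __name__ == "__main__":
    for addr in ["accounts@bellrocksadvisory.com",   # one extra letter
                 "Joe <joe@bellrockadvisory.com>",     # genuine
                 "payments@bellr0ckadvisory.com"]:     # digit substitution
        print(addr, "->", classify_sender(addr))
```

A ‘lookalike’ verdict is a prompt for the verbal callback described above, not a reason to act on or ignore the message on its own.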

If in doubt as to the legitimacy of any email, businesses are encouraged to report the email to their internal IT team or their Managed Service Provider (MSP), and to implement email filtering tools that can detect and remove malicious emails. Any suspicious or irregular activity in an email account, or in the IT system more broadly, should also be escalated to internal IT as soon as possible. If an actual or suspected breach is detected, the matter should be escalated to your cyber insurer’s 24-hour hotline as soon as possible and, thereafter, to your risk and insurance advisor.

Recent Examples of Payment Redirection Scams

Example 1: A client’s finance employee paid an invoice for a regular vendor, even though the invoice carried new bank details that had not previously been used. The finance employee did not verbally verify the new bank details with a trusted person at the vendor. A month later, the client was chased by the same vendor for the outstanding invoice.

Upon further investigation by the client’s internal IT team, it became clear that the finance employee’s email had been compromised, most likely through a phishing attack, giving a threat actor (i.e. a hacker) access to the employee’s Outlook account. The hacker then altered an otherwise legitimate invoice to insert the hacker’s own bank account details.

The client was forced to pay the vendor’s legitimate invoice a second time, sustaining a loss of $50,000. Bellrock assisted the client with notifying its cyber insurer. The cyber insurer conducted a further investigation, and Bellrock obtained settlement of the loss under the available cyber theft coverage (net of the applicable deductible).

Example 2: A client’s new finance employee received an email directive, purportedly from the managing director, asking the employee to urgently wire $25,000 to an account located abroad, on the basis that this was to pay for expenses associated with setting up a new office.

The new finance employee, eager to assist the managing director, wired the money. It turned out that, whilst the managing director was indeed travelling abroad, no such payment request had been made. The email was a spoof that looked like the managing director’s actual email, but it had been sent from a different domain.

Bellrock prepared a detailed submission for the claim under the client’s crime policy, which afforded social engineering coverage, and facilitated the settlement of the client’s $25,000 loss (net of the applicable deductible).

Lessons learned

In short, proper payment handling protocols can eliminate the risk associated with payment redirection scams. Likewise, routine IT check-ups, in tandem with training employees to identify and report suspicious emails such as phishing emails, also play a vital role in minimising the risk of loss. Moreover, consideration of appropriate cyber and crime insurance cover is also imperative.

For more information, please contact your Bellrock Advisor.
