As businesses have started using technology more, online payment fraud has become a common problem. Email payment fraud is one of the most common and costly online scams. According to the Australian Competition and Consumer Commission’s (ACCC) Targeting Scam Report, business email compromises cost Australian businesses over $132 million in 2019 — the highest losses amongst all scam types. Over time, this kind of fraud has become more sophisticated, resulting in more businesses falling prey to this costly scam.
In this article, we provide an overview of email payment fraud and steps to protect your business from business email compromise and other interception methods.*
What is email payment fraud?
Email payment fraud, also known as business email compromise (BEC), occurs when someone sends an email impersonating a senior employee or supplier. This email will typically request a one-off payment or ask you to change the recipient for future payments. Cybercriminals are able to intercept people’s emails by finding weaknesses in your business systems and software.
For example, a hacker may intercept an email thread between you and a supplier discussing fees and payment details. Once the hacker has intercepted the exchange, they can redirect the payment to a different account. This is usually done by changing the payment details on an authorised invoice so that the payment goes to the hacker’s account rather than the supplier’s, which is also known as invoice redirection fraud.
Who is liable for invoice redirection fraud?
When someone falls victim to invoice redirection fraud, it obviously comes at a significant cost. As a relatively new area of risk, the legislation hasn’t caught up with a defined process to investigate and determine who is liable for the fraud. If it gets to the point that courts are involved, experts may be brought in to investigate all parties’ computers and systems involved in the transaction to determine where the breach occurred. The ACCC’s website provides a range of information and resources to small businesses about common scams and what to do if you suspect your business has been scammed.
How can you identify a fraudulent payment request?
Some online scams are quite sophisticated, and sometimes it can be difficult to determine if an email is fraudulent at first glance. There are a few warning signs you should look out for on any emails that seem suspicious:
- Requests for urgent payment
- Unusual language or formatting, including low-resolution imagery and logos
- The sender’s email doesn’t match the ‘reply to’ email
- The payment details in the email are different from the usual payment details
- The sender asks you to ignore the usual authorisation processes
To mitigate the risk of paying fraudulent invoices, you need to understand how to prevent online phishing attacks. First, if you’re unsure if an email or request for payment is legitimate, take steps to double-check the request. You should call the sender to confirm they sent the email. When you call the sender, make sure you use the number you have available, not contact information listed on the email. Further, never reply to an email until you’ve confirmed it is legitimate. If you determine the email is suspicious, escalate it with the appropriate people in your business and let the sender know they may have had a cybersecurity breach.
It’s also important to remember that you may not be the only recipient of a fraudulent email or request for payment. You should also educate your employees, so they know what to look out for in the event of email payment fraud. Other processes, such as implementing a multi-person approval process when paying new accounts, are also good ways to protect your business. You can also apply this approval process to any payment higher than an agreed-upon threshold. Staying up to date with popular scams will also be helpful for you and your team.
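A small triage check that applies the warning signs and confirmation steps above to an incoming payment request, as an added example that is not part of the original article. The vendor record, the two sample messages and the BSB/account patterns are constructed for illustration; a real check would read the vendor record from your accounts system.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample (not a real scam email): look-alike Reply-To domain,
# urgent language, and bank details that differ from the supplier's record.
SAMPLE_EMAIL = """\
From: Accounts <accounts@example-supplier.com>
Reply-To: Accounts <accounts@example-suppl1er.com>
Subject: URGENT: updated bank details for invoice 1042
Content-Type: text/plain; charset="utf-8"

Hi, please pay invoice 1042 today to our new account.
BSB: 999-888
Account: 55551234
"""
# Constructed legitimate invoice from the same supplier for comparison.
LEGIT_EMAIL = """\
From: Accounts <accounts@example-supplier.com>
Subject: Invoice 1041 attached
Content-Type: text/plain; charset="utf-8"

Hi, invoice 1041 is attached. Our usual details apply.
BSB: 123-456
Account: 12345678
"""
# Hypothetical vendor master file: supplier domain -> details confirmed by phone.
KNOWN_VENDORS = {"example-supplier.com": {"bsb": "123-456", "account": "12345678"}}
URGENCY_TERMS = ("urgent", "immediately", "today", "asap")


def domain_of(header_value) -> str:
    """Domain part of the address in a From/Reply-To header, lowercased."""
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()


def check_payment_request(raw: str, vendors: dict) -> list[str]:
    """Return the warning signs found in one email; an empty list means none."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = domain_of(msg.get("From", ""))
    reply_domain = domain_of(msg.get("Reply-To", msg.get("From", "")))
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")).lower()
    flags = []
    if reply_domain != from_domain:  # sender and reply-to do not match
        flags.append(f"reply-to domain '{reply_domain}' differs from sender '{from_domain}'")
    if any(term in text for term in URGENCY_TERMS):
        flags.append("urgent-payment language")
    bsb = re.search(r"bsb[:\s]*(\d{3}-?\d{3})", text)
    acct = re.search(r"account[:\s]*(\d{6,10})", text)
    if bsb or acct:  # the message carries bank details: compare with the record on file
        on_file = vendors.get(from_domain)
        if on_file is None:
            flags.append("payment details for a payee not on file: needs multi-person approval")
        elif (bsb and bsb.group(1) != on_file["bsb"]) or (acct and acct.group(1) != on_file["account"]):
            flags.append("bank details differ from the vendor record: confirm by phone on a known number")
    return flags
```

Any non-empty result means the request should be held and confirmed with the supplier on a number you already have, not one taken from the email.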
Spenda’s platform provides the secure infrastructure that businesses need to send invoices, make payments and manage their finances effectively. With our invoicing and payments platform, while customers need to input their details, this information remains secure and is securely sent to a payment gateway, which sends the payment to the supplier. This not only minimises the risk of error, but it mitigates the risk of cybercriminals intercepting your communications. Further, Spenda’s intuitive payment interface means you never need to share credit card or bank details over the phone or via email. Simply enter your information in the secure payment interface and payment will occur.
Security is a fundamental part of the way we build software at Spenda. All of our software engineers are accountable for ongoing cybersecurity risk awareness within the software domain, and ensure all software solutions are designed, built and maintained to the highest security standard. Our products support two-step authentication (2SA) for enhanced protection against unauthorised access.
In addition to our own internal security testing, Spenda’s products and services are also regularly (at least yearly) tested by independent external security consultants who perform penetration testing and other security assessments on our applications and cloud infrastructure. This approach allows all of a business’s transactions to be securely created, stored and audited within the Spenda infrastructure, and also sent securely across encrypted HTTPS channels to external parties or payment gateways, such as Fiserv.
Contact us today to learn more about Spenda’s solutions and how they can benefit your business.
*This article is for general information purposes only. Consult a qualified financial advisor regarding any changes to or decisions about your business’s finances.