A recent case of business email compromise involving a NAB Private customer nearly resulted in $6 million being transferred to the account of a scammer.
The customer had requested that a relationship associate at NAB Private transfer the funds into an international account as part of a capital raising round.
Even though the $6 million was being sent to a regular recipient, the relationship associate, Stacey, contacted the client to check that the details were correct.
The customer confirmed this to be the case but asked Stacey to pick up the issue with his accountant, who she then contacted to clarify that the money was supposed to go to an account based in Singapore.
While waiting for a response, Stacey read back over the email chain between the customer and the recipient and noticed changes including a spelling mistake and a different tone.
“I could also see the account had changed to an overseas account and the date of the payment had been brought forward, so there were a few red flags jumping out at me,” she said.
Stacey immediately contacted the customer’s accountant to ensure they didn’t process any payments to the account and prevented the $6 million from being sent to the scammer.
“The supplier’s emails had been hacked by a criminal who then impersonated employees from the organisation,” said NAB executive, group investigations and fraud, Chris Sheehan.
“They changed the banking details on invoices in the hope of receiving the funds.”
Figures from the Australian Federal Police indicate that, during 2020-21, Australians lost more than $79 million in cases of business email compromise where an organisation’s email account has been taken over by scammers to conduct fraudulent activities.
“Criminals gain access to email accounts by sending a phishing email which appears to come from a trusted organisation or contact,” explained Mr Sheehan.
“This email might request the recipient’s email account username and password, or ask them to click on a link which downloads malicious software onto their device.”
NAB warned its customers and colleagues to remain vigilant and noted that scam emails may come from a trusted contact who has had their account compromised.
While the bank said that it had sophisticated fraud detection software in place, it noted that money is often unable to be recovered in events of business email compromise and that, in this case, it was human interaction that had saved one of its customers from losing $6 million.
“People like Stacey are the first line of defence against fraud and scams,” Mr Sheehan said.
“If you see something that doesn’t look right, investigate it further before you action the request. Customers should verbally confirm all requests to new accounts using publicly available phone numbers to do this.”
