In 2021, the ACCC’s Scamwatch received 3,624 reports from businesses regarding payment redirection scams, with $13.4 million reported lost. Of that, $7 million was attributed to small businesses and microbusinesses, with small businesses recording the highest median loss of $3,812.
The ACCC defined a microbusiness as one with zero to four staff and a small business as one with five to 19 staff.
Payment redirection scams involve defrauders impersonating a business or its employees via email and requesting an upcoming payment be redirected to a fraudulent account, said ASIC.
The commission said that payment redirection scammers have a number of ways of implementing their scams. In some cases, they hack into a legitimate email account and pose as the business by intercepting actual invoices and amending bank details.
In other instances, scammers impersonate people by using a registered email address that is very similar to one from a legitimate business.
The increase in scams and their costly results have led ASIC to re-emphasise steps businesses can take to protect themselves.
The four steps that ASIC provided were to understand your duties, take action, aim for continuous improvement and remain vigilant.
Within step one, to understand your duties, ASIC said that company directors and business owners need to recognise the cyber-security risk and how to best protect the business. To assist with this, ASIC had published a list of cyber-risk governance questions to be considered.
Step two was to take action. This step is for heads of companies to ensure vigorous cyber-security resilience strategies are in place to protect against threats and scams, said ASIC.
Under step three, ASIC said that implementing cyber security was not a set-and-forget job but required constant revision and improvement to stay ahead of constantly evolving threats.
For the final step, to remain vigilant, ASIC said that businesses needed to constantly assess new ways individuals are trying to scam them.
For a business that has been scammed, ASIC said it needed to stop sending money to the company, contact its bank, be wary of follow-up scams posing as offers to recoup lost funds, and report the scam to Scamwatch.
ASIC said that if your business has been scammed in relation to a financial product or service, it needs to lodge a report of misconduct with ASIC, report it to the bank and consider reporting the matter to police.