August 15, 2022

The red flags that alerted NAB banker to a six million dollar scam

Cyber crime can be an abstract threat – until it happens to you. How do you ensure you, and your business, aren’t impacted?

The pandemic has proven fertile ground in Australia for cyber crime, with our increased reliance on the internet providing numerous opportunities for cyber criminals.

In fact, a cyber crime was reported to the Australian Cyber Security Centre every eight minutes in 2020-21. That’s nearly 13 per cent higher than the previous financial year, resulting in more than $33 billion in reported losses. As many cases go unreported, the real number of incidents is likely far higher.

Yet despite such huge losses, cyber crime remains a vague threat to many of us – until we’re personally affected.

Take one of our NAB Private clients, who came close to losing $6 million on a multimillion-dollar property settlement in March this year. He happened to be doing something he often does – transferring money overseas. What’s more, the recipient was a lifelong friend.

The only problem was that this time, cyber criminals had inserted themselves into the process, taking control of his friend’s business email account in an attempt to redirect the funds into a bank account they controlled.

A red flag

Our client knew nothing of the attempted scam except that his friend was apparently no longer using his NAB account to accept the funds, instead asking for them to be sent to a bank in Singapore.

Indeed, no-one questioned the transaction at all, until one of our NAB Private Associates, Stacey Boulden, noticed the misspelling of a word in an email to our client from the recipient’s ‘accountants’.

“When our client asked to make this transfer, everything seemed pretty normal,” Boulden recalls. “It was consistent with other transfers he’s made in the past and was to a regular recipient.”

However, just to be sure, Boulden checked with the client and his accountant. What’s more, she asked them to call the end recipient of the funds to confirm the transfer – including the international fees it would attract.

In the meantime, she read through some of the previous emails between the client and his counterparty and noticed the word ‘group’ had been misspelt. She also observed that some of the greetings differed and there was a slightly different tone to later emails.

As Boulden explains: “I could also see the account had changed to an overseas account and the date of the payment had been brought forward, so there were a few red flags jumping out at me.”

Her immediate response was to call the client’s accountant to prevent the processing of any payments. By doing so, she saved the client $6 million.
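
The red flags Boulden describes (a changed account, an overseas bank, a payment date brought forward and a misspelt word) can also be checked mechanically before a transfer is released. The following is an added example, not NAB's own software; the payee name, account labels, dates and email text are constructed for illustration.

```python
import difflib
import re
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Instruction:
    account_id: str   # account the funds are to be paid into
    country: str      # country of the receiving bank
    pay_on: date      # requested payment date
    email_body: str   # text of the email carrying the request

def near_misses(payee_name, body):
    """Words in the email that almost, but not exactly, match a word of the payee's name."""
    known = sorted({w.lower() for w in re.findall(r"[A-Za-z]{4,}", payee_name)})
    hits = []
    for word in re.findall(r"[A-Za-z]{4,}", body):
        w = word.lower()
        if w not in known and difflib.get_close_matches(w, known, n=1, cutoff=0.75):
            hits.append(word)
    return hits

def red_flags(payee_name, on_file, request):
    """Compare a new payment request with the details already held for this payee."""
    flags = []
    if request.account_id != on_file.account_id:
        flags.append("account changed")
    if request.country != on_file.country:
        flags.append("receiving bank country changed")
    if request.pay_on < on_file.pay_on:
        flags.append("payment date brought forward")
    flags += [f"misspelling: {w}" for w in near_misses(payee_name, request.email_body)]
    return flags

# Constructed sample data (hypothetical payee, accounts and dates).
PAYEE = "Harbourline Group"
ON_FILE = Instruction("ACCT-ON-FILE", "AU", date(2022, 3, 25),
                      "Regards, Accounts, Harbourline Group")
REQUEST = Instruction("ACCT-NEW", "SG", date(2022, 3, 18),
                      "Please pay the new Singapore account. Regards, Accounts, Harbourline Gruop")
CLEAN = Instruction("ACCT-ON-FILE", "AU", date(2022, 3, 25),
                    "Please pay as usual. Regards, Accounts, Harbourline Group")

if __name__ == "__main__":
    for flag in red_flags(PAYEE, ON_FILE, REQUEST):
        print("HOLD and confirm by phone:", flag)
```

Any flag is a reason to hold the payment and confirm it by phone on a publicly listed number, not proof of fraud on its own.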

Why appearances can be deceptive

So how did this scam nearly happen?

“The emails from our client’s friend had been hacked by criminals, who then impersonated employees from his organisation,” explains NAB Executive, Group Investigations and Fraud, Chris Sheehan. “They changed the banking details on invoices in the hope of receiving the funds.”

This type of cyber crime often works so well because a payer will usually assume the account details on the invoice are correct, even if they’ve been changed. “That’s what can make them difficult to detect,” Sheehan says.

In order to change the bank account details on the invoice, cyber criminals have to take control of the sender’s email account. This can be rather simple, explains Sheehan: “Criminals can send a phishing email which may appear to come from a trusted organisation or contact. This email might request the recipient’s email account username and password to log in to a service, or ask them to click on a link which downloads malicious software onto their device.”

The fact that the email has often been sent from a trusted contact – who has had their own email account compromised – means it often goes undetected. Meanwhile, the criminals can use the compromised email account to send fake invoices, request updates to bank account details, or intercept and alter inbound payment details – as our client experienced.

Vigilance at every level

Unfortunately, business email compromises have been on the rise over the past two years, with Australians losing more than $79 million in 2020/21 alone, according to the Australian Federal Police.

And while NAB has sophisticated fraud detection software in place – and will do everything it can to retrieve the funds – it’s often beyond the bank’s control.

“As a result, the business or person who sent the transfer can be left significantly out of pocket,” Sheehan says.

It’s why NAB encourages both its colleagues and clients to remain vigilant. “Human interaction in this case saved our client a considerable amount of money,” Sheehan points out.

Here are a number of simple steps you can take to stay protected:

  • Make sure you verbally confirm all requests to make payments to a new account by calling the supplier/recipient on a publicly listed phone number. Don’t call the phone number on the invoice/email as these details may have been altered also.
  • Use PayID or BPay as a fast and secure way to send and receive money. Paying to a PayID also shows you the legal name of the person or business you’re sending money to, so you can confirm it’s the intended recipient. You can learn more at nab.com.au/payid.
  • Check your email account settings for any auto-forward rules that you didn’t set up yourself, as this can be a sign that emails are being forwarded to another account. Also check the ‘Sent’ and ‘Deleted’ folders periodically for emails you did not send.
  • Use a unique, strong password for each account, and turn on multi-factor authentication (MFA) where possible, especially for important accounts such as email and banking. MFA provides an extra layer of security by requiring an extra piece of information to access your account, helping to prevent unauthorised access.

To find out more about how to protect you and your business from email-based scams and other cyber threats, visit the NAB Security Hub at nab.com.au/security. You’ll find up to date security alerts, articles with practical advice, videos, the NAB Security podcast, and more.

 

 

 

 
