The ADF wishes to advise all customers to beware of an invoice email scam that is currently targeting Queensland businesses.
This scam involves scammers pretending to be legitimate suppliers advising changes to payment arrangements or bank account details held on file. The scammer will send an email which is disguised to appear almost identical to the legitimate suppliers’ email advising updated account information and potentially requesting payment.
How the scam works
This is quite a sophisticated scam where the scammers work very hard to make you believe the account details and payment requests are legitimate.
– Scammers hack into supplier email accounts and obtain information including customer lists, bank details and previous invoices.
– Your school or parish is then sent an email which appears as though it is from a known supplier requesting a change to the usual payment details and may also include a request for payment.
– The scammers either disguise the email address they are sending the email from or they have created a new address that appears almost identical to the legitimate one, this is called ‘spoofing’. Spoofed emails can be quite difficult to detect. For example the legitimate address is email@example.com and the spoofed address could be firstname.lastname@example.org or email@example.com
– The scam email will also often contain a copy of the suppliers logo, use the same message format and style and in some cases may even include an attachment on company letterhead which they obtained as part of their hack. It may even contain links to websites that are convincing fakes of the suppliers real website.
How to protect your school or parish
There are a number of steps that your business can take to protect yourself from scams of this nature.
1. Ensure your staff are aware of this scam and understand how it works so they can identify it, avoid it and report it.
2. Double check email addresses, if you look closely you should be able to spot a fake.
3. Have a clearly defined process for verifying and payment accounts and invoices which tracks goods/services received and reconcile this to invoices.
4. If you think an email you have received is suspicious, DO NOT reply. You should call the company on contact details that you already have on file or ones you have found in the phone directory, not the ones provided in the email.
5. If the account details provided on the invoice or payment request are different from those used previously, call the company to confirm.
More details on this scam can be found at https://www.scamwatch.gov.au/news/invoice-email-scam-now-targeting-australian-businesses
If you are concerned that you may have been a victim of this or any other scam, please contact the ADF immediately.