Security Alert – Invoice Scam

The ADF wishes to remind all customers to beware of invoice email scams as they can result in potentially large losses if not detected.

This scam involves scammers pretending to be legitimate suppliers advising changes to payment arrangements or bank account details held on file. The scammer will send an email disguised to appear almost identical to the legitimate supplier's email, advising updated account information and potentially requesting payment.

How the scam works

This is quite a sophisticated scam where the scammers work very hard to make you believe the account details and payment requests are legitimate.

  • Scammers hack into supplier email accounts and obtain information including customer lists, bank details and previous invoices.
  • Your school or parish is then sent an email which appears as though it is from a known supplier requesting a change to the usual payment details and may also include a request for payment.
  • The scammers either disguise the email address they are sending the email from or create a new address that appears almost identical to the legitimate one. This is called ‘spoofing’. Spoofed emails can be quite difficult to detect. For example, if the legitimate address is bob.smith@abctrading.com.au, the spoofed address could be bob.smith@abctrading.com or bob.smith@acbtrading.com.au.
  • The scam email will also often contain a copy of the supplier's logo, use the same message format and style and in some cases may even include an attachment on company letterhead which they obtained as part of their hack. It may even contain links to websites that are convincing fakes of the supplier's real website.

How to protect your school or parish

There are a number of steps that your business can take to protect itself from scams of this nature.

  • Educate your employees on this type of fraud, ways to detect potentially fraudulent emails and invoices as well as what to do if they receive one.
  • Double check email addresses; if you look closely you should be able to spot a fake.
  • Have a clearly defined process for verifying and paying accounts and invoices which tracks goods/services received and reconciles these to invoices.
  • If you think an email you have received is suspicious, DO NOT reply. You should call the company on contact details that you already have on file or ones you have found in the phone directory, not the ones provided in the email.
  • If the account details provided on the invoice or payment request are different from those used previously, call the company to confirm.
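
The address check described above can also be automated. The following is an added example, not part of the original alert: it compares a sender's domain with the supplier domains held on file and flags near matches such as the two spoofed addresses given earlier. The function names, the supplier list and the distance threshold are assumptions made for illustration.

```python
from email.utils import parseaddr

# Supplier domains already held on file (constructed from the alert's example).
KNOWN_SUPPLIER_DOMAINS = {"abctrading.com.au"}

def sender_domain(address):
    """Return the lower-cased domain of a From value, or "" if there is none."""
    _, addr = parseaddr(address)
    _, at, domain = addr.rpartition("@")
    return domain.lower() if at else ""

def osa_distance(a, b):
    """Edit distance where insert, delete, substitute and adjacent swap cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            # Adjacent transposition, e.g. "acb" typed in place of "abc".
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def classify_sender(address, known=KNOWN_SUPPLIER_DOMAINS, max_distance=2):
    """Return ("known", d), ("lookalike", nearest known d) or ("unknown", None)."""
    domain = sender_domain(address)
    if domain in known:
        return ("known", domain)
    # Simplification: compare only the first label, so a changed suffix
    # (.com in place of .com.au) or a small misspelling both count as near matches.
    name = domain.split(".", 1)[0]
    for candidate in sorted(known):
        if osa_distance(name, candidate.split(".", 1)[0]) <= max_distance:
            return ("lookalike", candidate)
    return ("unknown", None)

if __name__ == "__main__":
    # Constructed sample senders, taken from the addresses in the alert.
    for sample in ("bob.smith@abctrading.com.au",
                   "Bob Smith <bob.smith@abctrading.com>",
                   "bob.smith@acbtrading.com.au"):
        print(sample, classify_sender(sample))
```

A "known" result only means the address text matches a supplier on file. An email with a disguised sender address, or one sent from a supplier mailbox that has been hacked, will still pass, so any change of bank details should still be confirmed by phone.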

Additional information on this scam and how to protect your school or parish can be found at https://www.scamwatch.gov.au/news/invoice-email-scam-now-targeting-australian-businesses

If you are concerned that you may have been a victim of this or any other scam, please contact the ADF immediately.