Sophisticated Scammers Target NFPs
18 August 2016 at 3:51 pm
Scammers posing as chief executives or suppliers have stolen at least half-a-million dollars from Not for Profits and businesses in Western Australia over the last two years, sparking a warning from consumer protection agencies.
Acting director of retail and services at WA’s Department of Consumer Protection Lanie Chopping said Not for Profits could be at greater risk.
“Clearly Not for Profits often have less resources than other types of businesses, therefore it’s possible that their security mechanisms could be less robust in some cases, and therefore they could be easier targets to these types of scams,” Chopping told Pro Bono Australia News.
The department issued a warning on Wednesday, which said two different types of sophisticated scams were being used to target businesses and Not for Profit organisations.
“The first one is what we call the ‘false boss or CEO scam’ where the scammer finds a way to… basically impersonate the CEO or the boss to send an email or make contact with other staff members while he or she is absent from the workplace, asking them to transfer amounts of money for invoices or to third parties,” Chopping said.
“The bank account often looks legitimate but that’s because it’s used by a money mule for example. So it might be an Australian account but then the money will be shifted off to the scammers.
“In relation to that false-boss scam, since 2015 we’ve had 10 reports with losses around $48,000.”
The other scam, which is “more recent and more alarming”, is called payment diversion.
Consumer Protection has had 15 reports in WA since 2015 with losses of around $462,000. This week the Brisbane City Council also lost $450,000 in a similar scam.
“Scammers… try to find out as much information as they possibly can about the people who work in your finance area, their contact details, telephone numbers, identities, and then who you make payments to, your service providers,” Chopping said.
“From there they find a way to… intercept by, for example, contacting the accounts payable area and impersonating the payee and indicating that the service provider’s account details have changed and providing updated account details for future payments.
“For people who are on ongoing payments, the first time the business will know about it is when the service provider who usually gets paid doesn’t get their money.
“That can happen in a range of ways, it can happen through phishing phone calls and emails to find out information, or it can happen through email being hacked, or it can happen through invoices being forged with new account details, or it can even happen where bank account details have been hacked and electronic payments have been diverted to the scammer’s account.”
ACCC deputy chair Dr Michael Schaper told Pro Bono Australia News both scams were well known to the commission.
He said the digital age made it easier for scammers to collect information about and build profiles of people and organisations, especially because so much is divulged on social media.
However, he said there were certain preventative measures Not for Profits could take.
“[They] should ensure that effectively there is more than one person paying the bills or signing off on paying the bills,” Schaper said.
“This is really important because [in] most Not for Profits… there’s only a small number of people in there, and they’re often trying to get things done, time pressure and so forth.
“So part of what scammers work on is the assumption that if you send a bill in that looks close enough to the real thing people will be too time pressed to query it. So having a second person check on it is a really useful tool because the first person might be just trying to process things, the second person will go, ‘hang on why are we paying this account to a different bank account?’ So it’s a flag.”
He also said to query anything that seemed suspicious, especially if it was a direction to pay money to a different bank account.
“The important thing there is not to use any of the information that’s come through in the suspicious email or letter, you need to go back and verify it from a trusted source, not from the last email because surprise, surprise, the same scammers… will often have set up a fake email address, even a website and sometimes phone numbers if they’re sophisticated enough,” he said.
“So if you ring the number or go online you’re going to be told it’s perfectly legitimate.”
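One way an accounts-payable team could encode the two controls Schaper describes (a second, different approver on every payment, and confirming any change of bank details only through the supplier contact already on file, never through details supplied in the invoice or email). This is an added example, not code from the article or any agency; the vendor master record, phone numbers and invoice values are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed vendor master: bank details and a contact number recorded when
# the supplier was set up, i.e. a source independent of any later invoice or email.
VENDOR_MASTER: Dict[str, Dict[str, str]] = {
    "ACME Cleaning": {"bsb": "016-001", "account": "12345678", "phone": "08 9000 0001"},
}


@dataclass
class Invoice:
    vendor: str
    amount: float
    bsb: str
    account: str
    approvers: List[str] = field(default_factory=list)  # staff who signed off
    # Number the accounts team actually rang to confirm a change of bank
    # details, or None if nobody rang anyone.
    confirmed_on: Optional[str] = None


def payment_holds(inv: Invoice, master: Dict[str, Dict[str, str]] = VENDOR_MASTER) -> List[str]:
    """Return the reasons to hold this payment; an empty list means it may be released."""
    holds: List[str] = []
    on_file = master.get(inv.vendor)
    if on_file is None:
        return ["payee not in vendor master"]
    if (inv.bsb, inv.account) != (on_file["bsb"], on_file["account"]):
        # Bank details differ from what is on file: the payment-diversion signal.
        if inv.confirmed_on is None:
            holds.append("changed bank details not confirmed with supplier")
        elif inv.confirmed_on != on_file["phone"]:
            # A number lifted from the invoice or email may belong to the scammer.
            holds.append("change confirmed via number not on file")
    if len(set(inv.approvers)) < 2:
        # Dual control: the same person approving twice does not count.
        holds.append("needs a second, different approver")
    return holds


if __name__ == "__main__":
    diverted = Invoice("ACME Cleaning", 1200.0, "012-999", "99999999", ["alice"])
    print(payment_holds(diverted))
```

The same check can run over a whole payment batch before the bank file is generated, so a diverted account never reaches the upload step unflagged.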
Schaper said Not for Profits should also be aware of ransomware “where someone downloads something like a zip file that actually captures the organisation’s information and then you’ve got to pay a ransom in order to get it back”.
“One, don’t open attachments if they don’t come from a trusted source, and secondly, backup your information regularly and back it up offline.
“The ransomware one is really important because potentially it could destroy the whole organisation even if you pay the ransom there’s no guarantee you’ll get the [data] back.
“It’s not just your work in progress [that’s lost], it’s your membership, your donors, your supporters. If all that information is lost that’s pretty much irretrievable. So backing up and keeping a copy offline so if you do get contaminated… by any sort of virus you’ve got a secure source, is pretty important.”
Schaper urged the sector to use Scamwatch to report or stay up to date on scams.