Why email invoice scams are so hard to solve

By Collaborative Media & Publishing
When a business falls victim to an invoice fraud, chances are it will never see that money again.
It’s one of the things that make the growing incidence of email compromise scams in Australia such a major problem and challenge.
“As soon as the money has been paid into a scammer’s bank account it is rapidly moved offshore,” says Paul Haskell-Dowland, Associate Dean for Computing and Security in the School of Science at Edith Cowan University.
“The minute that it's gone offshore, the banks really have no authority to do anything. And generally, the police won't investigate unless it's a really large value,” he says. “And even then, if the jurisdiction is outside of their control or influence then you're probably never going to see that money again,” he adds.
Invoice fraud is a growing problem in Australia.
The average loss in a payment redirection scam this year is five times what it was in the same period last year, according to the government’s ScamWatch website. Australian businesses reported over $14 million in losses to ScamWatch from payment redirection scams in 2020.
An emerging trend is that sporting clubs and community organisations are being targeted alongside businesses, ScamWatch said.
In a payment redirection scam, also known as a business email compromise scam, scammers impersonate a business or its employees via email and request that payment for a legitimate invoice be sent to a fraudulent account.
Sometimes the scams are opportunistic, but mostly they are perpetrated by organised cyber criminals. “They are very well motivated and very well equipped,” says Haskell-Dowland.
Usually the business which paid the invoice to the fraudulent account is liable for the loss, because ultimately they haven’t paid the invoice for the goods or services supplied.
However, it’s not always clear cut, because liability depends on where the scam originated – within the business sending the invoice because of a compromise in their security processes, or once the email has left the business.
“Proving where an email got modified is very challenging,” says Haskell-Dowland.
PDF invoices are easily modified
Payment redirection scams can take several different forms. In some instances, scammers break into a legitimate email account and pose as the business. In others they intercept legitimate invoices and amend the bank details before forwarding them to the intended recipients.
To most people receiving such an email, everything looks legitimate: the email senders and receivers are as they should be, and the PDF of the invoice doesn’t look any different from usual. But Haskell-Dowland says people are too trusting of PDFs and don’t realise how easily they can be modified.
Once a business has suffered an email scam, it quickly changes its practices. One solution is to omit bank account details from the invoice and instead ask customers to telephone to verify the account details, although this makes for a much less seamless payment experience.
“Another solution is to use something like BPAY, where the recipient organisation’s name is visible to the payer when they enter the Biller Code of the company being paid, or PayID, which uses an email address or phone number for payments on the BPAY Group’s Osko service,” says Haskell-Dowland.
Paying invoices without BPAY is more of a challenge. When a payer enters a BSB and account number, for instance, there is no confirmation that the right person or business is being paid.
“A bank number and a BSB code doesn't tell you anything,” adds Haskell-Dowland.
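One way a paying business can act on this in its own accounts-payable process is to treat the bank details printed on an invoice as untrusted input and compare them against a vendor master record that was confirmed out of band. The following is an added example, not code from the article or from BPAY; the vendor master, the invoice values and the BSB format check are constructed assumptions, and the decision an invoice gets is simply "pay" or "hold for a phone call to a known number".

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed vendor master: bank details confirmed with each supplier
# over a separately sourced phone number, never copied from an invoice.
# Vendor names, BSBs and account numbers are made up for this example.
VENDOR_MASTER: Dict[str, Dict[str, str]] = {
    "ACME Office Supplies": {"bsb": "062-000", "account": "12345678"},
    "Northside Cleaning": {"bsb": "033-123", "account": "87654321"},
}

# Australian BSB: six digits, conventionally written NNN-NNN.
BSB_RE = re.compile(r"^\d{3}-?\d{3}$")


@dataclass
class Invoice:
    vendor: str      # supplier name as printed on the invoice
    number: str      # invoice number
    bsb: str         # BSB printed on the invoice
    account: str     # account number printed on the invoice
    amount: float


def normalise_bsb(bsb: str) -> str:
    """Canonical NNN-NNN form so '062000' and '062-000' compare equal."""
    digits = re.sub(r"\D", "", bsb)
    return f"{digits[:3]}-{digits[3:]}"


def check_invoice(inv: Invoice, master=VENDOR_MASTER) -> Tuple[str, str]:
    """Decide whether an invoice can go straight to payment.

    Returns ("PAY", reason) or ("HOLD", reason). Anything that differs
    from the out-of-band-verified master record is held, because the
    invoice itself (PDF or email body) is exactly what a scammer alters.
    """
    if not BSB_RE.match(inv.bsb.strip()) or not inv.account.isdigit():
        return "HOLD", "malformed BSB or account number"
    known = master.get(inv.vendor)
    if known is None:
        return "HOLD", "unknown payee: confirm details by phone before first payment"
    if (normalise_bsb(known["bsb"]) != normalise_bsb(inv.bsb)
            or known["account"] != inv.account):
        return "HOLD", ("bank details differ from vendor master: "
                        "possible payment redirection, confirm by phone")
    return "PAY", "bank details match vendor master"


def triage(invoices: List[Invoice]) -> List[Tuple[str, str, str]]:
    """Run the check over a batch; returns (invoice number, decision, reason)."""
    return [(inv.number, *check_invoice(inv)) for inv in invoices]


# Constructed sample batch: one clean invoice, one with an altered account
# number (the redirection case), one from a payee not yet on file, and one
# with a malformed BSB.
SAMPLE_INVOICES = [
    Invoice("ACME Office Supplies", "INV-1001", "062-000", "12345678", 1500.00),
    Invoice("ACME Office Supplies", "INV-1002", "062000", "99990001", 2400.00),
    Invoice("Harbour Catering", "INV-2001", "012-345", "55555555", 800.00),
    Invoice("Northside Cleaning", "INV-3001", "33-123", "87654321", 300.00),
]

if __name__ == "__main__":
    for number, decision, reason in triage(SAMPLE_INVOICES):
        print(f"{number}: {decision} ({reason})")
```

The point of the design is that the master record, not the invoice, is the source of truth for where money goes; a changed BSB or account number on an otherwise genuine-looking invoice is precisely the signal of the scam the article describes, so it is held rather than paid, and the confirming phone call goes to a number already on file, not to one printed on the suspect invoice.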
It’s a problem businesses will have to grapple with for now. In the longer-term, BPAY Group is working on a solution to help all businesses – not just BPAY customers – ensure they are paying the right person.

Published by BPAY Pty Ltd (ABN 69 079 137 518), email: marketing@bpay.com.au. The BPAY Scheme is managed by BPAY Pty Limited.
