Internet Security

Business to Business** Transactions

22 March 2022 - Updated Security Recommendations for Business to Business** Customers

It has become clear that if you are a business of any size transacting with another business of any size, especially where significant amounts of money change hands on a regular basis, you are a specific target for scammers, predominantly, but not exclusively, by email.

The biggest single issue is related to payments from customer to supplier. There are two common approaches scammers take as follows

  • Gain access to the mailbox of either party and then look for invoices which are fraudulently altered with regard to changing bank details

  • Or they note the link between two businesses and send an authentic looking email from a similar-looking email address advising that the bank details have been changed and advising that all future payments be paid to the new bank account operated by the scammer.

  • The introduction of OSKO (or the New Payments Platform) has been a boon for scammers and a disaster for the business (and the wider) community because the payments are processed by most (if not all) banks in under a minute. In other words, the scammer receives the stolen funds immediately and then immediately transfers the stolen funds out of Australia one way or another and the funds are gone.

A large part of the problem that pretty much all banks are careless with first payments to a new payee. They are all aware of Business Confidence Scams relating to change of bank details yet they take almost no care with first payments to a new payee and simply rely on the authorization code they send to you without realising that scammers can defeat that process easily. All banks have to do is have a safer process for first payments to a new payee and the majority of internet banking scams would fail saving their customers millions of dollars. But they don't, they would rather blame you, the customer, for being scammed. True story.

We strongly recommend that all businesses** take the following action as a matter of urgency

  1. Immediately introduce two-factor authentication (or two-step verification) on all mailboxes used by the business**

  2. Immediately alert all staff involved with the payment of accounts to be alert to any advice regarding a change in bank account details

  3. Immediately alert all customers that under no circumstances will a change of banking details be advised by email, ever

  4. Immediately alert all suppliers that any change of bank details must be on the business** letterhead, authorised by the owner/CEO/Manager of the business** and physically posted to the supplier. It may also be acceptable to use SMS messaging in urgent circumstances.

** This advice also applies to any organisation or individual transacting significant sums of money from time to time.

1 - Two-factor authentication

Two-factor authentication (2FA) goes by a number of different names and there are numerous ways to achieve this. For the sake of these recommendations, 2FA can be as simple as an SMS sent to your phone, but the best method is to install an Authenticator app on your phone.

If your email mailbox is not protected by two-factor authentication, it is very easy for a scammer to gain access if you give up your password. It's much tougher if the scammer has to steal your phone as well

2 - Alert your staff

Not only is important for your existing accounts/admin/office/management staff to be aware of this scam in particular, it is also important than any new staff member in the same area is informed, especially if they are relatively new to your workforce. There will always be new employees who are not aware of internet scams in general and this scam in particular. We recommend the following:

  • Make this a regular agenda item at all staff meetings

  • Include this information as part of your induction process for new staff

  • Create alert posters for your building and display them in a prominent location.

  • Schedule an annual review with all staff members involved in authorising and paying accounts

Make sure your staff are aware that this scam works both ways, on any given day an invoice or email you receive may have been fraudulently altered, and on any other day, an invoice or email you have sent may be fraudulently altered.

3 - Alert your customers

Remind them that you will NEVER advise a change of banking details via email

Remind them that every change of bank accounts and BSB numbers is a risk for the payer and you don't want them to have to pay twice!

Remove your bank details from your emailed invoices, only send bank details via SMS upon a verified verbal request. Once your bank details are in your customers' payee lists the first time, they don't need them again. Unless you switch banks....

Constantly remind your customers that a change of bank details is a portent of doom

4 - Alert your suppliers

This is where it will cost you if there is an unauthorised change to your suppliers bank details, first you pay the scammer and you still have to pay your supplier.

They too need to be careful about advising you of a change in their bank details, if that communication is intercepted, you will be given fraudulent bank details

They need to implement the same regime for updating banking details, many large customers already do this where there is a very secure process for updating bank details and never by email

Let me explain, no, there is too much, let me recap!

  • Knowledge is the key to your defence, the more this topic is discussed, the less likely the scammer will be successful

  • Scammers are finding new ways to steal our money all the time, next years successful scam will not be the same as what worked this year

  • Encourage your staff to check and double-check each other and their supervisors, this is no time for yes men/women!

  • Verify every phone call, every email, every SMS,every web page independently and only trust people you know personally

If you need more information

  • Call us on 08 8682 1666

  • Email, it's OK, I will double-check it was you who sent it!

  • Drop in to 92 Washington Street in Port Lincoln, even in the modern world of computers, it's reassuring to visit a bricks & mortar building with real people inside

Please Note: We no longer include our bank details on our invoices and every invoice includes a warning about first payments to a new payee. If we are not already a payee in your Internet Banking, please call us personally and we will confirm our bank details