For Stacey, a Relationship Associate in NAB Private, customers requesting to make large transfers is pretty normal.

But recently, when Stacey was asked by Brody*, a NAB Private customer to transfer $6m as part of a capital raising round to an international account, her instinct kicked in and she started searching for more info.

“When Brody asked to make this transfer, everything seemed pretty normal,” said Stacey. “It was pretty consistent with other transfers he’s made in the past and was to a regular recipient.”

Just to be sure, Stacey called Brody to confirm that the details were correct. He assured her that they were.

“He asked me to pick this up with his accountant as he was about to catch a flight,” said Stacey, “so I spoke to his accountant to double check he wanted this to go into a Singaporean account.”

“I asked the accountant to call the supplier, the end recipient of the funds, to make sure this was what they wanted as there would be international fees.”

The red flags

As Stacey was waiting for confirmation from the accountant, she read through some of the previous emails between the customer and the recipient and noticed a few changes throughout the email chain.

“I first noticed the word ‘group’ misspelt as ‘gruop’ and the tone in some of the greetings was slightly different,” she said. “I could also see the account had changed to an overseas account and the date of the payment had been brought forward, so there were a few red flags jumping out at me.”

I called the accountant right away to make sure they didn’t process any payments to this account.

It turned out Stacey was right, and she had just saved the customer and the supplier from a $6m transfer to a criminal.

“The supplier’s emails had been hacked by a criminal who then impersonated employees from the organisation,” said Chris Sheehan, Executive, Group Investigations and Fraud. “They changed the banking details on invoices in the hope of receiving the funds.”

Business email compromise

This type of activity is known as business email compromise, and unfortunately, it’s on the rise.

Business email compromise is when an organisation’s email account is taken over by criminals to conduct fraudulent activities such as sending fake invoices, requesting updates to bank account details, or intercepting and altering inbound payment details.

“Criminals gain access to email accounts by sending a phishing email which appears to come from a trusted organisation or contact,” said Chris. “This email might request the recipient’s email account username and password, or ask them to click on a link which downloads malicious software onto their device.”

“Often the email has been sent from a trusted contact who has had their own email account compromised.”

According to the Australian Federal Police, financial losses by Australians impacted by business email compromise totalled more than $79 million in the 2020/21 financial year.

“Once money is sent in a business email compromise event, it often can’t be recovered, despite NAB’s best efforts.” said Chris. “This means the business or person who sent the transfer can be left significantly out of pocket.”

First line of defence

While there’s sophisticated fraud detection software used in NAB systems, customers and colleagues need to remain vigilant and on the lookout.

“Human interaction in this case saved the customer a considerable amount of money”, said Chris. “People like Stacey are the first line of defence against fraud and scams.”

“If you see something that doesn’t look right, investigate it further before you action the request. Customers should verbally confirm all requests to new accounts using publicly available phone numbers to do this.”

“Another way customers can have confirmation about who their transfer is going to is by using PayID, as this shows the legal name of the person or business you’re sending the money to,” said Chris.

Tips for customers to stay protected against business email compromise scams

• Make sure you verbally confirm all requests to make payments to a new account. Use a phone number that is publicly available.
• Use PayID or BPay as a fast, and secure way to send and receive money. It also shows you the legal name of the person or business you’re sending money to, so you can confirm it’s the intended recipient
• Check your email account settings for any auto-forward rules that you didn’t set up yourself, as this can be a sign that emails are being forwarded to another account. Also check the ‘Sent’ and ‘Deleted’ folders periodically for emails you did not send.
• Keep your anti-virus software up-to-date. NAB customers they have access to 6 months free antivirus software.
• Use strong passwords and multi-factor authentication.

For more information, head to Protect your business from email scams.

*Note: Customer’s name changed to Brody to protect their identity.