13 Dec 2019

Beware hacking scam targeting email accounts

Consumer Affairs Victoria has received a new report of the ‘business email compromise’ scam. A home buyer was tricked into making a deposit into a fake account, after scammers had hacked into their estate agent’s email.

How the scam works

In most instances, a client receives an email from the business they are dealing with that includes details of an account to make a payment to.

Shortly afterwards, the client receives a second email from the same email address, telling them that the business has just updated their account details, and to pay into a new account. This second email has been intercepted by scammers impersonating the business, asking the client to send money into an account they have set up.

Consumer Affairs Victoria has also received reports of businesses that have paid money into a fake account after receiving an email they thought was from their client or client representative, whose email had been hacked in a similar way.

If you are a business or consumer and receive an email from a business you are dealing with that includes details of a bank account to deposit money into:

  • be very suspicious if you receive a second email asking you to make payment into another account, even if it is from the same email address. 
  • call the supposed sender of the email to check its legitimacy. If the email has come from a business, consider visiting their office in person. 

Tips to avoid a ‘business email compromise’ scam

Consumer Affairs Victoria strongly encourages consumers and businesses to regularly review and secure their online systems.

To help keep your email accounts safe:

  • consider setting up a two-step verification process with your email accounts. This requires a user to provide more than one type of proof that they are authorised before they can access an account.
  • do not use obvious passwords. Change your passwords, and other verification details, regularly.
  • do not share your email address online unless you need to. Consider setting up an email address just for online transactions, and another for communicating privately with clients and customers.

If you are a business that emails account details to customers so they can make a payment, advise them to:

  • be very wary if they receive a second email telling them to pay into another account, even if the email comes from the same address.
  • contact your office to check the email’s legitimacy.  

Any business or individual who believes they have been tricked into paying money into an incorrect account should contact their bank immediately.