Email invoice scams, protect yourself and don't lose money

A sad story from rural Australia: a local netball group lost AU$150,000 (US$115,000) when they were tricked into paying an invoice to the wrong bank account, one run by cyber-hackers. Here’s what happened and how to protect money you’re responsible for.

The volunteers didn’t know their email accounts had been hacked, giving criminals enough information to send a fake invoice. This trick is called a payment redirection or fake invoice scam.

It’s a reminder that online scams aren’t just focused on businesses, but also volunteer organizations, sporting clubs, community groups and even wealthy individuals.

How invoice scams work

Invoice scams take a few forms. In each form, the criminals hack into an email account but don’t do anything immediately. Instead, they ‘lie in wait’ until they’ve got enough information about the organization to strike.

In some scams, a senior manager’s email account is hacked and used to send instructions for a bank transfer (usually when the manager is on vacation). The receiving staffer, not questioning ‘the boss’, makes the payment.

This scam is different but also takes advantage of compromised email accounts. By monitoring the emails, the criminals know when large payments are about to be made. They quickly send a fake invoice with their own bank account details to redirect the funds. They can make the invoice look legitimate using information gathered from the email account and public sources.

Protect yourself against payment redirection swindles

There are a few things you can do to protect yourself or organizations you act for.

Two Factor Authentication

Make unauthorised access to the account a lot harder. Properly secure email accounts with two-factor authentication.

Regularly changing the password is also a good move but ‘two-fac’ is much better.

Check incoming email addresses

Scammers sometimes work by making a fake address that looks the same. For example, BOBSCONTRACTING@ could be faked as BOBSC0NTRACTING@ (replacing O with zero) or @BOBSBUILD becomes @BOBSBU1LD (capital I replaced with digit 1). It’s easy to miss if you’re not careful.

Microsoft could help if Outlook had an option to warn users when a reply is going to an account not on the Contact/People list.
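The check described above can be automated. The following is an added example, not code from this article or from Outlook: it compares a sender against a contact list and flags addresses that only match after easily confused characters (O/0, I/1/l) are folded together, or that differ by a single character. The contact addresses, the `.example` domains and all function names are constructed for illustration.

```python
from __future__ import annotations

# Characters commonly swapped for one another in lookalike addresses.
# Each group is folded to one character (illustrative, not exhaustive).
FOLD = str.maketrans({"0": "o", "1": "l", "i": "l", "5": "s"})

def skeleton(address: str) -> str:
    """Lower-case the address and fold easily confused characters together."""
    return address.strip().lower().translate(FOLD)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typo addresses."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(sender: str, contacts: list[str]) -> tuple[str, str | None]:
    """Return (verdict, imitated_contact); verdict is known/lookalike/unknown."""
    sender_norm = sender.strip().lower()
    known = {c.strip().lower() for c in contacts}
    if sender_norm in known:
        return ("known", None)
    for contact in sorted(known):
        # Same skeleton but a different address: a swap such as O -> 0.
        if skeleton(sender_norm) == skeleton(contact):
            return ("lookalike", contact)
        # One inserted, dropped or changed character.
        if edit_distance(sender_norm, contact) == 1:
            return ("lookalike", contact)
    return ("unknown", None)

# Constructed sample contact list, modelled on the article's two examples.
CONTACTS = ["bobscontracting@supplier.example", "accounts@bobsbuild.example"]

if __name__ == "__main__":
    for addr in ("BOBSC0NTRACTING@supplier.example",
                 "accounts@BOBSBU1LD.example",
                 "accounts@bobsbuild.example",
                 "newvendor@other.example"):
        print(addr, "->", classify_sender(addr, CONTACTS))
```

A "lookalike" verdict is the case to hold for a phone call before paying; "unknown" just means the sender is not on the list yet.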

Beware changes in email or account details

If an existing contact asks you to change their email, phone, mail address or especially bank account details, CHECK with them directly using another communication method (not email).  Give them a call or instant message to verify.

Check before payment

Before paying a bill, call the receiver to verify their account details.  That especially applies to large payments, first time payments or first payment after a change of details.

Another tactic is to make a small test payment first.  This is especially good for overseas transfers that can be difficult if there’s even the smallest problem identifying the receiving bank or account.  Check (but not by email) that the test funds arrived then make the major payment.

Pay by credit or debit card

Consider paying by credit or debit card instead of bank transfer. The credit/debit card system has fraud protections to allow possible recovery of funds. Bank transfers have far fewer protections. Criminals will usually transfer the money from the scam account to many others (often overseas), making recovery almost impossible.

About this author

Office Watch is the independent source of Microsoft Office news, tips and help since 1996.