Bill scam: Why you should check invoice details before paying
If you received an email invoice from a business you were expecting, would you just pay it online without thinking? Or would you call to check the bank details with the supplier first?
The Australian Competition and Consumer Commission (ACCC) is urging you to do the latter after a recent rise in the amount of money lost to payment redirection scams.
While the number of reports to Scamwatch about this type of fraud has dropped by almost 30 per cent compared with the previous year, the amount of money defrauded has risen, with Australians losing more than $16 million.
This represents a three per cent increase from the previous year, with ACCC Deputy Chair Catriona Lowe saying that criminals are becoming more sophisticated and targeted in their approach.
So, what is a payment redirection scam, and how can you avoid falling victim?
What is a payment redirection scam?
A payment redirection scam, also known as invoice redirection fraud, is a scheme where a scammer tricks you into sending money to a fraudulent account instead of the intended recipient. They often impersonate a trusted business contact through email. They will then give you instructions on how to pay an invoice or bill with the business’s name but their own account details.
This racket is widespread in transactions where significant money is involved. Scamwatch noted that many complaints come from consumers paying bills with these industries:
- Real estate
- Lawyers
- Construction
- Car dealerships
- Travel
Payment redirection scams are tricky because they play on trust and familiarity. Scammers can spoof email addresses to look like they're coming from a legitimate contact. They might even mimic writing styles or use information gleaned from data breaches to make their communication seem authentic. The routine nature of payment processing also allows scammers to exploit buyers who have become complacent about checking payment details and whether a request is legitimate.
How can you protect yourself from invoice redirection fraud?
Don’t rush the payment. This is the most important step to protect yourself from payment redirection scams. These scammers often try to create a sense of urgency. Resist the pressure and take the time to verify everything before sending any money. Make sure you:
Scrutinise the invoice
Carefully examine the invoice for any inconsistencies. Look for typos, mismatched logos, or unusual formatting compared with previous invoices from the same vendor.
Double-check the company name, address and, most importantly, the bank account information. Sometimes, a single character change can differentiate the legitimate email address from the fake one. For example, instead of [email protected], you'll see [email protected].
Call the business
It might feel like an extra step, but that quick call to verify the payment could save you a world of trouble.
If anything seems off about an invoice, especially a request for new bank details, call the supplier directly using a phone number you know is correct (not one provided in the email). Verify the invoice details and any changes to their bank account information.
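The two checks above (a sender address that differs by a character, and bank details that differ from what the supplier used before) can be automated in an accounts-payable workflow. The following is an added example, not part of the original article; the vendor record, domain, BSB, account number and function names are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vendor:
    name: str
    email_domain: str
    bsb: str
    account: str
    phone: str  # number already on file, never one taken from the invoice email

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss (lookalike) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def digits(value: str) -> str:
    """Strip spaces and dashes so '000-000' and '000 000' compare equal."""
    return "".join(ch for ch in value if ch.isdigit())

def review_invoice(vendor: Vendor, sender: str, bsb: str, account: str) -> list[str]:
    """Return reasons to hold the payment; an empty list means nothing changed."""
    flags = []
    domain = sender.rsplit("@", 1)[-1].strip(" <>").lower()
    known = vendor.email_domain.lower()
    if domain != known:
        close = edit_distance(domain, known) <= 2
        flags.append("lookalike sender domain" if close else "unknown sender domain")
    # A matching From address proves nothing (it can be spoofed), so the
    # bank details are always compared with the stored vendor record.
    if (digits(bsb), digits(account)) != (digits(vendor.bsb), digits(vendor.account)):
        flags.append("bank details differ from vendor record")
    if flags:
        flags.append(f"call {vendor.phone} (number on file) before paying")
    return flags

# Constructed sample record; .test is a reserved, non-routable domain.
VENDOR = Vendor("Example Conveyancing", "example-conveyancing.test",
                "000-000", "12345678", "phone-on-file")
```

Any non-empty result means the payment is held until someone confirms the details by phone using the number already on record.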
Use PayID instead
If available, consider using PayID for payments instead of bank account details. PayID uses unique identifiers like phone numbers or email addresses linked to a bank account, making it more difficult for scammers to redirect payments.
Be alert and stay updated
Scammers constantly change their tactics. Check reputable sources, such as government consumer protection agencies or financial institutions, to stay informed about the latest scams and red flags.
Who’s liable for fake invoices?
Invoice redirection fraud can leave the payer and the payee in a difficult situation. The victim who pays the fraudulent invoice loses the money, while the business may be left chasing an unpaid invoice from the customer.
Unfortunately, legal responsibility for invoice redirection fraud in Australia is unclear. There haven't been many court cases on this specific issue. One case suggested the victim might be responsible for the loss. The court reasoned that the victim could have prevented the fraud by simply calling the business to confirm the bank details before making the payment, highlighting the importance of buyer vigilance.
However, it also raises concerns about placing the entire burden on the victim, especially considering the sophisticated tactics scammers can use.
Given the lack of clear legal precedent, we must demand better from our government. Clearer legislation around liability in invoice redirection fraud cases would provide much-needed security for businesses and individuals. It would also incentivise businesses to implement more robust security measures to protect themselves and their customers.
Until then, vigilance and robust security practices remain our best defence against this growing form of cybercrime.
Can you get your money back if you’ve been scammed?
Unfortunately, recovering funds lost to invoice redirection scams can be complex and uncertain, as Simon Elvins’ story demonstrates. Elvins lost more than $200,000 to scammers, which he raised with his bank, Westpac. Weeks later, the bank recovered only $270.70.
Chris Sheehan, a fraud expert at NAB, pointed out that recovering stolen funds becomes much harder if the bank isn't notified of suspicious activity within 10 days. This is because scammers can move the money quickly.
Banks say they are taking steps to mitigate the risk. Westpac, for instance, has introduced Verify, a system that alerts customers about potential mismatches between account names and new payee details. The bank holds the transaction for four hours and notifies the customer of the discrepancies. If the customer doesn’t take action within that time frame, the transaction proceeds as usual.
However, such systems may not be universally implemented or may not catch every instance of fraud. This isn't surprising, considering recent statistics show banking institutions receive the most complaints about financial firms, with unauthorised transactions being the most common issue.
To reduce the risk of sending money to a scammer's account, banks and experts highly recommend using PayID, as the recipient's information is clearly presented before the payment is authorised.
What do you do if you suspect payment redirection fraud?
Stop the payment (if possible)
If you haven't already sent the payment, don’t proceed. Contact the supposed sender of the invoice using a phone number or email address you know is legitimate (not the one provided in the suspicious email). Verify if they actually sent the invoice and confirm the correct payment details.
Alert your bank
If you’ve already processed the payment, file a fraud claim with your bank as soon as possible. Provide them with all the details you have about the fraudulent invoice, including emails, phone numbers, and account information. The sooner you report, the higher the chance of blocking the transaction. Then, alert the business involved.
Report to authorities
Consider reporting the scam to Scamwatch; it helps track and potentially prevent future scams. If you think your account was compromised, report it via ReportCyber.
Lodge a complaint with Handle My Complaint
If you're dissatisfied with the response to your fraud claim, let us handle it. We're an independent dispute resolution scheme (EDR) specialising in resolving various product and service complaints. Over the years, we've helped thousands of Australians find solutions when no one else could.