Digital O2 - Email Banner - Avoiding Payment Redirection Attacks


Avoiding Payment Redirection Attacks

Hello,
 
Payment redirection attacks are increasingly targeting Australian individuals and businesses and cost an average of $50,000 per successful attack. They involve an attacker inserting their own bank details into communications to redirect legitimate payments into their own accounts. 

Some common payment redirection attacks:
1. A cybercriminal steals a builder's logo and sends the builder's individual customers fake invoices that look legitimate but contain the attacker's bank details.
2. A cybercriminal emails all of a B2B business' clients, informing them that the B2B business has updated its bank details. The cybercriminal then waits for legitimate payments from clients to be directed to the new, fraudulent bank account.
3. A cybercriminal emails a member of the payroll department, pretending to be a legitimate employee. The cybercriminal has the employee's payroll record updated with new, fraudulent bank details and waits for the next salary payment to be redirected to them.

Payment redirection attacks often use breached email accounts, stolen logos and accounting software such as Xero or QuickBooks to produce legitimate-looking documents sent from legitimate email addresses. Often the only detail that differs from the real thing is the bank details.

How can you protect yourself?
1. Always confirm new customer or supplier bank details, preferably via a phone call. This includes services delivered to businesses and individuals, such as tradespeople.
2. Ensure there is a process for validating any changes to existing customer or supplier bank details, preferably via a phone call.
3. Ensure there is a process for approving urgent payment requests, and that management is supportive of deadlines being missed if approvals cannot be obtained.
4. Even when invoices for new suppliers have the correct logo, dates and amounts and come from the expected email address, validate the bank details with your contact via the phone.
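The four controls above can be turned into a simple accounts-payable gate: an invoice is only payable when the supplier is known, its bank details have been confirmed out of band, the details on the invoice match the confirmed details, and any urgent request carries a recorded approval. The following Python is an added illustration written for this email, not a tool from Digital O2; the supplier names, addresses, BSBs and account numbers are constructed sample data, and the `phone_verified` flag stands in for whatever record your own process keeps of a completed confirmation call.

```python
from dataclasses import dataclass
import re


def normalise(value: str) -> str:
    """Keep only digits so '062-000' and '062 000' compare as the same BSB."""
    return re.sub(r"\D", "", value)


@dataclass(frozen=True)
class BankDetails:
    bsb: str
    account: str

    def key(self) -> tuple[str, str]:
        return normalise(self.bsb), normalise(self.account)


@dataclass
class Supplier:
    name: str
    email: str
    bank: BankDetails
    phone_verified: bool = False  # True only after a call to a known-good number


@dataclass
class Invoice:
    supplier_name: str
    sender_email: str
    bank: BankDetails
    amount_aud: float
    urgent: bool = False


PAY = "PAY"
HOLD = "HOLD"


def register_supplier(master: dict[str, Supplier], name: str, email: str, bank: BankDetails) -> Supplier:
    """Add a supplier as unverified; nothing is payable until confirm_by_phone() runs."""
    supplier = Supplier(name, email, bank)
    master[name.strip().lower()] = supplier
    return supplier


def confirm_by_phone(supplier: Supplier, bank: BankDetails) -> None:
    """Record the outcome of the confirmation call: the details read back become the details on file."""
    supplier.bank = bank
    supplier.phone_verified = True


def assess_invoice(invoice: Invoice, master: dict[str, Supplier], urgent_approved: bool = False) -> tuple[str, list[str]]:
    """Return (PAY or HOLD, reasons). Any reason at all holds the payment for a human check."""
    reasons: list[str] = []
    supplier = master.get(invoice.supplier_name.strip().lower())
    if supplier is None:
        reasons.append("new supplier: confirm bank details by phone before the first payment")
    else:
        if not supplier.phone_verified:
            reasons.append("bank details on file have never been confirmed by phone")
        if invoice.bank.key() != supplier.bank.key():
            reasons.append("invoice bank details differ from the details on file: treat as a change request and confirm by phone")
        # A matching sender address is noted but never sufficient on its own (breached mailboxes look legitimate).
        if invoice.sender_email.strip().lower() != supplier.email.strip().lower():
            reasons.append("invoice sent from an address other than the one on file")
    if invoice.urgent and not urgent_approved:
        reasons.append("urgent payment request without a recorded approval")
    return (HOLD if reasons else PAY), reasons


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    master: dict[str, Supplier] = {}
    acme = register_supplier(master, "Acme Plumbing", "accounts@acme.example", BankDetails("062-000", "12345678"))
    confirm_by_phone(acme, BankDetails("062-000", "12345678"))
    genuine = Invoice("Acme Plumbing", "accounts@acme.example", BankDetails("062000", "12345678"), 1500.0)
    redirected = Invoice("Acme Plumbing", "accounts@acme.example", BankDetails("062-000", "99999999"), 1500.0)
    for inv in (genuine, redirected):
        decision, why = assess_invoice(inv, master)
        print(decision, why)
```

The decision deliberately ignores logo, dates and amount, because the email above notes those are usually correct in a redirected invoice; only the out-of-band confirmation of the bank details moves an invoice from HOLD to PAY.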

 
Kind Regards,