Payment redirection is a type of scam where cybercriminals attempt to trick unsuspecting individuals into making payments into a fraudulent account. Usually, the name of the account looks legitimate, but the account number is different, making these scams difficult to identify.
Cybercriminals are constantly thinking of new ways to scam unsuspecting customers. That’s why it’s important to be vigilant – 90% of payment redirection scams are a result of successful phishing attempts. Criminals use multiple tactics to trick people – and businesses – out of large sums of money. The only way to protect yourself is to be prepared and to understand how these invoice scams work.
How payment redirection scams work
Cybercriminals have identified a flaw in the banking system – bank account names and account numbers do not need to match for a transfer to be successful. This is the basis for most of these scams.
- Fraudulent parties use phishing tools and social engineering (manipulating individuals into divulging personal information) to gain access to legitimate business email accounts. This could happen to any supplier you deal with, new or regular, making you less inclined to suspect foul play.
- Once the fraudulent party has access to the email account, they intercept emails containing invoices.
- They alter the banking details, and sometimes the contact numbers, and resend the doctored invoice to the customer.
- The customer receives an invoice that looks legitimate because only a few details have been doctored.
- The customer – none the wiser – makes payment to the ‘supplier’ with the incorrect banking details.
- As soon as the transaction takes place, the fraudulent party immediately moves the money through multiple other accounts, and it is gone without a trace.
Incidents like this often come to light only when the legitimate supplier queries why the payment hasn’t been made yet. Upon investigation, both parties learn that they’ve been compromised.
In South Africa, payments of this nature cannot be traced or reversed: just another reason it’s vital that you follow these steps to verify all payments before making them.
How to protect yourself
Always verify bank details
Before making payments, especially for large amounts, always verify the banking details. If you’ve dealt with the supplier before, compare the details to an older invoice, or verify the details once and save them in your internet banking. To verify details, call the company’s finance department and double-check the banking details on the invoice.
Do not use the contact number on the invoice, as those details may have been doctored as well. Use the contact information on the company’s website. If a supplier’s banking details have changed, ask for stamped proof from the bank.
Understand what you’re paying for
Cybercriminals may use domain spoofing to send you fake invoices. They register a domain that looks very similar to a legitimate business name and send invoices for generic services, like ‘licences’. They may even follow up with a phone call to pressure you into making payment.
If you’re not sure what you’re paying for, follow up internally with your team or phone the company on their website contact number. Research the company online and make sure they are a legitimate business before making any payments.
Be vigilant
Always keep an eye out for phishing attempts and do not share your personal information or passwords with anyone. No trustworthy company will request your personal information (login details, passwords, etc.), especially not via email. Be wary of any emails that contain typos or grammatical errors. Check the ‘from’ email address as well – make sure the spelling of the domain name is correct and not a case of domain spoofing, and check that the email address matches the name of the person sending the email.
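The two checks described above, comparing an invoice’s banking details against details verified once and saved, and flagging a sender domain that merely resembles a known supplier’s, can be automated. The script below is an added illustration, not part of the original article; the supplier names, domains, account numbers and phone numbers in it are constructed.

```python
from difflib import SequenceMatcher

# Constructed register of suppliers whose banking details were verified once by
# phone (using the number on the supplier's website) and then saved. The names,
# domains, account numbers and phone numbers here are hypothetical.
VERIFIED_SUPPLIERS = {
    "acme-stationery.example": {
        "account_name": "Acme Stationery (Pty) Ltd",
        "account_number": "62012345678",
        "phone": "+27 11 555 0100",
    },
}

def domain_of(address):
    """Lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].strip().lower()

def lookalike_domain(sender_domain, known_domains, threshold=0.85):
    """Known domain that sender_domain closely resembles without matching
    exactly (a sign of domain spoofing), or None."""
    if sender_domain in known_domains:
        return None
    for known in known_domains:
        if SequenceMatcher(None, sender_domain, known).ratio() >= threshold:
            return known
    return None

def check_invoice(invoice):
    """Warnings for an invoice dict (keys: from, account_name, account_number, phone); [] means nothing suspicious."""
    warnings = []
    sender_domain = domain_of(invoice["from"])
    imitated = lookalike_domain(sender_domain, VERIFIED_SUPPLIERS)
    if imitated:
        warnings.append(f"sender domain {sender_domain} resembles verified "
                        f"supplier {imitated} (possible domain spoofing)")
    supplier = VERIFIED_SUPPLIERS.get(imitated or sender_domain)
    if supplier is None:
        warnings.append(f"no verified details on file for {sender_domain}; "
                        "verify by phone before paying")
        return warnings
    # The account name on a doctored invoice usually still matches; the
    # account number is the detail that changes, so compare it exactly.
    if invoice["account_number"] != supplier["account_number"]:
        warnings.append("account number differs from verified details; "
                        "confirm with the supplier's finance department")
    if invoice["phone"] != supplier["phone"]:
        warnings.append("contact number differs from verified details; "
                        "use the number on the supplier's website instead")
    return warnings
```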
With these tips, it should be easier not to fall prey to payment redirection scams. Ask questions, verify all banking details and don’t make any transactions unless you’re absolutely sure what they’re for and who the payment is going to. It’s better to be safe than sorry – and out of pocket.