What is a payment redirection scam?
A payment redirection scam (also known as Business Email Compromise or BEC) is when a criminal impersonates a business or its employees via an email and asks you to make a payment to an account the criminal controls. The email may be sent from a legitimate business email address that a criminal has accessed. In some instances, your email may have been compromised and a criminal is watching for payment-related emails. The criminals will then send you an email that appears very similar to one you may be expecting, but with the changed account details, in the hope that you will make the payment without checking the change in bank details.
How big is the problem?
The Australian Competition and Consumer Commission’s (ACCC) Targeting Scams report indicated Australian businesses lost $91.6 million to payment redirection scams in 2023. Download the Report of the National Anti-Scam Centre on scams activity 2023 (PDF, 767KB) or visit the National Anti-Scam Centre website, Scamwatch.
A case study
Jeremy* had recently purchased his first home. He was ecstatic and had been communicating with the real estate agent and the conveyancer regularly via email. He knew he was due to pay the deposit and made sure he had the finances available.
Jeremy received an email advising that he had to pay the funds for the deposit to the conveyancer’s trust account. As Jeremy was expecting a similar email, he didn’t look at it closely and simply transferred the funds.
Not long after Jeremy made the transfer, he decided to call the conveyancer directly and check they’d received the funds. The conveyancer explained he had not sent Jeremy an email. Jeremy then looked closely at the email address and realised it was slightly different to the conveyancer’s. The scammer had created an email account that was very similar to the conveyancer’s but had substituted a “1” with an “i”.
How to help protect yourself from payment redirection scams and BEC emails
- Protect your email account with Multi-Factor Authentication (MFA). This adds an extra authentication layer to your email account. Learn more about MFA.
- If you receive an email or an invoice that highlights changed bank account details, always contact the business or person directly to confirm their details have changed. Contact them through their official channels and not the number included in the email as this could be the scammer’s contact number. A quick phone call can save thousands.
- Consider using a PayID® and ask the person you are paying if they have one. A PayID helps you identify directly who you are transferring funds to.
- Learn how to identify phishing messages.
Important information
PayID® is a registered trademark of NPP Australia Limited.