Protect your business and clients from scammers

14 March 2024

Invoice scams, also known as false billing or business email compromise scams, are being increasingly reported in the residential construction and renovation sector, the Australian Competition and Consumer Commission (ACCC) has warned.

In 2022, Australians lost a record $3.1 billion to scams, an 80% increase on the total losses in 2021. In light of this, the government established the National Anti-Scam Centre in July 2023 to make Australia a harder target for scammers. Scammers are getting more sophisticated and it’s becoming increasingly challenging for consumers to stay safe.

In these scams, a scammer impersonates a legitimate construction business and sends fake invoices to individuals or other businesses requesting payment. These invoices are generally sent from an email address made up to resemble the name of the legitimate business.

The invoice includes the scammer’s bank details instead of the account details of the business. Hundreds or thousands of fake invoices may be emailed out in the hope that some recipients will assume it is a legitimate invoice for work/goods/services that they have ordered.

Scammers may pose as a supplier and anticipate that many of their potential victims regularly deal with the business they are impersonating and so pay the fake invoice without checking.

A particularly challenging variation of the scam involves compromise of the business email account. This might occur through a phishing attack (i.e. a staff member clicks on a link in an unsolicited email) or through what’s known as “credential stuffing” (when the same login details are used for another online service that suffers a data breach, and the leaked details are then tried against the email account).

Both large businesses and sole traders are targeted by scammers in this way. Once the scammer has access to the email account, they are able to see all emails being sent and received by the business, including staff names, customer details, quotes for work, etc.

The scammer may send a quote for work to a potential customer from the compromised account, but include their own bank account details for payment. Or the scammer may see that a genuine quote has been emailed to a potential customer, and send another email from the compromised account with an edited invoice that includes their own bank account details, offering some “apology” for sending a follow-up email so soon.

If the customer accepts the quote and pays the deposit, they pay the scammer, not the construction business. Because the scammer has access to customer and staff names, emailed inquiries, etc., they can “sign off” the email with the name of the staff member the customer had been speaking to, correctly refer to site addresses, and more, making the scam emails very hard to detect.

A business may not know that its email has been compromised until a customer inquires as to why the work they paid for has not progressed. In this variation of the scam, it is the business email account that has been compromised, but it is the customers who suffer financial loss if they pay the scammer.

Avoiding scams

The ACCC has set up a new centre, the National Anti-Scam Centre, that helps people spot and avoid scams, makes it easier to report scams, improves information sharing to disrupt scammers, works across government and with industry and supports law enforcement.

Use their services to help you identify if something is a scam before it's too late, including 'Is this a scam?' with warning signs to help you identify scams, 'Be scam aware' to help you spot and avoid scams, and 'I've been scammed' where you can get help if you think you've been the victim of a scam.
