Tax time is a popular period for scammers to target businesses, and over the last few years we have seen increasing numbers of business owners falling victim to scams of varying degrees of sophistication. These can range from relatively small amounts, into the hundreds of thousands of dollars. Unfortunately, in most instances there is often little or no recourse for the victim.
Ensuring that you have adequate controls and processes in your business can help to mitigate the risk of fraud impacting you and your business. Keep yourself one step ahead by being aware of the following types of fraud:
YOUR ACCOUNTS TEAM RECEIVES AN EMAIL ADVISING THAT A SUPPLIER’S BANK ACCOUNT HAS BEEN CHANGED AND YOU NEED TO UPDATE THEIR ACCOUNT DETAILS ACCORDINGLY
This can occur when a scammer has been reading email on your business server and has learned when a large payment is due to a supplier. Your accounts team updates the account details and makes the payment … however, it goes to a bank account that has nothing to do with your supplier, and the money is gone.
Mitigate risk by having an appropriate level of control around payments and changes to bank account details.
YOUR CUSTOMER RECEIVES AN EMAIL FROM “YOU” ASKING THEM TO UPDATE YOUR BANK ACCOUNT DETAILS
A scenario similar to the above, but with the roles reversed. This time one of your customers receives an email from “you” (as the supplier), advising that your bank account has changed. In this case, the scammer installed phishing software onto our client’s server and had been monitoring emails to identify future payments.
While you can’t control your customer’s IT security or controls, you can ensure that your IT is being managed properly to minimise the risk of scammers tracking your correspondence and activity.
Ransomware scams involve a zip file (or other attachment) being unwittingly opened and installed on your servers (often by an employee), allowing the scammer to lock or take vital information from your server and then hold you to ransom to get it back. Note that it is unwise to pay the ransom: not only is there no guarantee the scammer will unlock your files, the scammer may also infect your computer again if they know you are willing to pay.
Phishing scams install tracking software onto your servers, allowing the scammer to monitor activity and thereby identify potential scamming opportunities. These files can be received by email, downloaded from a website, or even be included on promotional USB sticks or CDs you’ve collected from a conference or event!
Ensuring your employees understand the basics of IT security and that appropriate IT Risk policies and procedures are in place can help mitigate this risk.
THE CEO SCAM
This involves your accounts team receiving an email ostensibly from the CEO (or other senior manager) via their email address, asking accounts to pay money into a specific account. Needless to say, the email is not from the CEO, and is in fact from a scammer.
Internal business controls can help you to mitigate risk by ensuring that the normal chain of control and management procedures are in place and adhered to at all times (for example, request for funds, authorisation/approval).
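The payment controls recommended above for supplier bank-account changes and for CEO-style payment requests can be expressed as a simple pre-payment check. This is an added example, not part of the original article or any Fordham system; the thresholds, supplier records and user names are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Policy thresholds are assumptions for this example, not figures from the article.
DUAL_APPROVAL_ABOVE = 10_000.0   # payments above this need two approvers
RECENT_CHANGE_DAYS = 30          # a bank-detail change this recent is treated as high risk


@dataclass
class Supplier:
    name: str
    bank_account: str
    changed_on: Optional[date] = None   # date the bank details were last changed
    verified: bool = False              # confirmed by calling the number already on file


@dataclass
class PaymentRequest:
    supplier: str
    amount: float
    requested_by: str                   # who raised the request (an email is not an approval)
    approved_by: List[str] = field(default_factory=list)


def check_payment(req: PaymentRequest, suppliers: Dict[str, Supplier], today: date) -> List[str]:
    """Return the reasons the payment must be held; an empty list means it may proceed."""
    reasons: List[str] = []
    s = suppliers.get(req.supplier)
    if s is None:
        # A "CEO" email asking for money to go to an account nobody has vetted fails here.
        return ["supplier not on the approved vendor list"]
    if s.changed_on is not None and not s.verified:
        # Emailed "new bank details" are never trusted until confirmed out of band.
        reasons.append("bank details changed but not verified by call-back")
    recent_change = s.changed_on is not None and (today - s.changed_on) < timedelta(days=RECENT_CHANGE_DAYS)
    needs_two = req.amount > DUAL_APPROVAL_ABOVE or recent_change
    approvers = {a for a in req.approved_by if a != req.requested_by}
    if req.requested_by in req.approved_by:
        reasons.append("requester cannot approve their own payment")
    if needs_two and len(approvers) < 2:
        reasons.append("two independent approvers required")
    elif len(approvers) < 1:
        reasons.append("at least one approver required")
    return reasons


if __name__ == "__main__":
    # Constructed sample: supplier changed details five days ago, change not yet verified.
    book = {"Acme Pty Ltd": Supplier("Acme Pty Ltd", "constructed-account-1", date(2024, 6, 20))}
    print(check_payment(PaymentRequest("Acme Pty Ltd", 50_000.0, "clerk", ["cfo", "ceo"]), book, date(2024, 6, 25)))
```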
YOU RECEIVE A CALL OR MESSAGE FROM THE ATO ADVISING THAT YOU OWE THEM MONEY AND YOU NEED TO PAY IMMEDIATELY!
As far as Fordham clients are concerned, there is never any reason for the Australian Taxation Office (ATO) to be in direct contact. In all cases, you should refer any call (or SMS) to your Fordham Partner, who will look after any issue for you. Be aware, we have had an instance where a caller claiming to be from the ATO threatened to forcibly remove a client’s children from their custody if an amount of money was not paid immediately. While this is outside the powers of the ATO, in the heat of the moment it is naturally a very confronting situation to handle. This is not unique to scammers impersonating the ATO; it can be any government body or other institution that you may deal with (for example, the ACCC, the AFP, your bank and so on).
WHAT CAN YOU DO TO PROTECT YOUR BUSINESS?
By having appropriate internal business controls and procedures in place, training your staff to know what to look out for, and ensuring your IT environment is being properly managed, you can help to mitigate the impact these scams can have on you and your business. When in doubt, no reputable organisation will object to you checking things and getting back to them, so never rush something that you may not be able to undo.
If you would like more information about how you can structure appropriate internal controls, or if you have any concerns about something that may have happened, please don’t hesitate to contact your Fordham Partner.
This publication has been prepared by Fordham Business Advisors Pty Ltd (Fordham) and Perpetual Trustee Company Limited ABN 42 000 001 007, AFSL 236643 (PTCo). Fordham is part of the Perpetual Limited Group. Perpetual Private advice and services are provided by PTCo. This information is believed to be accurate at the time of compilation and is provided in good faith. However, it contains general information only and is not intended to provide you with advice or take into account your personal objectives, financial situation or needs. You should consider whether the information is suitable for your circumstances and we recommend that you seek professional advice. To the extent permitted by law, no liability is accepted for any loss or damage as a result of any reliance on this information.