Dangers of Online Payments

Data breaches, cyber-attacks and online payment interceptions are becoming a common addition to our daily news, as we face what may be considered a technological pandemic of cyberspace.

These attacks often commence from the cyber interception of an organisation’s email, or, by a scammer’s attack on an unsecured wireless network (WIFI), amongst other things. The scammers are then free to compromise data, intercept unsecure invoices or simply edit bank account details to redirect a client’s payments into foreign accounts.

This was a recent occurrence for two unfortunate Tesla customers.¹  Whilst expertise on recognising a cyber-attack, let alone preventing one, is outside of the general public’s knowledge: the concept of ‘keeping informed’ on developments in the area could save you and your organisation from becoming a victim of such scammers, and/or can equip you with knowledge to be able to be better prepared.

Tesla

Tesla has led the race in advance innovative electronic technology in vehicles worldwide, yet has in the last fortnight come under fire for allegations that it has an unsecure and easily intercepted invoicing process. In the last 18 months two Tesla clients have lost a combined AUD $130,000.00+ whilst attempting to pay for the purchase of vehicles via Tesla’s email issued invoices. Whilst initially the customer was required to make a deposit for the purchase via the organisation’s secure website; placing the customers outside of the grasp of the scammers. The subsequent payment was an email with an invoice attached. It was at this point that the scammers have intercepted the email and amended the bank account details of which the funds were to be sent.

One of the victims stated:

“I absolutely cannot understand why Tesla don’t do the invoicing in the payment system through a secure website.   Instead, I was sent an unsecured, editable invoice that anybody could get into and change the numbers, so the hackers didn’t have to create a new invoice. It was just too easy.²

What these customers experienced was invoice scamming, which is also known as Business Email Comprising Scams (BEC).³   It is an increasingly common scam which is not limited to emails but can also take the form of phone calls, SMS or can even be direct messages on Social Media. It is said that the scammers will pass the funds through multiple bank accounts before sending it offshore, making it extremely difficult to trace.⁴ 

The emailing of such a large invoice is a rather unsophisticated technological process which bears consequences on both the customer and the organisation. Such questions arise as to whom bears the loss and can each party recover from the financial damage caused by the cyber-attack?

Who bears the loss? 

Both Tesla customers who were subject to the scam have attempted to recover their losses, however, the results have been disheartening. One customer has been unsuccessful and the other has only managed to recover AUD $17,800.00. Recovering such costs with a lack of evidence of the crime and the inability to locate a scammer poses much difficulties for the courts in making a conviction. It seems that the victims will bear the costs of these scams, hence knowledge and active protection against BEC is important.

How to protect yourself, your organisation and/or your customers

Understanding that BEC is the work of criminals in cyberspace who abuse business processes to scam money or goods is a good starting place. It is a scam we are all vulnerable to, not just large companies or organisations. If you have a phone and/or computer with an internet connection, you too can be a target.

So, implementing protections for those around you or steps to avoid being scammed yourself is the next step. There are some simple steps that can keep you and/or your customers safe:

Secure Payment Options

• Opting for a safe online payment option such as PayPal or Google / Apple pay provide secure platform for your customers.
• One of the safest and most common payment options available are credit cards, which can also offer fraud protection.    

Note: If you are a customer ensure that any online payments you make are made through a secure online platform. For instance, if you receive an invoice via email, be vigilant and call the company’s accounts department or relevant department to ensure the provided bank account details are correct before making any payments.  

Wireless Network (WIFI)

• One of the fastest ways for a scammer to enter your data and intercept emails is by hacking an unsecure WIFI. Ensuring that your server is properly protected and not publicly accessible is feasible.

Note: If you are a customer, be aware that when using a public WIFI your data and the contents of your phone may be at risk to scammers. Opting to use your own internet may be your best option to protect yourself.    

That looks suss!

• Ensure that you keep an eye out for warning signs and take some time to notify your staff and/or customers on what to look out for:
  • A change of bank account details;
  • A sudden demand for payment;
  • Unsecure payment options;
  • Changed email addresses. Particularly a single number or letter added into an email address of which doesn’t look right.   

Lavan comment

In modern and uncertain times, we must remain vigilant. It is important to understand the ways in which organisations can protect themselves, as well as customers, in order to reduce the number of companies / individuals falling victim to scammers.

If you have any questions in relation to Cyber Security or would like advice on Cyber and Data Protection or Cyber Law, please contact Iain Freeman.