Invoice scams are becoming all too common. While these scams have been around for over a decade, nowadays they look more and more like the real emails they are attempting to replicate. They are well written and cleverly executed to convince the reader to trust and interact with the email. It has become extremely difficult to differentiate between what is real and what is not, and unfortunately, as a small business in Australia, you could be at risk.
How does it work?
Scammers send out fake emails pretending to be from reputable accounting systems such as MYOB or Xero. These emails ask the recipient to download an invoice, which in turn directs the reader to a website or downloads a zip file that results in the unwanted installation of malware on your computer and the theft of your private credentials.
It’s not just fake invoices that are being sent either. Scammers have also been sending out emails pretending to be from government bodies such as ASIC or the ATO. They could be mimicking anything from a business name registration renewal to a reminder to submit a tax return.
Examples of scam emails
At lucent, we have unfortunately seen our clients receive several scam emails, so we have included an example so that your business can know what to look out for.
On the left is an email from MYOB and on the right is an email claiming to be from MYOB. The primary difference between the two is the fake email address that the scam email was sent from. A MYOB email will always come from a MYOB email address – similarly ATO emails will always come from ‘ato.gov.au’ and ASIC emails from ‘asic.gov.au’.
You can also see that the fake email has an option to unsubscribe at the bottom, whereas the real one does not, indicating it was generated from a system other than MYOB.
Another example is the email below, which claims to be from ASIC. The email address is a good indicator of an email's legitimacy, and in this case it is not an official ASIC address. In addition, the real email clearly states the business name that is up for renewal, whereas the scam email does not. Notably, all the links in the scam email pointed to the ASIC site, which falsely suggests authenticity, but the actual renewal letter link did not. Also, you can see the scam email has managed to correctly replicate the sender's name and details.
How can you avoid being scammed?
With so many well-crafted scams in circulation, it may seem daunting and perhaps near impossible to correctly identify and avoid them, but by being informed, there are numerous ways your business can detect these scams before they have a chance to do any damage.
Always think twice before clicking, and before you pay any invoice or download any file:
- Check for any suspicious signs e.g. an unusual email address, an unsubscribe option or missing contact details.
- Check the email against previous emails from the same sender to look for any subtle differences.
- Hover over the links with your mouse (do not click) to see if the domain destination looks suspicious or unfamiliar.
- Ask yourself if this was an email you were expecting to receive.
- If you are still not sure, contact the company who sent the email via phone to double check with them.
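The checks above can be applied mechanically before anyone clicks. The following Python script is an added example, not lucent's own tooling: it takes a raw email, compares the sender address against the official domains the article names (ato.gov.au, asic.gov.au), lists where every link actually points, and flags an unsubscribe footer. The sample message and its domains are constructed placeholders modelled on the ASIC example described above.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Sender domains the article names as the only legitimate ones for each body.
EXPECTED_DOMAINS = {"ATO": "ato.gov.au", "ASIC": "asic.gov.au"}

class LinkCollector(HTMLParser):
    # Collects every href in the HTML body: what "hover over the link" reveals.
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.links += [v for k, v in attrs if k == "href" and v]

def host_matches(url_or_addr, expected):
    """True only if the host is the expected domain or a subdomain of it."""
    host = ((urlparse(url_or_addr).hostname or "") if "://" in url_or_addr
            else url_or_addr.rsplit("@", 1)[-1]).lower()
    return host == expected or host.endswith("." + expected)

def assess(raw_message, claimed_body):
    """Apply the article's checks and return a list of human-readable findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    expected = EXPECTED_DOMAINS[claimed_body]
    findings = []
    sender = msg["from"].addresses[0].addr_spec
    if not host_matches(sender, expected):  # check 1: unusual sender address
        findings.append(f"sender {sender} is not an @{expected} address")
    body = msg.get_body(preferencelist=("html", "plain"))
    html = body.get_content() if body else ""
    collector = LinkCollector()
    collector.feed(html)
    for link in collector.links:  # check 2: where each link really goes
        if not host_matches(link, expected):
            findings.append(f"link points off-domain: {link}")
    if "unsubscribe" in html.lower():  # check 3: unsubscribe footer
        findings.append("has an unsubscribe option")
    return findings

# Constructed sample resembling the ASIC example above; all domains are placeholders.
SAMPLE = """From: ASIC Messaging Service <renewals@asic-renewals.example>
Subject: Renewal of your business name
Content-Type: text/html; charset="utf-8"

<html><body><p>Your business name is due for renewal.</p>
<p><a href="https://asic.gov.au/for-business/">Visit ASIC</a></p>
<p><a href="http://renewal-letter.example/download?id=1">View renewal letter</a></p>
<p><a href="http://renewal-letter.example/unsubscribe">Unsubscribe</a></p></body></html>"""
```

Running `assess(SAMPLE, "ASIC")` reports the off-domain sender, the two links that leave asic.gov.au (including the renewal letter link) and the unsubscribe footer, while the genuine ASIC link passes.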
What to do if you think you have received a scam email
If you receive a scam email pretending to be from either ASIC or the ATO, both recommend that you forward the fake email straight to them and then delete it from your inbox, sent items and deleted items.
If lucent advisory manages your creditors, you can rest assured. With an expert team of highly qualified accountants and stringent quality controls, we have the capacity to monitor and effectively deal with any malicious invoice emails that we handle on your behalf.