
New cyber attack scam costing Australians $132 million a year

A new cyber attack targeting multinational corporations, businesses and celebrities — like NRL legend Ben Elias and Real Housewife Krissy Marsh — is costing Aussies millions of dollars. The scams are popping up at a rapid rate in NSW but a crack police squad is making inroads.


When George Falkiner received an email from an agricultural machinery supplier about an outstanding invoice, he thought nothing of it.

He had dealt with the supplier for more than 30 years without issue.

The invoice was for bale wrap, which Falkiner bought in bulk once a year to use on his sheep and cotton farm in the Macquarie Valley in western NSW.

“Our office manager had received an email saying the supplier’s account details had changed,” he says.

“It was the same bank but a different branch.”

Falkiner had already received the product in good faith and transferred the $98,000 payment by the due date.

“Because I knew the manager (of the supplier), my office manager assumed it was the real manager,” says the 62-year-old, who runs sheep on his 20,000ha farm near Warren.

Farmer George Falkiner was targeted in an email scam that cost him $98,000.

A day after the due date, the office manager of Falkiner’s historic Haddon Rig stud received another email from the supplier inquiring about the overdue bill.

“I said to them ‘here is our letter, we’ve paid it’,” he says.

“They said they hadn’t changed their account details and then the penny dropped.”

Falkiner had become the victim of one of Australia’s fastest-growing cyber crimes – a business email compromise (BEC) scam.

A BEC scam involves hackers cracking into business inboxes, intercepting emails and changing account details so payments are made into fraudulent bank accounts.

This type of fraud now makes up 7.32 per cent of all cybercrime in Australia and costs the country about $132 million a year, according to the Australian Competition and Consumer Commission.

“It has been on our radar for the last three years and has been steadily increasing in frequency,” NSW Police Cyber Crime Squad Detective Superintendent Matt Craft says.


The main targets are businesses – ranging from multinational corporations to law firms and agriculture suppliers – but it is often individuals who are left ripped off.

Falkiner says that when his staff received the change-of-account-details email, it was all the more believable because the “hacker” – posing as the supplier – had engaged in some friendly small talk in the lead-up.

He likened it to a form of grooming.

“They befriended our office manager with a couple of ‘how you going’ emails and ‘don’t forget to pay the bill at the end of the month’,” he explains.

“The letterhead was the same and so was the language.”

This is all part of the ruse.

Often, hackers get access to an email account and watch the communication, looking for any upcoming payments or outstanding invoices they can piggyback on.

Within 24 hours of transferring the payment to an account in Melbourne, it had been wired to the United Arab Emirates.

It was too late for Falkiner to claw back his funds but he enlisted a cyber security analyst to help bolster the cyber protections around his business.

“We changed all our email addresses after that because we had been hacked and they could see what we were communicating about,” he says.

“Now we don’t pay anyone without phoning them first.”

WHAT IS BEC?

The scam ranges from the very basic – mimicking invoices and sending them to businesses from a false account with a similar email address – to the sophisticated.

The latter can involve hacking into a staff member’s inbox, watching conversations between clients and accounts and waiting for the right moment to change bank account details in an email so money is inadvertently sent to the cybercriminals.

The bottom line is that the scam involves impersonating an employee in emails to other employees or clients and asking for the transfer of money for seemingly legitimate reasons.

And it all starts with the click of a button.

The seed is planted when a hacker sends a phishing email en masse to hundreds of businesses and one employee clicks on the link in the email. That unwittingly lets the hacker in.

According to the ACCC, small and micro businesses reported the most BEC scams last year but there have been cases of cybercriminals impersonating chief financial officers (CFO) too.

NSW Police Cyber Crime Squad Detective Superintendent Matt Craft. Picture: Lucy Hughes-Jones

This year, a small netball club was caught out when the treasurer received a message from ‘the president’ asking for $10,000 to buy new jerseys.

“And they were legitimately buying jerseys because it was the beginning of the netball season,” Supt Craft says.

“That was done and that money was sent away electronically but it was all dodgy.”

In another example, a building company that ordered $500,000 a month worth of concrete was targeted.


The account details on the invoice had been changed but the accounting department had not realised because everything else on the bill was the same.

Supt Craft says the key to clawing back the money is acting quickly.

“We do see a lot of transfers offshore,” he says.

“That’s why we need to encourage people to report it as quickly as possible, because we have very good relationships with the banks.”

SAVED BY QUICK THINKING

Ex-NRL star Ben Elias was one of the lucky ones.

He revealed publicly in August that he unwittingly transferred $860,000 to a fraudster, thinking it was stamp duty payable on a property deal in western Sydney.

The successful businessman was in conversation with someone he thought was his lawyer, who asked him to transfer the funds into a nominated bank account.

Elias followed the instructions.

It was only after a follow-up call to his lawyer asking if he had received the transfer that both parties realised the bank account was wrong.

The hacker had mimicked the lawyer’s email address with a slight tweak on the end – adding “au”.

“That was the scary thing,” he said at the time.

Rugby league legend Ben Elias was targeted by an online fraudster. Picture: Christian Gilles

“They sounded exactly like my lawyer and how he would speak in my email. Nothing seemed out of order.”

The 56-year-old’s quick response meant his bank managed to put a freeze on the money before it was moved offshore.

However, former Real Housewives Of Sydney star Krissy Marsh wasn’t so lucky. She was caught out during the settlement for a $10 million home in Noosa in Queensland this year.

Credit Suisse, which was involved in the financial side of the property deal, received an email from someone purporting to be Marsh’s lawyer.

The email requested the transfer of hundreds of thousands of dollars as part of the property settlement. After the parties realised it was a scam, police allegedly followed the money to a gold bullion dealer in the CBD.

Sydney City Police have set up a strike force to investigate the fraud.

Supt Craft says it was likely a coincidence that two high-profile figures had been targeted by BEC scammers.

“They are doing this all day every day,” he says.

“If you send out 10,000, 20,000 attempts, even if you get one or two for the day, it’s very successful.

“We have seen it around the housing industry because of the amounts involved.

“When you buy a house it is hundreds of thousands of dollars and people are expecting the transfer.”

A police strike force is investigating the fraud incident targeting Krissy Marsh.

Unlike other scams – online romance ruses involving Nigerians posing as potential love interests, for example – the bank accounts involved in BECs are predominantly based in Australia.

In the past few months, NSW Police have charged more than a dozen people acting as facilitators in a broader BEC scam.

Some of those were on the lower rung of the syndicate and allegedly received the money into a bank account, took a cut and then transferred it on.

Supt Craft says that generally the cybercrime syndicates are divided between these “runners” and those more technically proficient criminals running the operation.

“While it’s OK to get the mules, we also want to cut the head off the snake,” he says.

In 2018, a Nigerian man was caught running a BEC scam from Villawood Detention Centre. Fisayo Oluwafemi, 43, targeted companies such as 7-11 and a law firm in Queensland and generated $1.4 million. Some of that was spent on a Range Rover while the rest was moved around a web of bank accounts, including some offshore.

In some cases, scammers have used email credentials bought on the dark web – for anywhere between hundreds and thousands of dollars depending on the quality – to crack through corporate cyber walls.

The information seeps into the dark web after data breaches, such as the cyber-attack on Anglicare this month.

“That is consistently where we will find credentials and where offenders will go to purchase credentials as a result of a data breach,” Supt Craft says.

PREVENTION

Talking to staff about phishing emails and cyber security is key to keeping BEC hackers at bay.

Any email asking for a staff member’s log-in details or outlining a change of account details should be treated with suspicion.

“Your administrator might send you a request to enter your credentials because there has been a system outage,” Supt Craft says.

“It looks legitimate, but you have to stop and think: have I been asked to do this by my system administrator before? And the answer is no.”

Following up an email invoice with a phone call to the sender is also an easy way to protect yourself against becoming a cybercrime victim.

And if you do get scammed, contact police immediately.
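The two warning signs the article singles out – a sender address that is a near-copy of a known contact’s domain (Elias’s lawyer with “au” added) and a message saying account details have changed – can both be checked automatically before an accounts team pays anything. The script below is an added, defender-side illustration, not code from the newspaper or NSW Police. It assumes a constructed list of trusted supplier domains with the phone number the business already holds for each, and holds any flagged invoice until someone rings that number (never a number supplied in the email itself).

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed example data: domains the business already deals with, and the
# phone number kept on file for each. These are placeholders, not real contacts.
KNOWN_SUPPLIERS = {
    "machinery-example.com": "+61 2 0000 0000",
    "lawfirm-example.com": "+61 2 0000 0001",
}

# Phrases that typically accompany a change-of-bank-details request.
CHANGE_OF_DETAILS = re.compile(
    r"(account|bank|banking|bsb)\s+details?\s+(have|has)\s+changed"
    r"|new\s+(bank|account)\s+details"
    r"|updated?\s+(bank|account|bsb|payment)\s+details",
    re.IGNORECASE,
)


@dataclass
class Email:
    sender: str
    subject: str
    body: str


@dataclass
class Assessment:
    action: str                              # "ok" or "hold_for_callback"
    flags: List[str] = field(default_factory=list)
    verify_via: Optional[str] = None         # phone number on file for the callback


def sender_domain(addr: str) -> str:
    """Lower-cased domain part of an address such as 'accounts@example.com'."""
    return addr.rsplit("@", 1)[-1].strip().lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to catch one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this sender domain imitates, or None if it is
    either an exact trusted domain or not close to any of them."""
    if domain in KNOWN_SUPPLIERS:
        return None
    for trusted in KNOWN_SUPPLIERS:
        # Catches a suffix bolted on to the real domain ("...com" -> "...com.au")
        # as well as small spelling tweaks.
        if domain.startswith(trusted) or edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def screen(msg: Email) -> Assessment:
    """Decide whether a payment-related email may be actioned or must be held
    until verified by phone on a number already on file."""
    flags: List[str] = []
    domain = sender_domain(msg.sender)
    imitated = lookalike_of(domain)
    if imitated:
        flags.append(f"sender domain {domain!r} resembles trusted {imitated!r}")
    if CHANGE_OF_DETAILS.search(f"{msg.subject}\n{msg.body}"):
        flags.append("message asks to change payment account details")
    if not flags:
        return Assessment("ok")
    # Ring the number on file for the supplier being imitated (or claimed),
    # never one quoted in the suspect email.
    phone = KNOWN_SUPPLIERS.get(imitated or domain)
    return Assessment("hold_for_callback", flags, phone)


# Constructed sample messages mirroring the article's scenarios.
SAMPLE_EMAILS = [
    Email("accounts@machinery-example.com", "Invoice 1042 - bale wrap",
          "Hi, attached is invoice 1042, due at the end of the month."),
    Email("accounts@machinery-example.com", "Invoice 1042 - payment",
          "Please note our account details have changed: same bank, new branch."),
    Email("settlements@lawfirm-example.com.au", "Stamp duty",
          "Please transfer the stamp duty to the nominated account below."),
]

if __name__ == "__main__":
    for e in SAMPLE_EMAILS:
        a = screen(e)
        print(f"{e.sender}: {a.action} {a.flags} verify_via={a.verify_via}")
```

The first sample passes, the second is held because it announces changed account details even though it comes from the genuine domain (the compromised-inbox case Falkiner describes), and the third is held because the domain only resembles the lawyer’s. In practice the phone list would come from a vendor master file rather than a dictionary in the script, and the regex would be tuned to the wording a particular business actually sees.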


Original URL: https://www.dailytelegraph.com.au/truecrimeaustralia/police-courts/new-cyber-attack-scam-costing-australians-132-million-a-year/news-story/db05897906fa5f92e2b518fc65fe261d