NAB issues warning after attempted business email compromise scam

A recent case of business email compromise involving a NAB Private customer nearly resulted in $6 million being transferred to the account of a scammer.

The customer had requested that a relationship associate at NAB Private transfer the funds into an international account as part of a capital raising round.

Even though the $6 million was being sent to a regular recipient, the relationship associate, Stacey, contacted the client to check that the details were correct.

The customer confirmed this to be the case but asked Stacey to pick up the issue with his accountant, who she then contacted to clarify that the money was supposed to go to an account based in Singapore.

While waiting for a response, Stacey read back over the email chain between the customer and the recipient and noticed changes including a spelling mistake and a different tone.

“I could also see the account had changed to an overseas account and the date of the payment had been brought forward, so there were a few red flags jumping out at me,” she said.

Stacey immediately contacted the customer’s accountant to ensure they didn’t process any payments to the account and prevented the $6 million from being sent to the scammer.

“The supplier’s emails had been hacked by a criminal who then impersonated employees from the organisation,” said NAB executive, group investigations and fraud, Chris Sheehan. 

“They changed the banking details on invoices in the hope of receiving the funds.”

Figures from the Australian Federal Police indicate that, during 2020-21, Australians lost more than $79 million in cases of business email compromise where an organisation’s email account has been taken over by scammers to conduct fraudulent activities.

“Criminals gain access to email accounts by sending a phishing email which appears to come from a trusted organisation or contact,” explained Mr Sheehan.

“This email might request the recipient’s email account username and password, or ask them to click on a link which downloads malicious software onto their device.”

NAB warned its customers and colleagues to remain vigilant and noted that scam emails may come from a trusted contact who has had their account compromised.

While the bank said that it had sophisticated fraud detection software in place, it noted that money is often unable to be recovered in events of business email compromise and that, in this case, it was human interaction that had saved one of its customers from losing $6 million.

“People like Stacey are the first line of defence against fraud and scams,” Mr Sheehan said.

“If you see something that doesn’t look right, investigate it further before you action the request. Customers should verbally confirm all requests to new accounts using publicly available phone numbers to do this.”

Cyber security has been a much-discussed topic in the advice space in recent weeks on the back of the Federal Court's landmark ruling against local firm RI Advice. 

Appearing on the latest episode of the ifa Show podcast, Shane Bell, cyber partner at specialist advisory and restructuring firm, McGrathNicol, said cyber security should be top of mind for advisers and practices. 

“... I think it's clear in the [Court] judgment… if you're doing nothing, you need to do something," Mr Bell said. 

Listen to the full podcast with Mr Bell here.

Jon Bragg

Jon Bragg is a journalist for Momentum Media's Investor Daily, nestegg and ifa. He enjoys writing about a wide variety of financial topics and issues and exploring the many implications they have on all aspects of life.