How to spot and stop holiday cyber scams

Phishing, fake invoices, social media scams, and AI fraud are major threats to your business. What should you do if you're targeted by a scam?


By Brenton Steenkamp, Partner | Clayton Utz

By Andreas Ostenfeldt, Director | Clayton Utz


Fraudsters and cyber criminals are ramping up their attacks during the festive season. Awareness and action are your best defence. Here's how to spot, stop, and respond to the top digital scams targeting your business.

1. Business Email Compromise (BEC)

Business Email Compromise (BEC) occurs when criminals use social engineering to access email accounts, impersonate the owner, and launch further scams – often by tricking employees into revealing login credentials or MFA codes.

  • How to spot: Be on the lookout for phishing attempts, such as emails or messages pretending to be from trusted sources asking for login details, passwords, or multi-factor authentication (MFA) codes. Requests that seem urgent or unusual should raise suspicion.
  • How to prevent: Ensure MFA is enabled on all email accounts and train employees to never share authentication codes. Emphasise the importance of verifying any unexpected login requests or password resets with the IT team.
  • What to do next: If a BEC occurs, immediately investigate (or seek help) to determine whether data has been accessed or compromised. Look for evidence of fraudulent activity, such as fake invoicing or phishing emails sent from the compromised account. Implement measures like password resets and additional security controls, and check that the account is not forwarding mail to email domains you don’t recognise.
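The "check for forwarding" step above is easy to do by hand for one mailbox and tedious across a whole finance team, so here is an added example (not part of the original article) of the kind of audit script an IT team might run over an export of inbox rules. The rule records, the internal domain and the field names are constructed assumptions, not any mail platform's real export format; the point is the three indicators it raises: forwarding to an external domain, rules that hide or delete finance-related mail, and rules with a blank or one-character name.

```python
"""Audit exported mailbox inbox rules for Business Email Compromise indicators.

Added example, not code from the original article. The records below are
constructed to resemble an export of users' inbox rules; the field names are
assumptions rather than a specific mail platform's schema.
"""

# Domains the organisation owns (constructed); anything else is external.
INTERNAL_DOMAINS = {"example-corp.com.au"}

# Subject keywords that commonly appear in attacker-created rules built to
# hide finance or credential traffic from the real mailbox owner.
SUSPICIOUS_KEYWORDS = ("invoice", "payment", "bank", "remittance", "password", "mfa")

# Folders where a rule can park messages so the owner is unlikely to see them.
HIDING_FOLDERS = ("RSS Subscriptions", "Junk", "Deleted Items", "Conversation History")

# Constructed sample export: one dict per rule.
SAMPLE_RULES = [
    {"mailbox": "cfo@example-corp.com.au", "name": "Archive newsletters",
     "forward_to": [], "subject_contains": ["newsletter"],
     "move_to_folder": "Archive", "delete": False},
    {"mailbox": "cfo@example-corp.com.au", "name": ".",
     "forward_to": ["collector@freemail-example.net"],
     "subject_contains": ["invoice", "payment"],
     "move_to_folder": "RSS Subscriptions", "delete": False},
    {"mailbox": "ap@example-corp.com.au", "name": "Backup copy",
     "forward_to": ["ap-backup@example-corp.com.au"], "subject_contains": [],
     "move_to_folder": None, "delete": False},
    {"mailbox": "ap@example-corp.com.au", "name": "Clean up",
     "forward_to": [], "subject_contains": ["password"],
     "move_to_folder": None, "delete": True},
]


def external_domain(address: str) -> bool:
    """True when the address's domain is not one the organisation owns."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def audit_rule(rule: dict) -> list[str]:
    """Return the indicators raised by one rule (an empty list means clean)."""
    findings = []

    external = [a for a in rule["forward_to"] if external_domain(a)]
    if external:
        findings.append("forwards to external address(es): " + ", ".join(external))

    keywords = [k for k in rule["subject_contains"] if k.lower() in SUSPICIOUS_KEYWORDS]
    hidden = rule["delete"] or rule["move_to_folder"] in HIDING_FOLDERS
    if keywords and hidden:
        action = "deletes" if rule["delete"] else "moves to " + rule["move_to_folder"]
        findings.append(f"hides messages matching {keywords} ({action})")

    if len(rule["name"].strip()) <= 1:
        findings.append("rule name is blank or a single character, which is often used to avoid notice")

    return findings


def audit(rules) -> dict[str, list[str]]:
    """Map 'mailbox / rule name' to findings for every rule that raised at least one."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report[f"{rule['mailbox']} / {rule['name']!r}"] = findings
    return report


if __name__ == "__main__":
    for key, findings in audit(SAMPLE_RULES).items():
        print(key)
        for finding in findings:
            print("  -", finding)
```

Run against the sample, the script flags two rules: the CFO's one-character rule that forwards invoice and payment mail to an outside address and buries it in the RSS folder, and the accounts-payable rule that silently deletes password-related mail. The internal backup forward and the newsletter rule are left alone, which is the behaviour you want so that staff keep trusting the report.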

2. Fake invoice scams

In this scam, fraudsters send fake invoices that appear to come from legitimate suppliers, tricking businesses into transferring money to the wrong account. Often, these invoices are sent from compromised email accounts of trusted suppliers.

  • How to spot: Look for discrepancies in invoice details, such as changes in payment account numbers or slight differences in the sender’s email address. Unsolicited invoices for services or goods you didn’t order are another clear warning sign.
  • How to prevent: Verify payment details with suppliers through a trusted channel before processing invoices, especially if the payment account details have changed. Train your finance team to follow strict approval processes and to call the contact who normally sends you invoices. Check that the phone number has not changed, and that you are calling the right person.
  • What to do next: If you’ve paid a fake invoice, contact your bank immediately to attempt to reverse the transaction. Notify your supplier to confirm their accounts have not been compromised and report the scam to places like ScamWatch.

3. Fake subscription scams

These scams involve fake renewal notices for subscriptions, domains, or software licenses.

  • How to spot: Be wary of vague emails requesting immediate payment for subscriptions you don't recognise. Fake notices often use generic terms like "service renewal" and create a sense of urgency, especially during busy seasons, to pressure you into taking quick action.
  • How to prevent: Keep a detailed record of all subscriptions and their renewal dates. Avoid clicking links in unsolicited emails; instead, visit the service provider’s official website to verify details.
  • What to do next: If payment details have been shared, notify your bank and review your accounts for unauthorised charges. Update and educate your staff on the scam to prevent repeat incidents.

4. Tech support scams

Fraudsters pose as IT technicians, contacting businesses to “resolve” fake system issues while gaining unauthorised access to devices.

  • How to spot: Unsolicited calls or emails from IT providers claiming your systems are compromised. Legitimate IT providers will rarely contact you unprompted or ask for remote access.
  • How to prevent: Train employees to never allow remote access unless verified through your internal IT team or trusted provider. Keep your software and systems updated to reduce vulnerabilities.
  • What to do next: If remote access has been granted, disconnect the affected device from your network and contact your IT provider immediately to assess for malware or unauthorised changes. Check that your cloud accounts have not been signed into by anyone other than you.

5. Charity scams

Scammers take advantage of the holiday season by posing as charities and soliciting fake donations.

  • How to spot: Watch for high-pressure tactics, unregistered charities, or requests for unconventional payment methods like cryptocurrency or gift cards.
  • How to prevent: Verify charities through the Australian Charities and Not-for-profits Commission and donate only through official websites.
  • What to do next: If you’ve been scammed, notify your bank or card provider immediately, monitor your accounts for fraudulent charges, and report the scam to ScamWatch.

6. Social media scams

Fraudsters create fake social media accounts impersonating businesses or hijack legitimate accounts to target customers.

  • How to spot: Watch for suspicious activity, such as posts offering unrealistic discounts or complaints from customers about unusual interactions.
  • How to prevent: Secure your accounts with MFA and monitor for fake profiles. Inform your followers about how to verify official accounts.
  • What to do next: Report fake accounts to the platform, inform your customers, and review and tighten your account security settings.

7. Employment scams

Scammers impersonate your business to offer fake jobs, tricking applicants into paying money or sharing personal information.

  • How to spot: Fake job offers often require upfront payments or promise unrealistic benefits.
  • How to prevent: Use trusted platforms for job postings and clearly communicate your hiring process. Monitor for unauthorised job ads using your business name.
  • What to do next: Notify affected applicants, report fraudulent job ads, and implement monitoring tools to detect misuse of your brand.

8. Deepfake scams

AI-generated videos or audio recordings impersonate business leaders to trick staff into taking unauthorised actions. Deepfakes are also used for blackmail, or to misuse your brand to influence your customers.

  • How to spot: Be cautious of requests deviating from standard procedures or demanding secrecy, especially if they seem to come from a senior executive. Unfamiliar videos or audio posts, or those that feel out of character, should raise suspicion.
  • How to prevent: Develop a deepfake and AI incident response plan, detailing steps such as who to contact, how to request takedowns of fake material, and how to prove that media is not genuine (for instance through digital watermarking).
  • What to do next: Activate your response plan, report the incident to legal teams, and consider contacting police and ScamWatch.

9. AI-Generated fake websites

Scammers use AI to create fake websites that mimic legitimate businesses, aiming to steal data or money. This is particularly pertinent for e-commerce shopfronts.

  • How to spot: Look for subtle URL differences, inconsistent branding, or low-quality content. Regularly search for websites that are similar to yours.
  • How to prevent: Use monitoring tools to track unauthorised mentions of your brand online. Protect your site with TLS (SSL) certificates and distinctive branding. Regularly check for websites with similar names.
  • What to do next: Report fraudulent sites to hosting providers and search engines. Notify your customers to prevent further confusion.
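Sections 2 and 9 both come down to the same check: does this sender address or web address actually belong to a domain we trust, or is it a near miss? The following is an added example (not code from the original article) of a small screening routine a finance or IT team could run over invoice sender addresses and over hostnames found in brand-monitoring results. The trusted domains and all sample addresses are constructed placeholders; the technique goes slightly beyond the text in that it folds common look-alike characters (0 for o, 1 for l, "rn" for m) before comparing, so that typosquats survive the check.

```python
"""Screen email senders and URLs for look-alike domains.

Added example, not from the original article. TRUSTED_DOMAINS and every
sample value are constructed placeholders for a business's real suppliers
and shopfront.
"""
from urllib.parse import urlparse

# Domains the business genuinely deals with (constructed).
TRUSTED_DOMAINS = ["example-supplier.com", "myshopfront.com.au"]

# Characters and pairs scammers commonly swap for visually similar ones.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m"}


def normalise(host: str) -> str:
    """Lowercase a host, fold look-alike characters and drop hyphens."""
    host = host.lower()
    for fake, real in HOMOGLYPHS.items():
        host = host.replace(fake, real)
    return host.replace("-", "")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by dynamic programming (one row at a time)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_of(value: str) -> str:
    """Extract the host from either an email address or a URL."""
    if "@" in value:
        return value.rsplit("@", 1)[1].lower()
    parsed = urlparse(value if "://" in value else "http://" + value)
    return (parsed.hostname or "").lower()


def classify(value: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for an address or URL."""
    host = host_of(value)
    # Exact match or a genuine subdomain of a trusted domain.
    for good in trusted:
        if host == good or host.endswith("." + good):
            return "trusted"
    for good in trusted:
        # Trusted name buried inside another domain, e.g.
        # example-supplier.com.billing-portal.net
        if good in host:
            return "lookalike"
        # A one- or two-character difference after folding homoglyphs.
        if edit_distance(normalise(host), normalise(good)) <= 2:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for sample in ["billing@example-supplier.com",
                   "billing@examp1e-supplier.com",
                   "accounts@example-supplier.com.billing-portal.net",
                   "https://myshopfr0nt.com.au/checkout",
                   "sales@unrelated-vendor.org"]:
        print(f"{classify(sample):9s} {sample}")
```

A "lookalike" verdict is a prompt to pick up the phone and verify through a channel you already hold, exactly as section 2 advises; it is not proof of fraud. The fixed distance threshold of 2 suits domain names of typical length; for very short trusted domains it will be noisy and should be lowered, and the homoglyph table should be extended with whatever substitutions you see in your own reports.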

Stay vigilant to protect your business, employees, and customers. Make the "how to spot" tips part of your daily routine.

Regularly check trusted resources like the Australian Cyber Security Centre, ScamWatch and Stay Smart Online for updates on new threats. Most importantly, educate and empower your team to recognise scam signs, follow prevention protocols, and report suspicious activity immediately. Share this article with your staff to keep scams top of mind as we approach year-end. Together, we can foster a safer environment for businesses during this busy season and beyond – by staying vigilant.

Brenton Steenkamp is the lead partner heading up Clayton Utz's cyber security practice. Andreas Ostenfeldt is a highly experienced cybersecurity expert, specialising in cyber crisis management and incident response.