The Busselton Tennis Club was recently the victim of cyber theft which resulted in the loss of some money after they were targeted by scammers.
The club’s president Barry House issued a warning to other sporting and community clubs that the scammers used what appeared to be legitimate email addresses, obtained from websites, to send fake invoices for payment.
Mr House said replies were then intercepted by the scammers before reaching the legitimate address and innocent people were drawn into paying funds into what appeared to be a legitimate bank account with a major bank.
“These funds are instantly transferred and the money is lost,” he said.
The tennis club reported the crime as soon as it was detected to the fraud squad and their bankers but the chances of recovering the funds were remote.
Mr House said there was anecdotal evidence to suggest other clubs in the region had also been targeted in this manner.
Unfortunately group insurance policies for sporting clubs usually had an excess of $10,000 for management liability, which was high because of the prevalence of this cyber theft, Mr House said.
“In view of our experience we urge clubs to be wary of placing personal email addresses of committee members on their websites,” he said.
“Be wary of communications by email between members and the general public before paying invoices and always verify requests for payment personally or by phone before transferring money.”
A WA Police spokesperson said this type of scam where fraudsters posed as chief executive officers or third-party suppliers was known as a ‘man in the middle scam.’
The spokesperson said it targeted state government, local government, major utility companies and small, medium-sized and big businesses
“Any person or organisation was equally at risk of cyber theft, it was dependent on the security system employed to protect your computer and the skills, knowledge, awareness and diligence of the person behind the keyboard,” the spokesperson said.
“People were generally the weakest link in any security chain, and a vast number of data breaches are the result of information being lost, or distributed to the wrong person.
“Even the seemingly mundane can have far reaching consequences, particularly where sensitive personally identifiable information is involved.”
The spokesperson said be suspicious of phone calls, emails or letters from a supplier seeking a change to the bank account details you use to pay them.
“Use the correct, verified number from the supplier’s website, or the one you have on file, to call a known contact directly to confirm if the request is legitimate,” the spokesperson said.
“If emailing, type the known email address (double check it) in the ‘to’ section rather than replying to an email received.
“Know that a BSB search, which can easily be done online, will reveal details about a bank account you have been asked to send to.”
The spokesperson said the people behind this scam researched the target organisation (often specifically the area that handles invoices) and its suppliers.
“This research may involve phone calls to the paying organisation asking about the name of an officer in finance or the person who pays invoices,” the spokesperson said.
“The research may involve emails containing links to ‘phish’ for information, potentially by installing spyware on the recipient’s computer or to infiltrate the organisation’s wider network.
“The scammers pretend to be a supplier and contact the organisation about work carried out, or products provided.”
Scammers ask for a change to the payment process, supplying alternative bank account details for the paying organisation’s financial systems.
Bank account details given are for an account the criminals have access to.
“Understandably, in a busy commercial operation, a person may not always take all of the steps that they ought to,” the spokesperson said.
“If a fraudster successfully dupes you into paying, the first step will always be to contact the bank from which you made payment.
“In some circumstances, such as in SWIFT payments, the bank might be able to withdraw the payment if the fraudster has not yet received the money.
“In any event, the bank will be able to apply a trace to the funds which may assist in later recovery.
“Your bank will often be able to provide details of the bank which received the payment, you could approach this bank, seeking information about the identity of the account holder.
“It is rare that a bank will be able to provide this voluntarily given its data protection obligations, but often the bank will agree not to object to an application to the court for an order.”
“You could also consider seeking freezing relief against the fraudster at this time.
“With a degree of luck, you might freeze the funds and be able to recover them pursuant to a claim in deceit or restitution.
“Clearly, the earlier you take action, the more likely it is that recovery will be made (as there has been less time for the fraudster to hide the proceeds of the fraud).”