Scammers can benefit from impersonating employees or managers of small businesses to trick legitimate employees into providing sensitive information, transferring money, and/or granting access to a business’s systems or network. It is essential for small businesses to be aware of how to detect impersonation scams to prevent any financial or reputational harm to their business.
Impersonation of business owners, who often are easier to impersonate as they may have publicly available information on the company website or social media.
Impersonation of administrative assistants, who have authority to act on behalf of business owners.
Impersonation of human resource managers or business accountants, as these roles often are trusted to handle sensitive information about employees. Scammers may use the identity of these employees to trick other employees into divulging personal information, such as banking details, account information, contact details, schedules and tax file numbers.
Impersonation of general managers (or other employees in authority positions) may be used by scammers to engage new or entry-level employees to direct them to undertake certain tasks, such as purchasing gift cards with a promise of reimbursement.
Using an employee's identity to contact the business’s accountants and request that the employee's bank details be changed to the scammer's bank account in order to redirect payroll payments.
Impersonating employees to scam legitimate customers or third-party entities of the business through payment redirection scams, where scammers intercept a legitimate invoice being sent from a business and change the bank account details to their own before sending the email to the customer.
The impersonation of employees is usually conducted using an employee’s email address. It commonly occurs by either:
Compromising the employee's account, where scammers are able to monitor emails on the account and send emails from the legitimate address.
Spoofing the employee’s email address, where the scammer has created a fraudulent email account with an address that looks similar to the legitimate one, using a similar display name or domain name (the text after the @ sign in the address, such as @gmail.com). You can tell an impersonation email is from a spoofed address if there are any differences in the spelling of the address, its domain name, or the email provider used (e.g. Gmail, Hotmail, Outlook) when compared to the legitimate address.
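One way to automate the spelling, domain and provider comparison described above, as an added example that is not part of the original fact sheet: the staff directory, company domain and sample addresses are constructed assumptions.

```python
import unicodedata
from email.utils import parseaddr

# Constructed sample staff directory and company domain (assumptions for this
# example, not data from the fact sheet): address -> display name on file.
STAFF = {
    "jane.smith@examplebiz.com.au": "Jane Smith",
    "accounts@examplebiz.com.au": "Accounts Payable",
}
LEGIT_DOMAINS = {"examplebiz.com.au"}
# Consumer webmail providers: a "colleague" writing from one of these is itself a red flag.
FREE_MAIL = {"gmail.com", "hotmail.com", "outlook.com", "live.com", "msn.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_red_flags(from_header: str) -> list[str]:
    """Return the spoofing indicators found in a From: header (empty list = known staff address).

    An empty result does not prove the mail is genuine: a compromised account sends
    from the real address, which is why payment requests still need a verbal check.
    """
    name, addr = parseaddr(from_header)
    addr = addr.strip().lower()
    # Fold accented letters to ASCII so 'jane.smíth' is compared against 'jane.smith'.
    folded = unicodedata.normalize("NFKD", addr).encode("ascii", "ignore").decode()
    if addr in STAFF:
        return []
    flags = []
    if folded != addr:
        flags.append("address contains non-ASCII characters")
    local, _, domain = folded.rpartition("@")
    if domain in LEGIT_DOMAINS:
        flags.append(f"unknown mailbox '{local}' on the company domain")
    elif domain in FREE_MAIL:
        flags.append(f"sent from consumer webmail provider {domain}")
    else:
        for legit in LEGIT_DOMAINS:
            if edit_distance(domain, legit) <= 2:
                flags.append(f"lookalike domain '{domain}' (close to '{legit}')")
    # A real employee's display name or mailbox name attached to a different address.
    if name.strip().lower() in {n.lower() for n in STAFF.values()} or local in {a.split("@")[0] for a in STAFF}:
        flags.append(f"identity of a known employee used with the unrecognised address {addr}")
    return flags
```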
Signs of Employee Impersonation
Employee impersonation attempts often share characteristic red flags, which can help equip employees to identify a deceptive communication. These shared characteristics include:
A sense of urgency: scammers will often put time pressure on the people they contact to minimise the possibility of them taking the time to verify the legitimacy of the communication.
Instruction to click a link: scam communications often emphasise the need to click on a link, as a means to gain sensitive information from the targeted victim.
Request for payment: scammers may request payment urgently, especially via physical gift cards or online gift cards.
Inconsistent language: scammers impersonating employees may use language which is different from what would normally be expected of the employee.
There are multiple steps a business can take to help mitigate the risk of employee impersonation.
Train employees on identifying impersonation attempts: Entry-level or new employees are particularly vulnerable to employee impersonation via electronic communication (such as emails or messages) as they may be less likely to be able to verify the legitimacy of a message or email. A common impersonation scam involves criminals impersonating business owners or managers to ask entry-level employees to purchase gift-cards, send money, or reveal company passwords. Businesses should ensure that all employees receive adequate training on how to identify suspicious communications.
Enforce strict protocols for financial and information change requests: Scammers will often use employee impersonation to request money, or to request personal information to be changed – for instance, requesting that legitimate bank account details are changed to their details. Businesses should establish a strict protocol for such requests, adding a second step of independent verification before fulfilling the request. For instance, an email from an employee requesting payment should be verbally verified by calling the employee (using the phone number of the employee that is stored in their file, and not any phone numbers contained in the initial email).
Consider privacy protection: Scammers can use information openly available online to appear more credible if they impersonate a business. Employees should be careful posting information online that identifies their workplace, position, work email address, and personal email address – this can make them easier to impersonate.
Enforce multi-factor authentication (MFA): The use of MFA across a business should be mandatory. MFA adds a second verification step for online account access, following a user entering their login details. MFA methods include one-time passcodes sent to a trusted mobile phone number or email address, or the use of an authenticator app. MFA adds an extra layer of security that can help prevent a business’s account being compromised.
Educate clients: Remind customers that the business will only ask for payments to their legitimate bank account. Further, encourage customers to contact the business directly via the official contact number if they receive an invoice that contains different bank account details to any previous invoice. List the phone number on your business's official website and tell customers to not use links or contact details given in an invoice if it is suspicious.
If someone has sent an email impersonating an employee, determine whether the email came from the employee’s legitimate email address. If it was sent from the legitimate address, it is most likely that the employee’s email account has been compromised. However, if the scammer is using a fraudulent email address which looks similar to the legitimate one, it is likely the result of email spoofing.
1. Act quickly to contain the email account:
Log off all machines and reset the account’s password.
Check the affected accounts for:
o Forwarding rules, and delete any you don’t recognise.
o Rules involving RSS Feeds.
o Changed account recovery settings, for example unknown phone numbers or email addresses you may not recognise. Cybercriminals can change recovery settings to allow them to regain access after the account password has been changed.
o Unrecognised email folders.
o Any unrecognised activity in the Sent and Deleted Items Folders, including in the Trash Can, to assess what actions the scammer has taken.
o Any third-party apps or services that have access to your account. Remove any that are linked to your account that you don’t recognise.
Implement multi-factor authentication on all user accounts. The majority of business email compromise (BEC) attacks start with an account compromise, and the best way to protect against account compromise is to activate multi-factor authentication.
Sign your account out of all other devices and check your login activity to see if your account has been accessed from unusual locations or at unusual times.
2. If you have any network-accessed devices (such as network storage devices), check their recovery settings, change their passwords, and implement multi-factor authentication.
3. Notify relevant contacts to minimise damage
Notify the relevant manager/s or team/s within your business who handle internal accounts receivable, accounts payable and payroll, and ensure all requests for changes to invoices (payable and receivable) and payee account details are first verified with a follow-up phone call or in-person confirmation.
Contact your financial institution without delay and request the block or suspension of any unauthorised payments. Your financial institution should then initiate an investigation and come back to you with information regarding the payment.
Notify other relevant contacts and third parties, such as customers, colleagues and suppliers, and advise them to be vigilant to any suspicious or fraudulent emails, such as those which refer to changing bank details, requests for payments, or unusual links or attachments. Confirm that any changes requested by your business must be further verified using an alternative channel of confirmation, such as calling your business’s number from its official website, and to not trust contact information or links in suspicious emails or invoices.
4. If the compromise has caused serious harm to your contacts
You may have further mandatory reporting requirements to your customers if they have experienced harm, as well as legal obligations to report a data breach.
If the scammer has gained unauthorised access to customer or employee personal information as a result of the compromise, it is advised you seek advice to determine whether the event is deemed to be a notifiable data breach.
For Australian businesses, seek advice from the Office of the Australian Information Commissioner (OAIC). For further details on the OAIC’s Notifiable Data Breaches scheme or to seek legal support regarding mandatory reporting obligations, please visit the OAIC website.
If you intend to notify impacted individuals from the compromise and would like support from IDCARE, please complete an organisation support services form on our website.
Where invoices have been paid by contacts to a fraudulent account, seek advice from the bank from which the money was sent in relation to responsibility, liability or funds recovery. You may also choose to seek legal advice or engage legal aid in your State/Territory for general advice.
5. Report the matter to law enforcement.
When you submit your report, you will receive a reference number which you should keep on record. The information in your report will be sent to the appropriate police jurisdiction for assessment, however, note that not all reports are investigated.
For Australians go to www.cyber.gov.au - ReportCyber is an online cybercrime reporting system operated by the Australian Cyber Security Centre.
1. Complete the first step in the previous checklist, titled ‘Act quickly to contain the email account’.
2. Protect your Domain
Contact the registrar of the fraudulent domain name and request that it is taken down.
o You can find out the registrar of the domain by performing a whois lookup for .au domains at whois.auda.org.au and for international domains at lookup.icann.org.
o The lookup results may list a Registrar Abuse Contact Email to send takedown requests to. If there is no abuse contact email provided, perform an internet search to find the registrar’s website and look for an abuse form or contact email there. Once you have the registrar’s contact details, send a takedown request.
o Include in your takedown request information about the fraudulent domain name and how it is similar to your own. You can do this by taking note of the Registrant, Registrant Name and Registrant ID (which is typically an Australian Business Number (ABN) or an Australian Company number (ACN) for domains ending in .au). This is helpful because often scammers will use your details for these fields when creating the domain to make it appear more legitimate.
Submit a complaint to the auDA for domains being used for impersonation.
o The .au Domain Authority (auDA) is the official Australian authority and regulatory body for .au domain names, such as those ending in com.au, net.au or org.au.
o You should submit a complaint to the auDA at auda.org.au if a scammer is using an Australian domain name which references your registered business name or is a misspelling of your domain name.
3. Contact the email provider of the fraudulent address
If the fraudulent email is using a common email provider (such as Outlook, Gmail, Hotmail) to impersonate the victim, you may be able to send an abuse report to the email service provider, where they may conduct an investigation or take action.
o For Gmail, submit an abuse report here.
o For Hotmail, Outlook, Live or MSN, report the email as an attachment to abuse@outlook.com.
o For other email providers, access their official website for abuse reporting methods.
4. Report the matter to law enforcement. When you submit your report, you will receive a reference number which you should keep on record. The information in your report will be sent to the appropriate police jurisdiction for assessment, however, note that not all reports are investigated.
For Australians, go to www.cyber.gov.au - ReportCyber is an online cybercrime reporting system operated by the Australian Cyber Security Centre.
If you or a colleague has clicked on a link or downloaded an attachment sent from a fraudulent email impersonating an employee, your device may be infected with malware. Visit IDCARE’s Fact Sheet on Malware and Small Businesses.