How scammers duped a woman into handing over $75,000

Recent reports of invoice fraud involving one of the world's biggest companies Tesla are a reminder that even basic measures can help slow the rise of such scams.

Invoice scamming involves cybercriminals impersonating businesses, intercepting emailed invoices, changing bank account details and then robbing the invoice amounts from unsuspecting customers. Payments are sent to a fraudulent account.

But good payment practises by businesses and banks can help to avoid such outcomes. Tesla has been urged to review its payment practices in Australia after two local car buyers reportedly lost thousands to invoice scammers.

One customer in Perth was reportedly sent an email by Tesla with an invoice for around $75,000 for the purchase of a Tesla Model 3. That invoice was then intercepted by hackers and the bank details changed. The customer unknowingly paid the money to a fraudulent bank account listed on the invoice. The same happened to another customer in Sydney last December.

This is not the first time this has happened to Tesla. In 2019, a similar incident was reported in the UK, where one buyer said Tesla sent out unsecured payment requests via email that was intercepted by scammers. Tesla's bank details were changed, and the buyer paid £9250 to a scammer's account.

Tesla customers are not the only victims. Invoice scamming is becoming more common.  Last year, a Melbourne concreting company invoiced a building company for $51,000. On receiving the invoice, the builder paid that amount into what he thought was the concreting company's invoice. Instead, it went to a scammer's bank account, who had altered the banking details on the PDF invoice.

While we can't be sure how these scams happened, it is possible that the perpetrators downloaded the original emails from the recipients' mailboxes, before generating and sending duplicate invoices with fraudulent bank account details.

What is clear is that such scams will continue to happen if businesses send invoices via email with bank account details. All businesses need to stop and ask if they are adopting best practise measures to avoid invoice scamming, and customers must be extremely wary of transferring large amounts of money to bank accounts listed on emailed invoices.

Tesla's head Elon Musk has said that Bitcoin payments are now available to customers in the US, and the company will reportedly make available Bitcoin payments to customers in Australia later this year, which will likely introduce fresh opportunities for criminals to commit fraud.  Bitcoin transactions offer no mechanism to verify where the payment is going and payments can potentially be untraceable once made.  With no regulating body and Bitcoin addresses being complex sequences of seemingly random characters, taking payments using crypto-currency is likely to only make the problem worse.

As a minimum, vendors should stop sending invoices to customers with bank details disclosed.  Organisations should instead set up secure online payments systems that have been tested fully for vulnerabilities to fraud. Moreover, if businesses can accept payments through a secure online service, then sticking with that system and not offering customers the option to pay directly to a bank account listed on an emailed invoice would be a safer practice.

Where bank account transfers are still a necessity, banks could display the recipient account name prior to making a transfer.  This is partly implemented with the payee typically seeing the destination bank so it wouldn't be too hard to extend this to display the recipient account name to provide reassurance to the payee that their money is going where they were expecting.

This would mirror the PayID approach - although the banks would need to carefully implement this solution to ensure they don't repeat what happened in 2019 where thousands of account names were matched with email addresses/phone numbers were obtained after criminals used several online bank accounts to carry out more than 600,000 lookups over the course of six weeks, reportedly by simply entering phone numbers in sequential order.

Using PayID is a possible solution for businesses. A PayID is a unique identifier such as your mobile number or email address, that you can link to your bank account to make and receive payments. However, if someone sets up a fake account with a meaningful name, for example, 'Tesla EV Australia' when that name appeared in the PayID verification, a user could still be lured into making a payment to a scammer.

But, it does place an additional hurdle that may deter some fraudsters. Invoice scamming involving altering a PayID is less likely than invoice scamming via emailed invoices as the PayID process displays the 'name' of the account holder to the payee.  As banks do have ID checks for business accounts (typically involving an ABN), it could be worthwhile for businesses to insist on customer payments using PayIDs to provide reassurance for consumers.

PayID is, of course, not the only solution to avoiding invoice fraud. However, PayID is currently opt-in only and businesses must register for the service. Until PayID is universal for everyone, both businesses and consumers, the banks are not likely to insist on PayID payments only.  Mandated PayID would also require everyone to have either an email or mobile number - we still circulate cash in large quantities and have physical statements emailed out, we're not ready for that just yet! So for now, businesses need to implement secure and robust online payments platforms. Eliminate the emailing of invoices is a first step.

And for customers who cannot avoid transferring large amounts direct to a bank account, it would be worthwhile ringing up the payments department to verify bank account details first.

Get stories like this in our newsletters.