Sabrina works as a receptionist for a small conveyancing business called “Saffron Conveyancing”. The business is owned by Gary, who employs four staff members (including Sabrina) and leases a small office space in the city.
Saffron Conveyancing has five email accounts—one for each staff member (e.g. email@example.com), and a generic firstname.lastname@example.org account that is managed by Sabrina.
This reception account receives customer enquiries and is the main point of contact for the business.
While Gary was away on annual leave, he sent an email to the reception email address advising that he had just changed banks. The email included the new bank account details and asked if it could be updated for the next pay cycle, which was in a few days’ time.
Sabrina provided the new details to her colleague who was responsible for payroll and asked them to update Gary’s banking details as soon as possible.
A week later, Gary had returned to work and asked his staff why his payslip hadn’t been sent out. When they realised Gary was the only one who hadn’t been paid, the staff member responsible for payroll mentioned that it might be an issue with his new bank.
This took Gary by surprise as he didn’t have a new bank. Sabrina showed him the email, which Gary had no recollection of.
On closer inspection Sabrina noticed a spelling error in the email address:
- Legitimate email address: email@example.com
- Impersonated email address: firstname.lastname@example.org
Gary immediately contacted Saffron Conveyancing’s bank but it was too late, the funds had already been transferred to the fraudulent account.
To limit the damage Sabrina followed these steps:
- She outlined the situation and submitted a report to the police through ReportCyber on cyber.gov.au
- She included the steps they had taken so far, as well as a plan for other actions they were about to take.
- All staff members reviewed the security settings on their email accounts in case a cybercriminal had gained access and was spying on their emails.
- Saffron Conveyancing then notified all of their clients and contacts that a malicious actor was impersonating their business.
- They advised that the malicious actor may be targeting the contacts with financial scams and warned everyone to be aware of suspicious emails that appear to be from Saffron Conveyancing.
- They looked up the registrar of the fraudulent saffronconveyacning.com.au domain name and sent them a takedown request to shut down the domain.
- Finally, they also sent an official complaint to auDA.
Following the incident, Gary decided to introduce a new policy for his business. Whenever someone receives an email request to change bank details for staff or clients, they must ring the sender of the email using a phone number they know to be correct to confirm that the request is legitimate.
Additionally, Gary sought advice from the ACSC’s Small Business Cyber Security Guide and rolled out cyber security awareness training to his employees.
While the money they had already lost could not be recovered, the malicious saffronconveyancing.com.au domain name was successfully shut down before further harm could be done.
After notifying everybody about the impersonation, a few contacts advised that they had received suspicious emails, but since then there were no additional reports.
Thanks to Saffron Conveyancing’s quick actions, there were no further victims of this cybercrime.