False billing scams were the most common scam reported by small businesses, with this scam making up three quarters of all losses to businesses.
But it was a specific type of fake billing scam, called payment redirection scams or business email compromise scams, that hit small businesses hardest.
In these scams, the cyber-criminal will pretend to be a business or an employee and request an upcoming payment to be directed to a fraudulent bank account.
These scams have resulted in $14 million in losses and reported by 1,300 businesses.
The damage of this type of scam has nearly tripled since 2019, where only 900 businesses reported it and losses were at $5 million at the time.
“One thing we know about scammers is that they will take advantage of a crisis,” said ACCC deputy chair Mick Keogh.
In one instance, online criminals targeted farmers wanting good deals on tractors and farm machinery and advertised equipment at very low prices but advised farmers they could not see the machinery before purchasing because of COVID restrictions.
In total, farmers fooled by the scams paid a total of $1.1 million for the fake equipment that never existed.
Health and medical businesses were also popular targets of scammers, with these businesses fleeced $3.9 million as they bought what they thought was personal protective equipment.
Victorians were hardest-hit by scammers in 2020, having undergone several lockdowns over the year.
Scammers also fleeced people out of their funds by pretending to be from apps and organisations like Tinder and the Australian Taxation Office.
What should I do if I’m the victim of an email scam?
If you’ve been hit by a fraudulent email, the most important thing to do is protect your identity.
Scamwatch also advises Australians to let your bank and financial institution know immediately if you think you’ve provided your details to a scammer.
Additionally, update all your technology software to the latest version.
How can you get the money back?
Your first point of contact should be your bank: the Australian Cyber Security Centre states that most banks will cover losses if someone makes unauthorised transactions in your account, “as long as you have protected your client number and passwords”.
The sooner you let your bank know, the better, according to the government’s MoneySmart platform.
You are likely to get your money back if it is still in the recipient's account and if you report it to your bank within 10 business days, after 10 business days (but it will take longer to get your money back), [or] after seven months (if the recipient agrees to the refund).”