EXCLUSIVE: Australia’s longest-running ice rink has lost more than $77,000 in an email scam that tricked a director into sending money to a cyber criminal’s bank account in Hungary.

Canterbury Olympic Ice Rink (COIR) in Sydney’s south west purchased a new ice resurfacer machine from UK-based company Marshall’s International.

Shortly thereafter, the not-for-profit co-op ice rink received a legitimate invoice from Marshall’s requesting the amount of $77,216.58 be deposited into its Barclay’s Bank UK bank account.

But before payment could be made, the rink received a second email with an amended invoice.

Although written in broken English, the second invoice appeared to come from the same address as the original email requesting payment.

However, banking details were changed to a different account based in Hungary.

The name of the bank account was changed from Marshall’s to GOROCS TEK KFT.

When COIR asked for documents to verify the change in account details, the cyber criminal threatened to delay delivery of the ice resurfacer and add extra fees.

A COIR director, whom Information Age has chosen not to name, then transferred the monies to the Hungarian bank account.

The scam was only realised a month-and-a-half later when Marshall’s contacted COIR to follow up on the missing payment.

The stolen funds were for the purchase of a new ice resurfacer, a vehicle that cleans and smooths the ice rink's surface. Photo: Facebook/COIR

Broken protocol

The COIR director who transferred the payment was in breach of the rink’s internal procedures, which state that authorisation to make payments requires sign-off by three directors.

However, the director argued he was authorised to make the payment “in principle” because the board had accepted the quote for the machine from Marshall’s.

To complicate matters, the director used a personal email account to communicate with the cyber criminal instead of his co-op email account.

The board was not informed of any of the developments taking place.

COIR asked the director to supply the emails for investigation but the initial email from the cyber criminal had already been deleted.

The offending director was removed from office by a unanimous vote at a board meeting last month.

He was not present at the meeting.

Liability

Discussions over who is liable for the missing $77,216.58 are ongoing.

COIR believes Marshall’s is liable “as the fraud has arisen through a security breach of a Marshalls email account.”

The loss was not covered by COIR’s insurance and none of the monies are expected to be recovered.

A report was submitted to the Australian Cyber Security Centre in December 2019.

In its 2019 Internet Crime Report, the Federal Bureau of Investigation (FBI) in the US – the agency responsible for investigating malicious cyber activity – revealed cyber crime cost businesses more than $US3.5 billion with business email compromise (BEC) and email account compromise (EAC) attacks accounting for half of this ($US1.77 billion).

Such scams involve emails that pretend to come from a legitimate supplier and carry changed bank account details on an invoice, so that the payment is deposited into the wrong bank account.

Crispin Kerr, country manager for enterprise security company Proofpoint, told Information Age BEC attacks are the most expensive problem in all of cybersecurity.

“Our research has shown that the frequency of email impersonation attacks continues to increase as the barrier to entry for cybercriminals is low,” Kerr said.

“The fraudulent messages often pressure victims with an ‘urgent’ action that the bad actors can monetise such as a fraudulent transaction, wire transfer, or data transfer.

“Given the overall success rate and low cost of executing email fraud attacks, it is likely that organisations are only seeing the tip of the iceberg in terms of both direct and indirect damages resulting from these types of attacks, which continue to scale and evolve.”

What to look for

While incidents of BEC attacks are on the increase, there are steps businesses can take to minimise the chance of being scammed.

Aaron Bugal, global solutions engineer at security company Sophos, says when receiving an email requesting payment, properly check the email address – not just the name, but the domain it was sent from.

“Many cybercriminals will slightly tweak the email domain to make it look trustworthy and deceive the receiver, for example by changing an ‘o’ or ‘l’ to a ‘0’ or ‘1’,” Bugal said.

“If you do receive a 'revised' document, double check what has been revised.

“If it’s something sensitive like bank details, call the person or organisation to verify the change.

“If they confirm the revised version was sent, it’s safe to proceed.”
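The two checks Bugal describes, comparing the sender’s domain (not just the display name) against the approved supplier domain after undoing ‘0’-for-‘o’ style substitutions, and diffing a “revised” invoice against the one on file to see whether bank details changed, as an added Python example that is not part of this article or of any product mentioned in it. The supplier domain, field names and invoice values are constructed for illustration.

```python
import re

# Look-alike substitutions the advice above warns about ('0' for 'o',
# '1' for 'l') plus a few other common ones. Multi-character entries
# come first so "rn" is collapsed before single characters are mapped.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}

# Invoice fields whose revision must be verified out of band (by phone).
SENSITIVE_FIELDS = {"account_name", "account_number", "iban", "bic", "bank_country"}


def skeleton(domain: str) -> str:
    """Canonicalise a domain so look-alike spellings collide with the real one."""
    d = domain.lower().strip()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d


def sender_domain(header_from: str) -> str:
    """Pull the domain out of a From header such as 'Name <user@host>'."""
    m = re.search(r"<([^>]+)>", header_from)
    address = m.group(1) if m else header_from
    return address.strip().rsplit("@", 1)[-1].lower()


def classify_sender(header_from: str, approved_domain: str) -> str:
    """'match' for the approved domain, 'lookalike' for a confusable
    spelling of it, 'unknown' for anything else."""
    domain = sender_domain(header_from)
    if domain == approved_domain.lower():
        return "match"
    if skeleton(domain) == skeleton(approved_domain):
        return "lookalike"
    return "unknown"


def review_revision(original: dict, revised: dict) -> dict:
    """Diff a 'revised' invoice against the one on file and say whether
    the change touches bank details that must be confirmed by phone."""
    changed = sorted(k for k in set(original) | set(revised)
                     if original.get(k) != revised.get(k))
    return {"changed": changed,
            "verify_by_phone": bool(set(changed) & SENSITIVE_FIELDS)}


if __name__ == "__main__":
    # Constructed sample data; 'supplier.example' stands in for the real supplier.
    print(classify_sender("Accounts <accounts@supp1ier.example>", "supplier.example"))
    on_file = {"amount": "77216.58", "account_name": "Marshalls", "bank_country": "UK"}
    revised = {"amount": "77216.58", "account_name": "GOROCS TEK KFT", "bank_country": "HU"}
    print(review_revision(on_file, revised))
```

In the COIR case the second email appeared to come from the supplier’s genuine address, so the domain check alone would have passed it; the revision check, which flags the changed account name and bank country for a phone call, is the one that applies there.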

If you do get scammed, though, and realise quickly enough, your first call should be to your bank to request an immediate block of the payment.

“You should also advise the person or organisation you’re in contact with that their email has been compromised to make them aware of the situation,” Bugal added.

Canterbury Olympic Ice Rink is the trading name of the Ice Skating Club of New South Wales Co-Operative Ltd.

COIR and Marshall's International did not respond to a request for comment.