NSW Police have charged two men over their alleged involvement in a $2.6 million email scam syndicate.

The scam involved sending altered invoices to legitimate businesses, which unwittingly paid the scammers, who then transferred the money into their personal bank accounts.

Police conducted raids on two Sydney properties on Thursday morning where they seized computers, phones, drugs, $5,000 cash and another $12,400 in US cash.

One of the men, a 29-year-old arrested in Zetland, was believed by police to be the leader of the syndicate and faces charges related to directing a criminal group.

Police allege he gained more than $1.6 million, and tried to get nearly another $1 million, through email scams from mid-2018 until early this year.

The other man, a 30-year-old arrested in Rosebery, was arrested for handling the proceeds of crime, for his involvement in the syndicate, and on drugs charges.

Commander of the NSW Cybercrime Squad, Matthew Craft, said cybercrime presents “a unique challenge for law enforcement”.

“These arrests are a timely reminder for all individuals and businesses to have strong cyber security measures in place for protection,” Craft said.

“During this investigation, officers uncovered a criminal network targeting hard-working Australian businesses through a series of sophisticated email scams,” Det Supt Craft said.

“Police will allege the [email scam] group stole money from a range of businesses including those in property development, finance, construction and other trades.

“Victims of cybercrime offences are not limited by state and territory borders and police will allege this syndicate targeted companies right across the country.”

Detectives arrest one of the men involved in the email scam syndicate. Source: NSW Police

Police charged three other people last year in relation to the same investigation.

NSW Police also arrested a man in February over an alleged $11 million online identity fraud scheme.

Business email compromise scams

Business email compromise (BEC) scams – where finance staff are deceived into paying fake invoices – are becoming increasingly common.

In 2018 alone, it was estimated that Australian businesses lost more than $60 million from this type of scam.

An ice rink in Sydney’s South West fell victim to a BEC scam earlier this year after receiving changed payment details for a new ice resurfacer it was purchasing.

The ice rink ended up losing $77,000 to an unknown Hungarian bank account.

Currently, the COVID-19 outbreak is creating a new set of challenges for businesses trying to shore up their cyber defences.

There has been a notable rise in the number of coronavirus-related scams in recent weeks.

Once COVID-19 began spreading across the globe, malicious actors were quick to restructure their attacks, using coronavirus keywords to deliver payloads and gain access to networks.

And with many Australian businesses trying to operate remotely to help encourage social distancing, networks could be more vulnerable as they are spread away from centralised IT systems.

The Australian Cyber Security Centre has a list of strategies to mitigate the effects of cyber attacks during the COVID-19 outbreak, including:

  • Keeping VPNs and firewalls updated
  • Securing remote desktop environments
  • Using multi-factor authentication
  • Educating staff in cyber security

If you believe you have spotted a scam, you can report it to Scamwatch.