
What to do if your business has been scammed

If you believe your business has been scammed, the steps below can help you to limit the impact. Know you can recover and there is support available, if and when you need it.

Key points:

  • Act quickly to protect your business, customers and suppliers.
  • Take steps to minimise the damage from a scam and assist your business’s ongoing recovery.
  • Support is available.

Act fast

If you think your business has been scammed, take these steps fast:

If you have sent money, do not send any more

Block all contact from the scammer.

Report the scam to your bank or financial institution

Ask them to stop any transactions.

Report the scam

Alert Scamwatch, including impersonations of your business, to help stop the scam and protect others.

Warn your contacts

Warn staff, clients and suppliers to help them look out for suspicious activity, such as requests to change bank details or for large transfers.

Report cybercrime

Alert ReportCyber – your report will go directly to the relevant police jurisdiction, helping to disrupt crime operations.

Contact the Australian Taxation Office (ATO)

Let the ATO know if you know or suspect someone has stolen confidential taxpayer information, which may include employee tax information and banking details.

Be wary of follow-up scams

Especially scams promising to help get your money back.

Contact IDCARE

IDCARE can help you make a plan (free for sole traders and small businesses) to limit the damage.

Consider whether a reportable situation has arisen

For Australian financial services licensees and Australian credit licensees, consider whether a scam impacting your business has given rise to a reportable situation that you are required to report to ASIC.

For more information about reportable situations, see: Reportable situations for AFS and credit licensees.

If you are a licensee regulated by APRA, you may also comply with your obligation to report a reportable situation by lodging a report with APRA – see Regulatory Guide 78 Breach reporting by AFS licensees and credit licensees (RG 78).

Ransom requests

If a scammer asks you to pay a ransom, never do so. There is no guarantee that you will regain access to your information, or that paying will prevent it from being sold or leaked online. You may also be targeted by another attack.

Call the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC) 24/7 Hotline on 1300 CYBER1 (1300 292 371) if you need cyber security assistance. You can find out more information about ransomware from the ASD’s ACSC: Ransomware.

Steps to mitigate and recover from a scam

Escalating the report made to your bank

If you're not happy with how your bank or financial institution responds to your report, you can make a complaint to them. If you are a small business or sole trader and not happy with the response to your complaint, you can then complain externally to the Australian Financial Complaints Authority (AFCA), a free and independent dispute resolution service.

For more information, visit AFCA’s website: How AFCA can help small businesses and sole traders.

In addition, you can lodge a complaint about a bank that you are not a customer of if the complaint is about the bank’s actions in receiving your funds as part of a scam or about opening an account or credit facility in your name without your consent or authority (and also meets AFCA’s complaints eligibility criteria). For more information about AFCA’s jurisdiction for handling such complaints, visit Factsheet – Receiving banks and unauthorised opening of accounts (AFCA).

Warn your contacts

Warn your customers and suppliers about a scam impacting your business as soon as practicable. The warning should be prominent across all your online channels, including your website, app and social media accounts, with images of the scam emblazoned with the word FAKE or SCAM to help consumers recognise scam material. Include links to trusted websites which can provide further support and guidance, such as:

If you become aware that any customers may be or have been personally targeted by a scam, contact them directly using verified communication channels.

Unauthorised access or disclosure of personal information

If a scam incident has caused unauthorised access or disclosure of personal information that is likely to result in serious harm, you may have further mandatory reporting requirements as well as legal obligations to report a data breach to the Office of the Australian Information Commissioner (OAIC).

Seek legal advice regarding reporting obligations and review information provided by the OAIC about Notifiable Data Breaches: Notifiable data breaches.

After a scam incident you should check your account security to identify intruders and ensure control over your accounts – if you suspect or identify any accounts that have been compromised:

  • Change your password and consider use of a password manager, in line with guidance provided by the ASD’s ACSC: Password managers.
  • Enable multi-factor authentication, also as advised by the ASD’s ACSC: Multi-factor authentication.
  • Review and update your account recovery details in case scammers have changed these to regain access to your accounts in future.
  • Sign out of all other sessions and devices – depending on the type of service you are recovering, you may have an option to sign out or delete saved login details from other devices.
  • Review third party access to see if there are any third party apps or services that have access to your account that you don’t recognise, and remove that access if so.
  • Review access to your systems to restrict administrative privileges and staff access to only what they need to do their job, as advised by the ASD’s ACSC: Restricting administrative privileges and Malicious insiders.
  • Review account settings and rules in case scammers have set up rules to forward emails or calls made to your business – delete any forwarding rules you don’t recognise.
  • Secure your electronic information as recommended by the Australian Taxation Office (ATO): Security advice for tax professionals and businesses.
  • Review past activity such as transactions on your bank accounts and emails in your sent and deleted folders to see what actions scammers may have taken.
  • Review login activity regularly to see if your account is being accessed by unusual devices, at suspicious times or from strange locations.
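As an added example (not from the original page), the following Python script applies the review points above to constructed sample data: it flags sign-ins from unknown devices, outside business hours or from unexpected countries, and lists mailbox forwarding rules that send mail outside the business’s own domain. The device list, business hours, countries and domain are placeholders; real exports from a mail or identity provider will have their own format.

```python
# Added example: review constructed sign-in records and mailbox forwarding rules
# for the warning signs the checklist describes. All data below is constructed.
from datetime import datetime

KNOWN_DEVICES = {"office-laptop-01", "office-laptop-02"}   # placeholder device names
EXPECTED_COUNTRIES = {"AU"}                                 # where staff normally sign in from
BUSINESS_HOURS = range(7, 20)                               # 07:00-19:59 local time
OWN_DOMAIN = "example-business.com.au"                      # placeholder business domain

# Constructed sign-in export: time (ISO 8601 local), device name, country code.
SIGN_INS = [
    {"time": "2024-05-01T09:12:00", "device": "office-laptop-01", "country": "AU"},
    {"time": "2024-05-01T23:40:00", "device": "unknown-android", "country": "NG"},
    {"time": "2024-05-02T10:05:00", "device": "office-laptop-02", "country": "AU"},
    {"time": "2024-05-02T14:30:00", "device": "office-laptop-01", "country": "US"},
]

# Constructed mailbox rules: one legitimate internal forward, one external one.
FORWARDING_RULES = [
    {"name": "Invoices to accounts", "forward_to": "accounts@example-business.com.au"},
    {"name": "Auto-forward", "forward_to": "billing.update@mail-box.example"},
]


def review_sign_ins(sign_ins):
    """Return (record, [reasons]) for every sign-in that deserves a closer look."""
    flagged = []
    for rec in sign_ins:
        reasons = []
        when = datetime.fromisoformat(rec["time"])
        if rec["device"] not in KNOWN_DEVICES:
            reasons.append("unknown device")
        if when.hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        if rec["country"] not in EXPECTED_COUNTRIES:
            reasons.append("unexpected country " + rec["country"])
        if reasons:
            flagged.append((rec, reasons))
    return flagged


def review_forwarding_rules(rules):
    """Return rules that forward mail to an address outside the business's own domain."""
    external = []
    for rule in rules:
        domain = rule["forward_to"].rsplit("@", 1)[-1].lower()
        if domain != OWN_DOMAIN:
            external.append(rule)
    return external
```

Run `review_sign_ins(SIGN_INS)` and `review_forwarding_rules(FORWARDING_RULES)` to see which records are flagged; each flagged sign-in carries the list of reasons so the entry can be followed up rather than just counted.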

More information on how to recover from business email compromise is provided by the ASD’s ACSC: Report and recover from business email compromise.

Online impersonation scams

If a scammer is impersonating your business online, request the takedown of the scammer’s domain name, email address or social media profiles. Document the scam, including the website URL/email address/social media handle, the date when it was first discovered and screenshots, to assist with reporting it.

Report the online impersonation scam to Scamwatch. With your consent, the report may be shared with organisations to action scam minimisation practices, such as the removal of scam websites and online scam ads.

You can also report the online impersonation to the source or platform where you saw it.

You can use a WHOIS search via whois.auda.org.au for .au websites or otherwise via lookup.icann.org to find out who the registrar of the domain name is. The search results may also include a Registrar Abuse Contact Email to which a takedown request can be sent directly. If no abuse contact email is noted, search online to find the registrar’s website and look for an abuse form or contact email.

Take note of the Registrant, Registrant ID and Registrant Name if included in the WHOIS search results to note these in your takedown request, along with information about the scammer’s domain name and how it is being used.
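As an added example (not from the original page), this Python script pulls the fields named above out of a WHOIS result and assembles the notes for a takedown request, falling back to the "find the registrar’s abuse form" step when no Registrar Abuse Contact Email is listed. The WHOIS text is a constructed sample; real output from whois.auda.org.au or lookup.icann.org varies by registry and may use different field labels.

```python
# Added example: extract takedown-request details from a WHOIS result.
# SAMPLE_WHOIS is constructed; every name and address in it is a placeholder.
import re

SAMPLE_WHOIS = """\
Domain Name: example-scam-domain.com.au
Registrar Name: Example Registrar Pty Ltd
Registrar Abuse Contact Email: abuse@example-registrar.example
Registrant: Example Holdings
Registrant ID: ABN 00 000 000 000
Registrant Name: Example Holdings
Status: serverRenewProhibited
"""

# The fields the takedown steps ask you to note, in the order they will be listed.
WANTED = ("Domain Name", "Registrar Name", "Registrar Abuse Contact Email",
          "Registrant", "Registrant ID", "Registrant Name")
ABUSE_KEY = "Registrar Abuse Contact Email"


def parse_whois(text):
    """Return a dict of the WANTED 'Key: value' lines; the first value seen wins."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+?):\s*(.*?)\s*$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if key in WANTED and key not in fields and value:
            fields[key] = value
    return fields


def takedown_summary(fields):
    """Build the notes for a takedown request and decide where it should be sent."""
    notes = [f"{k}: {fields[k]}" for k in WANTED if k in fields and k != ABUSE_KEY]
    abuse = fields.get(ABUSE_KEY)
    if abuse:
        send_to = abuse
    else:
        # No abuse contact in the result: the next step is the registrar's own
        # website, where an abuse form or contact email is usually published.
        send_to = "no abuse contact listed; find the registrar's abuse form or contact email online"
    return {"send_to": send_to, "notes": notes}
```

Add your own description of how the scam domain is being used (and screenshots, dates and URLs as documented above) to the `notes` before sending.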

If the scam domain name ends in .au, you can lodge a complaint with .au Domain Administration (auDA): .au complaints.

If a scammer is using a common email provider to impersonate your business, search online to find out how to send an abuse report to the email service provider.

The ASD’s ACSC also provides information on how to Review your email account security.

If the impersonation website appears in search results, also consider reporting it to digital platforms, including:

Social media impersonation scams

If a scammer is using social media to impersonate your business, report their profile or page to the respective digital platform. The eSafety Commissioner provides information on how to report harmful content on common social media platforms: The eSafety Guide.

Support is available

Experiencing a scam can be very distressing. Support is available. If you need someone to talk to (24 hours a day, 7 days a week) contact:

Scamwatch also has resources on how to help someone who’s being scammed.

Disclaimer

The information above does not constitute legal advice and does not in any way obviate or derogate from any statutory legal obligations you have to detect, minimise and prevent scams affecting your consumers and business. The primary responsibility for legal obligations in this regard still remains with your business. We encourage you to seek your own professional advice to find out how the Corporations Act 2001 (Cth) and other applicable laws apply to you, as it is your responsibility to determine your obligations.