A CarExpert reader who is currently in the process of buying a Toyota LandCruiser 300 Series in New South Wales claims they were scammed out of $100,000.
In early December 2023, the reader received an email requesting payment of $100,000, with fraudulent BSB and account numbers attached, which they mistakenly believed to be from a Cardiff Toyota staff member.
They transferred the $100,000 in three separate payments to that fraudulent account, only to discover it wasn’t the dealer’s – at which point the reader claims Cardiff Toyota suggested their emails may have been hacked.
Scammers recently defrauded Mercedes-Benz Australia customers of more than $270,000 by intercepting email invoices and changing their BSB and account details, in what appears to be the same way.
UPDATE, 10:45am 10/01/2024 – We’ve updated the opening of the story to make clearer the fact the dealer wasn’t involved in the alleged scam, and added detail about similar scams hitting buyers of other brands.
In both cases, it’s not alleged there was a vulnerability at the carmaker’s or dealership’s end – rather, that the hackers exploited a vulnerability at the buyers’ end.
“We are advised that this customer has regrettably been the victim of an alleged cyber crime involving a phishing email that contained fake bank account details,” said a Toyota Australia spokesperson.
“The dealership has subsequently provided the customer with support, going above and beyond despite no involvement in the incident.
“We encourage our customers and the wider community to learn how to recognise and protect themselves from increasingly sophisticated scams.”
Although Cardiff Toyota is technically part of the Eagers Automotive dealer group, which was recently affected by a cyber attack, the Toyota Australia spokesperson said they “understand that this was a one-off situation against an individual customer”.
It’s understood the reader was the victim of a business email compromise scam, and such scams aren’t unique to the automotive industry.
“We’re seeing a growing number of scams featuring business email compromise (BEC) where scammers hack into email accounts and change the payment details on invoices, or request payments to new accounts,” said NAB head of fraud operations Adrian Epifano.
“Our team will always do whatever it can to get stolen money back. However, in a lot of instances, this can be extremely difficult, given the sophistication of scams and the speed at which funds are moved.
“In most cases, scammed funds are moved overseas within hours.
“In relation to this matter, the customer made several payments from December 5 and notified NAB of the suspected scam on December 7.
“Once we were advised of the scam, NAB acted quickly to put the relevant account blocks in place and try to recover funds. We have recovered approximately $43,000.
“We need to keep working as a bank, industry and nation to stop the crime before it happens. These criminals are often transnational, organised crime gangs that are operating these scams like a business. They are the same people who traffic drugs and engage in serious crime.
“NAB has a comprehensive, bank-wide strategy to improve our response to the scam epidemic targeting Australians.
“Stopping the use of links in unexpected text messages, introducing payment prompts to digital banking and blocking some payments to high-risk cryptocurrency exchanges are among recent measures introduced.
“We encourage everyone to remain vigilant. Anyone who believes they have been the victim of a scam should contact their bank immediately.”
The Australian Competition and Consumer Commission (ACCC) told 7News that between January 1, 2023 and September 30, 2023, Scamwatch received 981 business email compromise scam reports, with losses totalling around $13 million.
Customers who are paying invoices online are encouraged to confirm any online bank details either in person or over another method of communication before making payment.
As recently reported, a number of Mercedes-Benz customers in Victoria were among the latest to fall victim to business email compromise scams.
In 2021, two Tesla buyers were scammed in similar circumstances, with almost $75,000 transferred to the incorrect bank account.