Paying online? Make sure you check these 3 red flags

A man holding a credit card and a mobile phone.

Online payments are a modern miracle. Gone are the days where you’d have to worry about getting your weekly takings to the bank, or making that dreaded trek from the car park to the entrance while clutching an envelope of cash. Thanks to eBanking and online invoicing, you can make payments from the comfort and safety of your desk without having to look over your shoulder.

Not only do we have access to a world of convenience in handling business finances, but in our home life and general shopping as well. Coles can deliver directly to your doorstep, video stores have been replaced with streaming services like Netflix and Stan, and you can buy virtually anything under the sun from online marketplaces like Amazon or the websites of your favourite local makers. Even if you aren’t a business owner, you’ve likely handled more than a few digital invoices or subscription fees. Whether you’re shopping, selling, or just sorting accounts, the widespread modernisation of online transactions has made them a critical tool, not only for expanding your reach but also for maximising your time and resources.

That being said, it’s easy to forget just how vulnerable you and your clients are to theft with each purchase. It’s convenient that you don’t need to go to the bank or store to make a payment, but it’s just as convenient for attackers. Thanks to digital transactions, a robber doesn’t even need to leave their home to rob you! The same online tools that make spending easier make theft easier.

All it takes is one small slip-up on the payer’s end for them to be passively hijacked in an act of cyber-theft. When this happens, not only are you losing the amount of the payment that’s been compromised, but you’re also risking much larger losses to the accounts being used for payment.

Am I about to pay a fake invoice?

One of the most common mistakes when paying an invoice is to believe that the invoice is real in the first place.

The ACCC's Scamwatch project reports Australian losses of over $4.1 million in 2018 due to fake invoice scams, and that figure covers only the people who reported their losses.

Consider the following email scenario. A supplier has emailed you saying that you’ve missed a payment, and has provided an attachment with some bank details for you to pay with. See below.

Mock email from 'The Phreshwater Guys' illustrating a possible scam email requesting payment. The sender’s name is misspelt.

Seems legit, right? Dave’s kept your office hydrated for years, he always offers good banter and you have a good business relationship. You trust him, but that doesn’t mean you can trust his emails.

This email is outside Dave’s ordinary invoicing process, which on its own raises valid suspicion. It could be legitimate, but there is absolutely no reason to trust it so far. You could check the sending address to confirm that it is Dave’s, but that wouldn’t help if an attacker has spoofed Dave’s address or intercepted a real invoice and altered the bank details.

By paying the invoice here, you could very easily be not only sending your funds to a hacker pretending to be Dave, but also providing said hacker with your payment information for further attacks and damages.

No matter how trustworthy this invoice appears, the only way to be completely safe is to call the company that sent you the reminder and verify the invoice with them before proceeding. Don’t call the number provided in the email; use a contact you already have or the number on their website. On that call, quote the account or BPAY details provided in the invoice so you can make sure they are 100% real.
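The checks described above (is the sender really the supplier, do the bank details match what you already hold, is the call-back number the one on their website) can be written down as a simple comparison against the supplier record you keep outside email. The following is an added example, not code from the original article; the supplier record, the two incoming payment requests and all of their details (names, domains, BSB and account numbers, phone numbers) are constructed for illustration.

```python
"""Flag a 'missed payment' request that deviates from the supplier record on file.

Added example. SupplierRecord holds details gathered outside email (the
supplier's website, past contracts); PaymentRequest holds what the incoming
email and its attachment claim. Every sample value below is constructed.
"""
from dataclasses import dataclass
from difflib import SequenceMatcher


@dataclass(frozen=True)
class SupplierRecord:
    name: str
    email_domain: str   # domain the supplier normally emails from
    bsb: str            # bank details you have paid successfully before
    account: str
    phone: str          # number taken from the supplier's website, never from an email


@dataclass(frozen=True)
class PaymentRequest:
    sender_name: str
    sender_email: str
    bsb: str
    account: str
    callback_phone: str  # the number the email asks you to ring


def _norm(text: str) -> str:
    """Lower-case and strip punctuation/spaces so 'The Freshwater Guys' == 'the freshwater-guys'."""
    return "".join(ch for ch in text.lower() if ch.isalnum())


def invoice_red_flags(req: PaymentRequest, known: SupplierRecord) -> list[str]:
    """Return a list of reasons to pick up the phone before paying; empty means nothing unusual."""
    flags: list[str] = []

    # 1. Sender domain: a lookalike domain is the most common way a fake invoice arrives.
    domain = req.sender_email.rsplit("@", 1)[-1].lower()
    if domain != known.email_domain.lower():
        flags.append(f"sender domain {domain!r} is not the supplier's {known.email_domain!r}")

    # 2. Sender name: distinguish a near-miss (misspelt brand) from an unrelated name.
    a, b = _norm(req.sender_name), _norm(known.name)
    if a != b:
        similarity = SequenceMatcher(None, a, b).ratio()
        if similarity >= 0.75:
            flags.append(f"sender name {req.sender_name!r} is a near-miss for {known.name!r}")
        else:
            flags.append(f"sender name {req.sender_name!r} does not match supplier {known.name!r}")

    # 3. Bank details: changed BSB/account is the actual payload of an invoice scam.
    if (req.bsb, req.account) != (known.bsb, known.account):
        flags.append("BSB/account in the invoice differ from the details on file")

    # 4. Call-back number: the email's own number would connect you to the scammer.
    if _norm(req.callback_phone) != _norm(known.phone):
        flags.append("call-back number differs from the number on the supplier's website")

    return flags


# Constructed sample data, mirroring the article's 'Phreshwater' scenario.
FRESHWATER = SupplierRecord(
    name="The Freshwater Guys",
    email_domain="freshwaterguys.example",
    bsb="123-456",
    account="12345678",
    phone="03 9000 0000",
)
SUSPECT = PaymentRequest(
    sender_name="The Phreshwater Guys",
    sender_email="dave@phreshwaterguys.example",
    bsb="654-321",
    account="87654321",
    callback_phone="03 9111 1111",
)
GENUINE = PaymentRequest(
    sender_name="The Freshwater Guys",
    sender_email="dave@freshwaterguys.example",
    bsb="123-456",
    account="12345678",
    callback_phone="03 9000 0000",
)

if __name__ == "__main__":
    for label, req in (("suspect", SUSPECT), ("genuine", GENUINE)):
        print(label, invoice_red_flags(req, FRESHWATER) or ["no red flags"])
```

The point of the comparison is that every reference value comes from somewhere other than the email being checked; an email that supplies its own "verification" number or bank details can never confirm itself.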

Is my connection private?

A private Wi-Fi network typically means your home or office internet, and it is generally safer than the alternative: public Wi-Fi.

Public Wi-Fi is any Wi-Fi connection you can use at a cafe, library, public transport hotspot or in other public areas. The problem with public Wi-Fi is that everybody knows the password to get in, meaning hackers can very easily monitor the activities of you and everyone else on the Wi-Fi network.

Any transaction you make on public Wi-Fi is passing through that network and completely interceptable by any attackers on the network.

Public Wi-Fi should only be used for soft browsing or in the case of emergencies, and should never be used to handle card or bank details. If for any reason you find yourself in a situation where you must use public Wi-Fi, here are some quick tips that will improve your safety:

  • Only use banking or payment portals that use two-factor authentication: In our recent STOP article we covered the major benefits of utilising two-factor authentication as a business. When you’re on public Wi-Fi accessing either your systems or an account with another business, using two-factor means that any hackers on the network will need more than just your password for a later attack.
  • Reset the passwords for all accounts you logged in to: Regardless of whether you were using Two-Factor, there’s a good chance that you’ve compromised the passwords of any accounts/services you used while on public Wi-Fi. The solution? Once you’re no longer using the public Wi-Fi network, change all of these passwords (starting with your email accounts) so you can recover your details from potential attackers.
  • If you have an IT team or IT provider, ask them to set up a VPN for you: We won’t get into too much detail on the technicalities of a VPN here, but in short it stands for “Virtual Private Network,” and essentially means that you’re in your own private working space even when you’re on public Wi-Fi. If you have the resources to get this set up, it’s the best way to improve your safety on any network.

Finally, regardless of whether the payment you’re making is on public Wi-Fi, you need to be asking yourself this last key question:

Is this payment portal safe? (Does it have HTTPS?)

If a website is asking for personal information or a card payment, it absolutely must be secure with HTTPS.

To check this, look at the URL of the website. This can be found in the address bar at the top of your browser. If it begins with https://, the page is secured using an SSL/TLS certificate and the traffic between you and the site is encrypted.

If it begins with only http:// or anything else, this means that you are open to potential intruders tampering with the communications between yourself and the website. Without https the website is insecure, meaning any card or personal information handed to the website can be intercepted and stolen.

It’s a small but critical difference between https and http, and that small difference in the missing “s” is where most people get caught. Before making a payment or providing personal information via any website, you need to make sure that:

  • The website address starts with https://.
  • There is a padlock on the left-most side of the address bar.

If either of these are missing, the website is both unsafe and unsuitable for handling any kind of payment.

An image showing a PayPal login screen. A red arrow with the text ‘Unsafe’ points to the website address, which shows an http prefix and an unusual version of the PayPal URL.
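The two things the image above illustrates, a missing https:// and an address that merely resembles the real PayPal address, are exactly what a reader should check in the address bar. The following added example (not code from the original article) does the same checks on a URL string: it flags a non-HTTPS scheme, a host that is not on a list of confirmed payment portals, a host that reuses a known brand name without being that site, and an address where text before an ‘@’ disguises which site the browser will actually connect to. The allowlist of known hosts is constructed for illustration; in practice it would hold the portals you have verified yourself.

```python
"""Red flags in a payment-page address. Added example; the allowlist is constructed."""
from urllib.parse import urlsplit

# Constructed allowlist: hosts the business has confirmed as genuine payment portals.
KNOWN_PAYMENT_HOSTS = {"paypal.com"}


def _is_known_host(host: str, known: set[str]) -> bool:
    """True for the host itself or a subdomain of it (www.paypal.com under paypal.com)."""
    return any(host == k or host.endswith("." + k) for k in known)


def _brand_labels(known: set[str]) -> set[str]:
    """'paypal.com' -> 'paypal': the label a lookalike domain tends to reuse."""
    return {k.split(".")[0] for k in known}


def portal_red_flags(url: str, known_hosts: set[str] = KNOWN_PAYMENT_HOSTS) -> list[str]:
    """Return the reasons not to type card details into this page; empty means it passed."""
    flags: list[str] = []
    parts = urlsplit(url.strip())

    # 1. The missing 's': anything other than https means the connection is not protected.
    scheme = parts.scheme.lower()
    if scheme != "https":
        found = scheme or "no scheme"
        flags.append(f"address does not start with https:// (found {found!r})")

    # urlsplit().hostname strips any user@ part and port, and lower-cases the result.
    host = parts.hostname or ""

    # 2. 'https://www.paypal.com@evil.example/' connects to evil.example, not PayPal.
    if parts.username is not None:
        flags.append(f"text before '@' is not the site; the browser will connect to {host!r}")

    # 3. Is the host actually a confirmed portal, a lookalike of one, or something else?
    if not host:
        flags.append("no host in address")
    elif not _is_known_host(host, known_hosts):
        if any(brand in host for brand in _brand_labels(known_hosts)):
            flags.append(f"host {host!r} imitates a known payment site but is not one")
        else:
            flags.append(f"host {host!r} is not a confirmed payment portal")

    return flags


if __name__ == "__main__":
    # Constructed sample addresses, including one shaped like the article's image.
    for sample in (
        "https://www.paypal.com/signin",
        "http://www.paypal.com.secure-login.example/signin",
        "https://www.paypal.com@evil.example/",
    ):
        print(sample, "->", portal_red_flags(sample) or ["no red flags"])
```

The host check deliberately accepts only exact matches and true subdomains of the allowlist; ‘paypal.com.secure-login.example’ ends in a different registered domain, which is why the brand-name test catches it as a lookalike rather than letting it through.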

At the end of the day, the best way to keep your funds safe is to be aware. Always ask yourself these 3 key questions before clicking “confirm purchase” and you’ll stand a much better chance of keeping your money out of the wrong hands. See below for a quick reference of those 3 key questions:

  • Am I about to pay a fake invoice?
  • Is my connection private?
  • Is this payment portal safe? (Does it have HTTPS?)

Keep these at hand and in mind whenever you make a payment. For more information about safe browsing and common payment scams, visit the Cyber Aware website or find cybersecurity resources on the Business Victoria website.