Accounts Payable Security Report: September 2021
Each month, the team at eftsure monitors the headlines for the latest Accounts Payable security news. We bring you all the essential learnings, so your Accounts Payable team can stay secure.
BEC Attacks Target Property Sector
The Australian Cyber Security Centre (ACSC) is warning the real estate and property sectors that they are being specifically targeted by criminal syndicates engaging in Business Email Compromise (BEC) attacks.
Reports from numerous victims indicate that the cyber criminals behind these scams are seeking to impersonate parties to a property transaction, such as real estate agents, conveyancers or mortgage lenders, by inserting illegitimate bank details into settlement or rental documentation.
Victims assume this request is legitimate and unknowingly send payments to a bank account controlled by the criminals. Successful BEC attacks can go unnoticed for weeks until the legitimate recipients follow up on a missing payment. However, by that time, the money has usually been transferred to offshore bank accounts and it is too late to recover the stolen funds.
The ACSC warns that cyber criminals are able to send fraudulent emails as a result of three main tactics:
- Hacking into legitimate email accounts.
- Spoofing domain names by registering a domain that is similar to a legitimate company’s domain (typically by swapping letters or adding additional characters).
- Creating email addresses with Gmail, Yahoo or Outlook that use the legitimate business name. At a quick glance, an email address may look legitimate, even though it is actually being operated by a criminal.
Any property settlement agent or lawyer should act with extreme caution when updating bank account details, particularly before updating Property Exchange Australia (PEXA), the online service that deals with property transactions. There is a strong risk that incorrect banking details in PEXA will result in a property buyer sending funds to a criminal’s bank account when settling on a property. Such funds may not be recoverable.
To mitigate this risk, the ACSC urges all those in the property sector to carefully verify all payment details whenever a party to a transaction requests to update their banking details. Particular vigilance is required if such requests are made via email and are received during the settlement period.
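As an added example that is not part of the eftsure report, the following Python script applies the three ACSC tactics above to the From: header of an email requesting a change of bank details: a sender from a verified supplier domain passes (a hacked genuine account can only be caught by out-of-band verification), a lookalike domain within a couple of character edits of a known supplier is flagged, and a Gmail/Yahoo/Outlook address carrying a supplier's name is flagged. The supplier names, domains and sample headers are constructed for illustration and are not real organisations.

```python
"""Screen the From: header of a bank-detail-change request against the vendor master file.

Added example, not code from the original report. SUPPLIERS, the sample headers and
the freemail list are constructed for illustration.
"""
import re
from email.utils import parseaddr

# Constructed vendor master file: supplier display name -> verified email domain
SUPPLIERS = {
    "Acme Conveyancing": "acmeconveyancing.com.au",
    "Harbour Realty": "harbourrealty.com.au",
}

# Consumer webmail providers (tactic 3): a supplier "moving" to one of these is a red flag
FREEMAIL_PROVIDERS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Domains within this many single-character edits of a known domain count as lookalikes (tactic 2)
LOOKALIKE_MAX_DISTANCE = 2


def levenshtein(a: str, b: str) -> int:
    """Edit distance: swapped, inserted or deleted characters needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _normalise(text: str) -> str:
    """Lower-case and strip punctuation so 'Acme Conveyancing' matches 'acme.conveyancing'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def screen_sender(from_header: str) -> list:
    """Return the reasons this sender is suspect; an empty list means no automatic flag.

    An empty list is not a clearance: tactic 1 (a hacked legitimate account) produces a
    perfectly genuine-looking domain, so the change must still be verified out of band.
    """
    display_name, address = parseaddr(from_header)
    if "@" not in address:
        return ["unparseable sender address"]
    local_part, domain = address.rsplit("@", 1)
    domain = domain.lower()
    reasons = []

    if domain in SUPPLIERS.values():
        return reasons  # exact match with the vendor master file

    if domain in FREEMAIL_PROVIDERS:
        # Does the display name or mailbox name borrow a supplier's name?
        claimed = [n for n in SUPPLIERS if _normalise(n) in _normalise(display_name + local_part)]
        if claimed:
            reasons.append(f"freemail address {address!r} presents as {claimed[0]!r}")
        else:
            reasons.append(f"payment-change request sent from consumer webmail {domain!r}")
        return reasons

    for name, known in SUPPLIERS.items():
        dist = levenshtein(domain, known)
        if dist <= LOOKALIKE_MAX_DISTANCE:
            reasons.append(f"lookalike domain {domain!r} is {dist} edit(s) from {known!r} ({name})")
    if not reasons:
        reasons.append(f"sender domain {domain!r} is not in the vendor master file")
    return reasons


if __name__ == "__main__":
    # Constructed sample headers: one clean, one per ACSC tactic that the screen can see
    samples = [
        "Acme Conveyancing <settlements@acmeconveyancing.com.au>",
        "Acme Conveyancing <settlements@acmeconveyancinq.com.au>",
        "Acme Conveyancing <acme.conveyancing@gmail.com>",
        "Harbour Realty <trust@harbour-realty.com.au>",
    ]
    for header in samples:
        print(header, "->", screen_sender(header) or ["no automatic flag; verify out of band"])
```

The screen only sorts requests into "obviously suspect" and "needs verification"; it never approves a change on its own. Pair it with the verification the ACSC and NSW Police describe, calling a number taken from the vendor master file rather than from the invoice or the email, since a call-back to a number supplied by the requester reaches whoever the criminals have recruited to answer it.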
Police Advocate Two-Step Verification
On 24 August, NSW Cybercrime Squad charged a 42-year-old woman over her alleged involvement in a $53,000 email scam.
In April this year, police were notified that funds intended to be used for the purchase of a vehicle had been erroneously sent to an incorrect bank account. The bank account details had been sourced from an email. Following investigations, it was revealed that the email had been manipulated by criminals.
The woman was charged with recklessly dealing with the proceeds of crime and dishonestly obtaining financial advantage by deception. Police allege she used the funds to purchase gold bullion and other items, presumably in an attempt to mask the source of the funds.
Police are urging all members of the community to adopt two-step verification methods whenever transferring funds. This is critical to ensure the payment details you are using are accurate and have not been tampered with.
Call-Back Controls Are Not Enough
Whilst research shows that the majority of BEC scammers are located overseas, particularly in West Africa, conducting successful attacks in countries such as Australia usually requires onshore accomplices.
Most attention has focused on the role of Money Mules in carrying out BEC attacks. In exchange for a commission, a Money Mule allows their local bank account to be used to receive stolen funds before the money is transferred to the offshore criminals.
However, another way in which locals can help facilitate global fraud syndicates is by acting as the scammer’s mouthpiece.
Reports indicate fraudsters are using online forums to recruit native English speakers. This matters because an Accounts Payable team will often have call-back controls in place whenever a supplier requests that their bank account details be updated. The foreign criminals can manipulate the bank account details and phone numbers in invoices, but when the AP clerk calls to verify the new bank details, their suspicions are likely to be aroused if they end up speaking to someone with a Nigerian accent.
The native English-speakers are also being used to draft email communications that scammers send to their target victims, ensuring that the language is grammatically correct.
The lesson for any Accounts Payable team is clear – just because you communicate with someone possessing an Australian accent when conducting a call-back, do not assume that they are not a front for foreign criminals. Call-back controls, though important, are not sufficient to ensure you are not the victim of a BEC scam. Additional verification is required to guarantee secure payments.
Students Targeted to Become Money Mules
Reports indicate that a Nigeria-based criminal group is posing as a consulting company in order to lure university students with work-from-home job offers via phishing emails. The work would require the students to cash cheques in exchange for a commission.
According to Mimecast researchers, this attack comprises two parts. Firstly, the scammers compromise student email accounts through phishing attacks. Secondly, they email the job offer to the compromised student’s address book, which could include friends, professors, or other staff at the university.
Because the recipients of the emails see that the sender is a contact of theirs from the same university, they are more likely to open and engage with the email.
The job-offer emails contain a link to a Google Form, which they need to complete as part of the application process. The recipient is asked to fill out personal information, including an alternative, non-academic email address. This gives the scammers access to other targets outside the university.
Many of those who apply for these jobs may be unaware that they are being used as Money Mules and are facilitating criminal syndicates. This could result in the student being charged as an accomplice to the crime.
It is critical that if an unknown party asks you to receive funds on their behalf, you act with extreme caution. Whilst this may seem like an innocent act, it can result in you unknowingly aiding and abetting a crime, which has significant legal consequences.