Accounts Payable Security Report: April 2022

Money Mules Becoming More Active

The Australian Federal Police (AFP) is warning that money mules are becoming increasingly active now that Australia’s borders have reopened following COVID-19 related disruptions to international air travel.

The AFP is warning members of the public to remain vigilant and to be on the lookout for evidence of any indications of potential criminal activity.

Money mules play a critical role in the execution of many fraud and scams, such as Business Email Compromise (BEC). When international criminal syndicates deceive an organisation into paying an invoice into a false bank account, that false bank account is usually controlled by an Australian-based money mule. In exchange for a small portion of the stolen funds, the money mule then transfers the proceeds of crime to various offshore bank accounts, making it all but impossible for local law enforcement to retrieve the funds.

Many of the money mules recruited by criminal syndicates are foreigners who are in Australia for limited periods of time, such as international students or non-permanent residents, prompting the AFP’s heightened concern about a potential increase in fraud. Due to the critical role money mules play in facilitating BEC attacks, any increase in money mule activity would also indicate a potential spike in BEC attacks. Organisations should ensure they have appropriate risk mitigation strategies in place to protect themselves from this increasingly common attack vector.

Hybrid Work Increases Risk of Errors

A new report underscores the risks associated with hybrid work, particularly around Business Email Compromise (BEC) and phishing.

“Psychology of human error 2002” by Tessian found that BEC rates had increased since staff in many organisations transitioned to hybrid working arrangements. This rise in BEC growth rates was closely correlated with an uptick in attempted phishing. The report found more than half of employees (52%) fell for a phishing email in which a cyber-criminal impersonated a senior executive, such as the CEO or CFO, in an attempt to deceive staff into making false payments. This figure is up from 41% in the previous year.

A key driver of this security deterioration is hybrid, or remote, working arrangements. This approach to working seems to cause stress in Accounts Payable teams and affects people’s cognitive loads. This has resulted in a higher percentage of people making mistakes that compromise company security.

At the same time, phishing emails have become harder to detect as cyber-criminals have become increasingly sophisticated. Attackers are also timing their email sends during the afternoon slump, between 2pm and 6pm, when people are more likely to be tired or distracted.

The challenge for any organisation is how to maintain rigorous payment security controls whilst your staff work remotely. The key is to have a multi-layered security approach that includes ongoing staff training, comprehensive policies, and technology, like Eftsure, that prevents inevitable human error costing you dearly.

BEC Costs Exceed All Other Cyber Crimes

Business Email Compromise (BEC) costs organisations more than any other type of cyber incident according to the latest Internet Crime Report, published in the United States by the FBI.

In 2021, the FBI’s Internet Crime Complaint Centre, known as IC3, received 19,954 BEC complaints, resulting in losses of almost $2.4 billion. By contrast, there were only 3,729 reported ransomware incidents, costing just over $49 million.

Even accounting for underreporting of ransomware, it is clear the cost of BEC is staggering.

BEC is an attack vector that receives much less public exposure than ransomware, yet in many respects represents a greater threat. Organisations are much more likely to experience a BEC attack that results in substantial losses.

Meanwhile, the losses incurred from BEC continue to rise each year:

• 2019: $1.77 billion
• 2020: $1.86 billion
• 2021: $2.39 billion

The report also finds that Australia ranks fifth in the world in terms of number of victims of cyber-crime. Australia has more cyber-crime victims than many larger first-world countries, including France, Germany and Japan.

The message coming out of this landmark report is clear – all organisations must take seriously the risk posed by BEC. Failing to do so will likely result in substantial losses that could irreparably damage your organisation.

BEC Scammers Nabbed

In a rare win against the global criminal syndicates behind Business Email Compromise (BEC) attacks, 65 alleged scammers have been apprehended in the United States, Nigeria, South Africa, Canada, and Cambodia.

The FBI led a coalition of law enforcement agencies, in an operation known as Eagle Sweep, from a variety of countries to track down and arrest the suspects.

It is believed those nabbed were responsible for at least 500 separate attacks, resulting in over $51 million being stolen from unsuspecting victims.

However, it should be remembered that these arrests are just the tip of the iceberg. With BEC rates escalating exponentially, law enforcement agencies face an enormous challenge when it comes to identifying and tracking down those perpetrating these crimes.

Organisations must prioritise prevention, and not rely on the prospect of cyber-criminals being caught. This was the core message conveyed by the CEO of CrimeStoppers NSW, Peter Price AM, when he sat down with Eftsure recently to discuss the nature of global criminal syndicates.