Accounts Payable Security Report: July 2022

Stepping Up Fight Against SMS Scams

A long-awaited code requiring telcos to step up their fight against SMS scams is now in force.

The “Reducing Scam Calls and Scam Short Messages Code” requires telecommunications companies to identify, trace, and block SMS scams.

The new code, developed following extensive industry consultations, is now being enforced by industry regulator, the Australian Communications and Media Authority (ACMA).

“SMS scams can be highly sophisticated and have devastating financial and emotional impacts for victims,” ACMA chair Nerida O’Loughlin said.

A recent report from Scamwatch highlights this trend. Between 1 January 2021 and 19 September 2021, Australians lost over $63.6 million due to phone call scams. In dollar terms, this represents almost one third of all scams reported to Scamwatch during the period.

Sophisticated cyber criminals have the ability to spoof legitimate phone numbers. This technique has been used by fraudsters to deceive Accounts Payable teams into thinking their company’s CEO or CFO is sending them instructions to process payments.

Despite efforts to block scam SMS messages, AP teams should never assume that a phone or SMS message is legitimate. A call-back should always be initiated before any payments are processed to verify the authenticity of the message.

New Security Hub for SMEs

Industry body, CA ANC (Chartered Accountants – Australia New Zealand) is stepping up to assist small and medium businesses in their fight against cyber-crime.

Its new cyber-security hub aims to help SMEs prevent, prepare for – and if it happens – recover from cyber-attacks.

“Attempted robbery, blackmail and fraud have always been a big issue for small businesses, but these days criminals are trying to get in via the laptop rather than the back door,” said Ainslie van Onselen, CEO of CA ANZ.

“When it comes to cyber-crime, it’s a matter of when, not if, someone will try something against your business.”

CA ANZ’s new cyber-security hub will help SMEs assess risk and create a cyber plan, focusing on:

1. Application whitelisting – allow only trusted software to operate
2. Patch applications – security vulnerabilities fixed within 48 hours
3. Configure Microsoft Office – block macros from the internet or those that are unapproved
4. User application hardening – configure all users’ software to enhance security
5. Restrict administrative privileges – to operating systems and applications to few users
6. Patch operating systems – patch devices rapidly with extreme risk vulnerabilities
7. Multifactor authentication – to access all networks and cloud apps and services
8. Daily data backups – backup important new or changed data and test recovery

This important new initiative from CA ANZ promises to be a significant help for many SMEs. However, given that Business Email Compromise is the most prevalent type of cyber-crime, any cyber-security planning should also include specific measures to mitigate the risk of misdirected payments.

Vishing Scams on the Rise

Scammers never rest on their laurels. Now researchers are seeing them resort to a new type of attack technique – voice-based phishing attacks known as “vishing.”

In this attack vector, scammers send false invoices via email. In the email, the scammers falsely claim that a credit card has been charged for a fictitious purchase order (PO). The email recipient is instructed to call a phone number should they wish to dispute the charge.

Once the target calls, they are asked for bank account information, login credentials, or other personally identifiable information.

The scammers are known to impersonate major IT companies including Amazon, Apple, PayPal, and McAfee in their emails. They are known to use the QuickBooks’ free 30-day trial offer to set up fake accounts from which to send the fraudulent emails, thereby evading most detection tools.

To prevent falling victim to such scams, it’s critical to independently source any phone number for any organisation you need to call in order to verify any transactions. Never rely on phone numbers contained in emails, as the email may not be legitimate.

Read our guide to call-backs to learn more.

Payment Fraud to Exceed $343B

The cost of global online payment fraud is expected to soar to over $343 Billion over the next five years, according to a recent report by Juniper Research.

Online payment fraud attacks can include phishing, Business Email Compromise and socially engineered fraud.

According to the report, online payment fraud losses are being driven by fraudster innovation in areas such as account takeover fraud, where a user’s account is hijacked. This is despite the wide employment of identity verification measures.

Click here to learn how you can prevent account takeover, or ATO, fraud.

The research found that in order to combat rising fraud, organisations must implement the right mix of verification tools. A defence-in-depth approach, in which multiple layers of security controls are in place, remains the best strategy for protecting your organisation.