BEC Leads to ‘Serious Harm’

Australia’s Notifiable Data Breach (NDB) Scheme is designed to protect individuals whose personal information has been compromised as a result of a data breach.

Companies and not-for-profits with revenues exceeding $3 million per annum, as well as a range of other entities, are covered by the scheme. In a situation where one of these entities experiences a data breach, there are a range of steps that must be followed. Steps include notifying the Office of the Australian Information Commissioner (OAIC), as well as any individuals likely to suffer ‘serious harm’ as a result of their personal information being compromised.

But what exactly constitutes ‘serious harm’?

According to the OAIC, there is no strict definition of ‘serious harm.’ However, there are a range of factors to consider in determining whether a data breach is likely to result in ‘serious harm’ for impacted individuals.

These factors may include serious physical, psychological, emotional, financial or reputational harm.

The OAIC is now advising that Business Email Compromise (BEC) attacks may fall under the remit of the NDB Scheme.

BEC is an attack vector in which malicious actors seek to deceive Accounts Payable (AP) staff into sending payments to bank accounts controlled by the attackers. They often do this by manipulating supplier invoices.

According to advice from the OAIC, a BEC attack could also represent an incident that falls under the remit of the NDB Scheme if any malicious emails reveal the personal information of innocent third parties.

Consider the following scenario:

Through a successful phishing exercise, a malicious actor gains access to the email account of an individual in an organisation’s Accounts Receivable (AR) department.

The malicious actor uses that email account to send fake invoices to all the organisation’s clients.

However, the malicious actor’s emails also contain copies of identification documents, such as driver’s licences and passports, belonging to third parties.

The inclusion of identification documents makes this an incident that could result in ‘serious harm’ to the individuals whose driver’s licences and passports were included with the malicious emails.

As a result, a BEC attack of this nature would fall under the remit of the NDB Scheme. Both the OAIC and the individuals likely to experience ‘serious harm’ would need to be notified.

When investigating a BEC attack, CFOs also need to be on the lookout for any evidence of sensitive information being breached. As an officeholder in an entity covered by the NDB Scheme, you must be aware of your obligations to report such incidents to the OAIC and impacted third parties.

SMS Scams Soar

Following the introduction of new measures by Australian telcos to address a plague of phone scams, criminals are shifting to SMS scams in their attempts to defraud unsuspecting victims.

For some time, criminals have been implementing a range of phone scam tactics. These include deepfakes, in which the latest AI technology is used to impersonate another person over the phone. Attackers are known to impersonate an organisation’s CEO or CFO in order to trick Accounts Payable staff into making false payments.

Criminals are also manipulating phone numbers in invoices, so that when AP staff conduct call-backs, they end up verifying bank account details with the very scammers who are trying to defraud them.

According to reports, we are now seeing a surge in SMS scams.

The Reducing Scam Calls code was introduced by the Australian Communications and Media Authority (ACMA) in December 2020. It has seen telcos block over 549m scam calls since its inception.

However, according to the Communications Alliance CEO, James Stanton, the reduction in phone scams is leading to a rise in SMS scams: “The difficulty is that the scammers are incredibly agile. As soon as they see one avenue being blocked they’re very good at finding a new one to exploit. So it’s a constant car chase to try to prevent that activity.”

Data shows that SMS scams increased by 54% over the previous year.

Many of the SMS scams relate to fake crypto-investments. However, SMS scams are also routinely used in the delivery of malware.

A new code is set to be implemented later this year that will attempt to tackle SMS scams in a similar way as the scam phone call code. A draft code is now being reviewed by ACMA.

It is essential that all Accounts Payable staff are aware of the risks of SMS scams. Malware delivered via SMS can be used to access sensitive work emails stored on mobile devices. Fake payment instructions sent from spoofed numbers are also a risk. Any payment instructions sent by SMS should be carefully verified before being actioned.

BEC Ringleader Busted

In another win for international law enforcement, the ringleader of an alleged Nigerian Business Email Compromise (BEC) syndicate has been arrested.

Operation Delilah was launched in May 2021 by Interpol. Following a year-long investigation, a 37-year-old man has been charged with running a criminal syndicate tied to BEC and phishing campaigns.

According to reports, the governments of Australia, Canada, Nigeria and the U.S. assisted in the investigation, which was coordinated by Interpol’s Africa desk, dubbed the African Joint Operation against Cybercrime, or AFJOC.

The arrest was made possible thanks to extensive cooperation between law enforcement agencies and private sector cyber security companies who shared detailed threat intelligence.

Learn how CrimeStoppers is working with Interpol to try and stop global crime syndicates.

Eli Oshorov
Eli wallows neck-deep in the world of scams, digital fraud and cyber-crime, so you don't have to! By bringing you news of all the latest attack vectors, you can always stay one step ahead of malicious actors.
