Each month, the team at eftsure monitors the headlines for the latest cyber & accounts payable news. We bring you essential learnings in our Accounts Payable Security Report to help your organisation manage payments securely.
Australian businesses are confronting a dramatic five-fold increase in year-to-date payment redirection scams, compared to the same period last year.
These statistics are based on reports to the Australian Competition and Consumer Commission’s ScamWatch.
In payment redirection scams, such as Business Email Compromise (BEC) attacks, fraudsters impersonate a business or its employees via e-mail. They then request that money, which usually is owed to a legitimate supplier, is sent to the fraudster’s account.
To counter the rising tide of payment scams, the ACCC urges all organisations to ensure their staff, particularly junior staff, are aware of the threat.
“Payment redirection scams impact businesses across many industries, including real estate, construction, law, recruitment, and universities,” ACCC Deputy Chair Delia Rickard said.
“Scammers tend to target new or junior employees, or even volunteers, as they are less likely to be familiar with their employer’s finance processes or the types of requests to expect from their supervisors.”
“We recommend organisations ensure their staff are well trained in the company’s payment processes and remain aware of payment redirection scams,” Ms Rickard said.
Invoice manipulation not only costs victims substantial amounts of money. It can also severely damage a business’s reputation.
Recently, a number of Tesla customers were sent invoices via e-mail for the purchase of electric vehicles. In one instance, Perth resident, Andrea Hammond, was e-mailed an invoice to pay $74,647.62.
What Andrea did not realise was that the e-mail from Tesla had been intercepted by hackers, who had altered the bank account details in the invoice. Once she’d paid the money to the fraudulent bank account instead of Tesla, there was no way for Andrea to recover the funds.
“I absolutely cannot understand why Tesla don’t do the invoicing in the payment system through a secure website,” Andrea said. “Instead, I was sent an unsecured, editable invoice that anybody could get into and change the numbers, so the hackers didn’t have to create a new invoice”.
Brand reputation is a critical asset for any organisation. When your customers, suppliers or other commercial partners experience payment fraud due to avoidable scams, it can severely undermine your brand reputation that you’ve spent years building.
Don’t assume that e-mail security technologies in your environment will protect your organisation from sophisticated scammers. Recent cases have highlighted the fact that e-mail security technologies, many of which claim to block Business Email Compromise (BEC) scams, may be vulnerable to hackers.
SonicWall Email Security is a platform that claims to protect e-mail traffic and communications by preventing phishing and BEC attempts.
In late April 2021, three separate zero day vulnerabilities were identified in the platform that were being actively exploited by hackers. A zero day is a vulnerability that had previously not been identified.
The three vulnerabilities could allow a malicious actor to create unauthorised admin accounts, read files from a remote host or upload arbitrary files to the application.
According to security researchers, the vulnerabilities have been exploited in an attack chain to obtain administrative access and to execute code on vulnerable SonicWalls products, including the installation of a backdoor, file exposure, and to achieve lateral network movement.
With such access, it would be easy for attackers to manipulate the supplier banking details in your systems, paving the way for payment fraud.
Your staff may be your most significant fraud challenge.
That’s the key takeaway from a survey of over 70 businesses by KPMG in which 62% of respondents identified insider threats, mostly from employees, as their most significant fraud challenge.
Whilst 72% believe the risk of fraud increased with staff working from home during the pandemic, many believe fraud will continue to be a problem even when staff return to the office.
An overwhelming 92% also believe that cyber-related fraud represented the biggest challenge.
Everybody likes to think they can trust their employees. However, the reality is that cases of employees engaging in cyber-fraud against their organisation do occur from time to time.
With eftsure in place, your organisation can mitigate the risks posed by insider threats. Not only will you be able to ensure that EFT payments are directed to intended recipients, but you will also be able to maintain comprehensive audit trails of all activities to easily identify malicious internal activities.
Whilst ransomware dominates cyber news, Business Email Compromise (BEC) actually costs organisations much more.
That’s the finding of the FBI’s recent “Internet Crime Report“, which found that the cost of BEC attacks in the United States alone amounted to $1.8 billion in 2020. By contrast, the cost of ransomware over the same time was just $30 million.
The report notes that this ransomware figure only relates to the actual cost of ransoms paid, and not any other associated costs such as lost business and damage to ICT systems. Furthermore, not all ransom payments are reported to the FBI.
The FBI also reports 19,369 BEC victims in 2020, versus 2,474 ransomware victims.
The report also found that whilst the overall number of BEC victims was down on the previous year, the costs actually rose. This indicates that scammers are being more discerning in targeting high-value victims.
This report serves as an important reminder that organisations must not neglect having appropriate measures in place to protect themselves from the threat of BEC attacks.