Former Employee Charged with Fraud
Internal fraud can be notoriously difficult to catch. Staff often occupy trusted positions, with access to confidential systems. They understand how an organisation functions and where vulnerabilities exist in their internal controls.
So it was with Queensland man, James Douglas Pullen.
Over a four-month period, from September 2015 to January 2016, Pullen transferred funds 112 times from his employer, Dynamic Distribution Systems, to bank accounts he controlled. In total, he defrauded his employer to the tune of $231,411.48.
The deception was carried out by registering non-existent drivers in the company’s systems. He then generated false invoices for fictious services.
Efforts by the company to recover the stolen funds have only succeeded in recouping $35,500, leaving the company $196,072.88 out of pocket.
The clear lesson is that every organisation should have systems in place that mitigate the risks of internal fraud. Segregation of duties is a critically important control that makes internal fraud significantly harder. Additionally, eftsure’s automated solution matches your outgoing payments against our database of verified suppliers. This ensures that questionable transactions are flagged, helping you rapidly identify fraudulent activity by malicious insiders.
Property Buyers Continue to be Targeted
One thing is absolutely clear by now – scammers are continuously adapting their tactics to take advantage of any new opportunities.
With Australia’s real estate boom resulting in large sums regularly changing hands, scammers are out in force trying to defraud unsuspecting property buyers in Business Email Compromise (BEC) attacks. All too often, such scammers manage to evade capture. However, recently NSW Police succeeding in nabbing one suspect.
On September 23, a 30-year-old Ryde man was charged with defrauding a property buyer out of $783,912. The fraud was carried out by manipulating bank account details that were contained in a compromised email.
It is alleged that $500,000 of the funds were used to purchase cryptocurrency, gold bullion and other items.
NSW Police is advising people to:
- Have robust internal controls such as payment protocols that require two-person verification
- Educate staff on the prevalence and nature of BEC offending
- Be curious and challenge or verify changes to payments schedules by alternate means
- Have strong IT systems which detect malware or unauthorised access
Cyber Incidents Declining, But BEC on The Rise
In FY 2020-2021, the Australian Cyber Security Centre (ACSC) responded to 1,630 incidents, a decreased of 28% on the previous year, according to the Annual Cyber Threat Report.
Despite the improvement, one category of cyber-attack is having a greater impact on organisations: Business Email Compromise attacks. A total of 4,600 BEC incidents were reported throughout the financial year.
The report highlighted the increasing amount of financial losses related to BEC, with total BEC losses hitting $81.5 million, an increase of 15% on the previous year. Worryingly, the average loss for each successful BEC transaction jumped 54% to $50,600.
The ACSC is warning that cyber-criminal groups conducting BEC have likely become more sophisticated and organised, and these groups have developed enhanced, streamlined methods for targeting Australians. Because BEC often appears legitimate and rarely relies on malicious links or attachments, these emails can often get past security and technical controls, such as anti-virus programs and spam filters.
It highlights the importance of having controls in place to ensure you are only remitting funds to legitimate supplier bank accounts.
Watch Out for Typosquatters
Typosquatting is a practice that sees malicious actors create domain names that are almost identical to those used by legitimate organisations.
Typically, one or two characters in the domain are altered, for example replacing the letter “O” with a zero. Other tactics include creating a domain which uses a common misspelling of an organisation’s name, or using an incorrect Country Code Top Level Domain (such as .cm instead of .com).
Authorities in the United States claim to have disrupted a criminal syndicate that was engaged in sophisticated BEC attacks that made extensive use of Typosquatting.
Between 2018 and 2021, members of the group allegedly used phishing and social engineering techniques to gain unauthorised access to victim organisations’ networks and email services. Following extensive reconnaissance, they were able to identify outstanding invoices that needed to be paid.
Using Typosquatting tactics, it is claimed the group created fake email accounts purporting to belong to the suppliers who were owed funds. It is thought these email addresses were used to request updates to supplier banking details, resulting in payments being sent to bank accounts under the syndicate’s control.
Authorities claim the group targeted employees with access to company finances in order to trick them into making wire transfers to bank accounts that they thought belonged to legitimate suppliers.
It is critical that all the members of your Accounts Payable team are trained to carefully examine email addresses, particularly when the email is requesting any changes to supplier bank account details.
Having eftsure sitting on top of your accounting processes will provide you a critical last layer of protection, so even if sophisticated criminals are engaging in Typosquatting and impersonating your suppliers, you will be alerted with a Red Thumb notification that the banking details do not match with those in our database.