Below are the questions that were asked during the webinar: “Accounts payable teams are under siege by cybercrime syndicates” co-hosted with PwC on the 29th of October 2020. Our Chief Risk Officer Mark Chazan provided detailed answers.
About the webinar session
Accounts payable are constantly under siege. Remote working due to COVID-19 has further weakened IT and financial control environments, causing stress on staff and traditional payment processes. Using psychology as much as technology, fraudsters infiltrate and weaponize either suppliers’ or your colleagues’ email accounts to defraud your business. In the session, we look at how your AP and finance teams can enhance controls to mitigate risk of falling victim to cybercrime. Watch the recordings.
Through the fraudster bank account, can the police identify the real fraudster?
Unfortunately, they usually cannot be identified by the bank. External fraudsters rarely use their own bank accounts. They have various ways of getting the funds – the most common being the following:
- “Mule accounts”. They place ads in various places online or in flyers, newspapers etc. offering lucrative “work from home” jobs. They entice people by saying things like “Earn thousands of dollars a week doing a couple of hours a week working from home”. On enquiry, the applicants are told a vague story of helping their multinational company remit funds overseas as it “saves them fees” or is “more efficient for their business” or “it adds security to their processes to have independent people do this” or any other invented story. They tell the applicant that they will receive money into their account and be notified by the company when it happens. At that time, all the applicant has to do is transfer 90% of the received funds to an international account (or intermediary like PayPal) – details of which the fraudster will provide. The applicant is told that they can keep the balance (10%) as payment. Alternatively, depending on the amounts involved, they ask them to withdraw the cash at ATMs and use services like Western Union to transfer it overseas. Sometimes they just get them to transfer it to another “mule” account where funds are accumulated before being withdrawn or transferred. In other cases they produce counterfeit cheques drawn on the mule accounts that they then cash (through other “mules”).
- They compromise other people’s bank accounts with phishing attacks to get their credentials and operate those accounts to make international payments to regions where it is much easier to open up bank accounts with fake ID.
- They get malware installed on targeted accounts and then transfer the funds to those accounts. The malware sits dormant until the real user logs in to their account and the malware activates and in the background triggers an international transfer.
- In some cases they transfer the funds arriving in the compromised account to a credit card and then use that credit card for purchases of expensive items which are then sold.
- They often push the money through multiple mule accounts at multiple banks before sending overseas because it becomes more difficult to follow.
- They steal people’s identities and open accounts in their names and use those accounts.
What are the chances of recovering the money from a fraudulent payment, if the fraudster account is local/Australian based?
Usually very low. It depends on how quickly the person realises they have been defrauded. The criminals typically act very quickly to get it moved from the account it lands in to other mule accounts which then gives the fraudster more time to extract and/or send overseas.
- If the victim of fraud notifies the bank immediately and the fraudulent account is held at the same bank and the bank acts immediately, they can freeze the funds. In that case there is a reasonable chance of recovering the funds; however, it is not straightforward to do so even in this case – see below.
- If however the victim doesn’t realise within a few hours, it becomes very difficult to recover anything because by then the funds may have been moved multiple times, and with the New Payments Platform (NPP) these transfers can clear instantly (although some banks have instituted some delays for NPP payments to accounts that haven’t been paid before).
As noted above however, even if the banks are able to freeze the funds, it is often still very difficult to recover the funds due to privacy and rules around pulling funds from accounts. This manifests as follows:
- Say the victim banks at Bank A and the funds were transferred to a fraudulent account at Bank B, and assume the victim reports it to their bank (Bank A) before it is moved out/overseas from Bank B. Then in this case:
  - Bank A notifies Bank B.
  - Bank B freezes the account.
  - Bank B then needs to contact the owner of the account.
  - The owner of the account often simply ignores the request or claims the money was paid to them legitimately (especially for cases based on stolen ID).
  - If the above happens, Bank B usually cannot legally take the money back from the fraudulent account (without the account owner’s permission).
  - Bank B tells Bank A to tell the victim they need to take legal action against the holder of the account; however, due to privacy laws, Bank B is not permitted to disclose to Bank A and the victim who the holder of that account actually is. Remember the payee name the victim used is not the name of the account that the funds landed in.
  - The victim then needs to try and sue/take legal action against the party but has no way of identifying the party.
- In such circumstances banks occasionally, through a goodwill gesture, will refund some or all of the funds (depending on the relationship the bank has with the customer, whether they are an important client, whether the case is in the press, the amount in question etc.). It is important to note that the bank is not legally obliged to do this and uses its discretion in doing so.
How in Australia is a fraudster able to set up a bank account that cannot be linked back to an individual or company?
See above answers re fraudsters using Mule accounts. Additionally, ID theft has become extremely common and people open up and operate accounts online in other people’s names using their documents.
What sort of % of scams would eftsure pick up? Are there ever instances where they slip through your processes?
To date none of our customers using eftsure in accordance with our recommended best practice have ever had a scam pass through the system without eftsure picking it up and preventing the fraud. We are constantly evolving and improving the system as new threats and scams emerge in order to provide the best protection we can to our customers. It is important to note that eftsure is not designed to address every potential type of fraud or scam that people perpetrate (e.g. romance scams, share manipulation scams or numerous other types are not something that eftsure addresses). eftsure is specifically designed to protect business-to-business payments and improve the workflow and efficiency of those systems. It is a tool to augment best practice, not replace all other controls. We see eftsure as boosting an organisation’s controls from say a level of 90% effective to 99% effective in the area that eftsure operates. No tool or process will ever be 100% foolproof. Similar to antivirus programs not being able to, nor expected to, stop every possible virus, we can’t guarantee we will stop every possible fraud, but just as a responsible business wouldn’t run their computers without antivirus protection, we believe businesses shouldn’t run their payments without payment protection software.
What happens where a fraudster uses the eftsure verification platform and enters their own fraudulent details, but the real and true supplier is a new supplier and hasn’t been verified by the crowd as yet – how do new businesses get ‘started’ within the crowd and how are the fraudulent details avoided in that instance?
In the question we assume that when you refer to the fraudster using the eftsure verification platform, you are referring to them intercepting the email that went to the new business and fraudulently entering their details into our platform. In that case this is addressed in the following way:
When a company onboards a new business that is not in the crowd, they send an invite to the business (through the eftsure platform) and the recipient fills in the information in the eftsure platform. Since the supplier hasn’t previously been verified and is not in the crowd, the supplier can:
1. Choose to verify through the bank link in eftsure, where they would log in to their bank and the system will directly retrieve their BSB, account number and business name for the account from the bank. The business name will be compared to the business and trading names registered in the Australian Business Register against the relevant ABN. This ensures that the account name, number and ABN all represent the same company that our customer is onboarding.
2. Or, if the supplier doesn’t use banklink, eftsure independently sources a phone number for the business and calls the supplier to manually verify their details.
Note that in both cases our customer can include the mobile number of the new supplier they are dealing with on the invitation to the supplier. This introduces a second factor check so that when the supplier fills out the details on the eftsure portal they will be sent a one-time password by SMS to complete the submission, to prove it is the correct person filling out the form.
If in the above case the fraudster intercepted the email and was entering their details, then eftsure would pick up the fraud in the following ways:
1. The fraudster would be unable to enter the one-time password that was sent via SMS to the real supplier – in this case the real supplier is also alerted that there is something wrong.
2. If the fraudster used the banklink, the system would fail the onboarding because the business name of the account retrieved from the bank would not match the business name (or trading name) retrieved from the ABR for the legitimate supplier’s ABN.
3. If the fraudster didn’t use banklink, eftsure would independently source a phone number of the legitimate supplier and call the supplier to check – the real supplier would say the details are false.
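The decision logic of the onboarding checks just described, written out as an added example to show how the three fraud scenarios are caught; this is a hypothetical model, not eftsure’s code, and the function names, the list of legal-form words stripped before name comparison, and the constructed sample values are all assumptions:

```python
import hmac
import re
from typing import Iterable, Optional

# Hypothetical model of the onboarding checks described above; not eftsure's code.
# Legal-form words are dropped before comparison because ERP and bank records
# disagree on them far more often than on the distinctive part of a name.
LEGAL_FORM_WORDS = {"pty", "ltd", "limited", "proprietary", "co", "company"}


def normalise_name(name: str) -> str:
    """Lower-case, strip punctuation and legal-form words, collapse spaces."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in LEGAL_FORM_WORDS)


def name_matches_abr(bank_account_name: str, abr_names: Iterable[str]) -> bool:
    """True if the bank-held account name equals any business or trading name
    registered in the ABR against the supplier's ABN (after normalisation)."""
    target = normalise_name(bank_account_name)
    return any(normalise_name(n) == target for n in abr_names)


def verify_new_supplier(submission: dict, abr_names: Iterable[str],
                        otp_expected: Optional[str] = None,
                        banklink_account_name: Optional[str] = None,
                        phone_check_confirmed: Optional[bool] = None):
    """Return (accepted, reason) for a new-supplier submission.

    otp_expected: code sent by SMS to the mobile the customer put on the invite
      (None when no mobile was supplied).  banklink_account_name: account name
      the bank returned via banklink, or None for the manual (phone) path.
      phone_check_confirmed: outcome of the independently sourced phone call.
    """
    # Second factor: the code sent to the real supplier's mobile must come back.
    if otp_expected is not None and not hmac.compare_digest(
            str(submission.get("otp", "")), otp_expected):
        return False, "otp_mismatch"
    if banklink_account_name is not None:
        # Banklink path: bank-held name must match an ABR name for the ABN.
        if name_matches_abr(banklink_account_name, abr_names):
            return True, "banklink_name_match"
        return False, "banklink_name_mismatch"
    # Manual path: details are only accepted once the call confirms them.
    if phone_check_confirmed:
        return True, "phone_verified"
    return False, "phone_check_failed"
```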
Why can’t the banks put the securities in place to cross reference the payee with the bank account it is going to, when the private sector can come up with the programmes to safeguard customers?
The difficulty the banks have in doing this relates to the following:
1. The problem arose because historically people would bank cheques and the bank teller would check the identity of the payee. The back end systems in the bank were designed with an inbuilt assumption that the name check had therefore been done (i.e. the name on the cheque matched the person depositing it) and they could process payments purely on the basis of BSB and account numbers. When online banking was introduced, it used the same back end system – the assumption inherent in the back end software was therefore invalidated because nobody was checking the payee name. It was used as an informational field only. It also had relatively small limits on the number of characters that could be entered.
2. For the next 25 plus years the system proceeded on this basis with the names never being checked.
3. In the meantime, many businesses were acquired, merged, changed names, used different trading names etc. Furthermore many were owned by trusts and many names were stored in accounting systems that truncated the full name. Many names were incorrect, abbreviated, misspelt etc. This means that the data in the accounting and ERP systems of companies has numerous variations on the actual account name and often bears no resemblance at all to the official recorded bank account name that the bank has on record. Many sole trader names are joint accounts. Many businesses use factoring companies so the payer is actually legitimately paying a different company, but the name they use in the account field is the company that provided them the goods or service.
4. Each bank only has the official bank account name of the accounts held at their bank, so, e.g., if you have a Westpac account and are paying a CBA account, Westpac has no visibility of the account name held at CBA.
5. There are numerous hurdles to banks “sharing” their account names held and building a system to address this, including but not limited to:
- Privacy – disclosing to another bank the name of your bank account without explicit permission is an issue
- Competitive pressure – banks do not want to disclose their customer list to other competitors even if the privacy hurdle is overcome.
- The technology build, governance and costs in getting all banks to agree to share the data and build the system to do so is extremely expensive and politically difficult to get agreement.
- The banks are not actually liable for these frauds (it is the payer) so it is very hard to get the business case approved in each bank to justify this expensive and difficult project vs competing profitable projects.
- Unless every bank implements this, the fraudster will just use accounts at the bank(s) that aren’t participating so can’t be checked.
- Key to this is the fact that even if they did all this, it has been estimated by some banks that because of the fact that most account names in business accounting and ERP systems are incorrect (see point 3 above) if the banks rejected payments that didn’t match the official bank account name, 80% of legitimate payments would be rejected. Alternatively if they didn’t reject them and just warned the user, the user would have to make the same decision and carry the liability.
6. A system called confirmation of payee (COP) that attempts to do this check has been rolled out by a number (but not all) of banks in the UK recently. This was forced on the banks by the regulators in the UK (and took many years to achieve) and whilst it is helpful in many scenarios, they are experiencing all the issues mentioned above (plus more) and a significant number of accounts are in “don’t know” status. Furthermore, they only implemented it at the time of setting up a payment (not on every payment), which has major limitations, and additionally it was only implemented for consumer accounts. Business payee accounts are not normally set up in the banking system but rather paid in batches like in Australia, so the checks need to be done at the point of payment, but this is significantly more complex.
There are a number of other complexities (not detailed here) relating to this and as such there are no current plans for Australian banks to attempt this. eftsure uses a different approach which is a different model to the banks, i.e. eftsure’s model leverages the businesses themselves to provide the source data and then eftsure individually calls or uses our other methods to provide this verification information and, importantly, protects the business right through the payment lifecycle from onboarding through to payment. This is a completely different business model to the way the banks operate and that is why some banks instead have partnered with eftsure to recommend eftsure to their customers.
The banks open AUS bank accounts into which payments go (in my experience), so why can they not prosecute their “customer” who is the fraudster, and advise the victim of what action has been taken?
See the answer to Q1 above. In addition, when they do manage to prosecute the “customer”, the “mule” has already moved the funds overseas and no longer has them, and they are often irrecoverable. These “mules” are usually unsophisticated, inexperienced people who didn’t understand that they have been duped into money laundering. Often these are young teenagers or retirees, but it can be anybody that is taken in (either knowing something is not quite right or not realising at all).
In addition, the police advise that the banks are not cooperative or timely in getting information to the Police for their investigation.
This is also a problem but often related to Privacy restrictions too.
Are there many precedents yet about who is liable in the case of loss arising from business email compromise? The business that makes a payment in good faith in response to an email from the supplier’s own domain, or the supplier because the client didn’t make the appropriate level of checks?
There are a number of cases internationally that set the precedent that the payer is liable for the loss unless it can be shown that the legitimate recipient was knowingly involved in some way with the fraud. The onus is on the payer to ensure that they have the correct details. In Australia there are some cases slowly moving through the courts but the prevailing view is that the Payer is liable.
Are you in the USA, or will you go to the US?
We are not currently selling the solution in the US but do plan to expand there in time. Currently eftsure is available in Australia and South Africa and will shortly be available in New Zealand. We do also currently support verifying payment details for Australian companies to a number of international countries including the USA.