Since news broke of the Optus breach last month, many Australians have become acutely aware of the risks they face when their identity documents fall into the wrong hands. If there is a silver lining to the Optus breach, then this is it. For the first time, identity theft is a genuine, tangible concern for millions of people. They now understand how identity verification can quickly morph into identity theft.
Many Australians will now think twice before readily handing over personal information, such as their driver’s licence, Australian passport or Medicare card. The simple act of handing over 100 points of ID to anyone requesting it could set the scene for years of attempted fraud, destroyed credit ratings and financial anxiety.
Yet one fact remains: many organisations need to collect identity documents because they have a valid need to verify the identities of the people and third-party entities with whom they need to interact.
Perhaps the time has come for a new approach?
Is it time to shift away from relying on identity documents? Could there be a better way to carry out the identity verification process on an individual, or an entity, that does not rely on taking photos of documents and emailing them to strangers?
In this blog, we explore the question of identity verification in the context of Accounts Payable. In coming years, AP teams could lead the way in forging a new approach to identity verification.
Anytime we open a bank account, take out a loan, or pretty much undertake any type of financial transaction, we are asked to provide 100 points of ID.
It’s worth considering why this is the case.
The notion of 100 points of ID stems from the Financial Transactions Reports Act (1988), and the subsequent Financial Transactions Reports Regulations (1990).
The purpose of the 1988 Act, and the subsequent 1990 Regulations, was to combat financial crimes, such as fraud, whether by individuals or other entities, in Australia. Below we will consider whether our current approach is still fit for purpose, considering the fact that fraud has inexorably shifted to online environments.
The 100-point system allocates a specific number of points to different types of identity documents. Identity is verified by adding up the point value of each identity document until it surpasses 100.
Identity documents are divided into Primary and Secondary categories. Different types of documents within the Secondary category have different point values.
As you can see from this list, if the Optus hackers obtained your passport (70 points), driver’s licence (40 points) and Medicare card (25 points), they would have a total of 135 points of ID – more than enough to engage in comprehensive identity theft!
The 100-point system outlined above was developed at a time when financial crime, such as fraud, was primarily analogue.
However, we now live in a digital age.
Fraud has shifted to the online world. Cybercrime now represents a far greater threat to people and organisations. In an age of global cybercrime syndicates, it is time to seriously question whether 100 points of ID is up to the task of satisfying document verification requirements.
After all, if all our identity documents are being digitally collected and stored by a myriad of different organisations, each with varying levels of encryption and security, it stands to reason that the risk of a malicious actor gaining access to them is significantly higher. Once a criminal is armed with 100 points of ID, the path is clear for them to engage in serious cyber fraud using the victim’s identity.
The time has come for a new approach to identity verification.
When it comes to identity verification, Accounts Payable (AP) teams are particularly at risk.
In our digital economy, many AP teams are tasked with processing hundreds, if not thousands, of invoices each year. Yet, AP staff face the very difficult challenge of knowing to whom they are sending money. This is because cybercriminals regularly target AP teams by engaging in invoice manipulation scams.
They hack into email systems, identify supplier invoices, and manipulate the BSB and Account Number information in the invoices. Unsuspecting AP staff end up sending payments to bank accounts controlled by cyber fraudsters.
Even if AP staff had the resources to obtain 100 points of ID from everyone they needed to pay, how would they be able to trust that the documents were authentic? How could they be certain that the digital ID documents weren’t stolen or fabricated by the cyber fraudsters?
In theory, AP staff could request each supplier provide them with a document issued by an ADI, such as a bank, stating that the supplier is a known customer of at least twelve months’ standing. The letter could confirm their BSB and Account Number. Such a letter would be worth 40 points of ID. Once the AP team receives such a document, they could proceed with processing the invoice.
However, not only would this be highly inefficient, it wouldn’t offer any real protection. Cybercriminals could easily steal or fabricate such documents, leaving the AP team exposed to theft.
Eftsure is committed to empowering Australian organisations.
Our approach is to equip AP teams with the information they need to determine with certainty the true identity of the entities they are paying.
We don’t do this using antiquated approaches such as 100 points of ID, which was developed for a pre-digital age. We do this using our unique approach called Multi-Factor Verification.
How does Multi-Factor Verification work?
Put simply, we aggregate bank account data from thousands of Australian organisations. In fact, data from over 90% of active Australian corporate entities are aggregated into our proprietary database.
When data from multiple independent sources aligns, it provides a very strong level of assurance that the data is accurate.
In other words, when your AP team is paying a supplier, they cross-match the supplier’s bank account details against our database. In real time, your AP staff will see whether other organisations have been successfully paying the same supplier using the same banking details without encountering any problems. If so, you can rest assured that you are sending funds to a legitimate bank account.
Our approach is the way of the future for identity verification. It is not reliant on a single source of truth. Instead, it embraces a distributed approach that pulls together data from many different, independent sources.
When all the information aligns, we can have confidence that the information is accurate.
Multi-Factor Verification makes it almost impossible for cybercriminals to fraudulently assume the identity of another person or entity because identity verification no longer depends on a passport, driver’s licence or Medicare card.
Identity verification is achieved by bringing together many thousands of sources of information, which cybercriminals are powerless to steal.
To learn more about Eftsure and how we can safeguard your AP team at a time when identity theft and cyber fraud are rampant, download our Multi-Factor Verification Guide.