Over the past eighteen months, Victorian government departments have faced a series of cyberattacks that altered vendors’ bank details held in a central database. According to a report by the Auditor-General’s Office (VAGO), there were four notifications of such changes in vendor master files.
The concerning revelation comes as part of a wider audit and report on the VIC government’s procurement processes, which concluded that, “All departments have processes for investigating fraud and corruption incidents when they have been alerted to them. But only two departments use data analytics to flag unusual or suspicious activity to proactively detect risks.”
The report further breaks down the discrepancies between departments and their anti-fraud control procedures, urging slow adopters to consider more proactive, technology-enabled ways to monitor fraud risks.
A vendor master file (VMF) is a database containing detailed information about an agency’s suppliers, including bank account details, Australian Business Numbers (ABNs), and invoice records. It’s foundational to everything from business-to-business transactions to tax and GST reporting. Most crucial to VAGO’s auditing scope is the central role that VMFs play in secure, transparent financial transactions – which is why the file needs to be protected with robust data protection policies and anti-fraud controls.
However, the recent report and the cyberattacks illustrate just how few organisations have appropriate guardrails and protections for this data. And government agencies aren’t alone – at Eftsure, we know from experience that many businesses don’t keep clean VMFs or design control procedures to keep the information secure. This isn’t because those businesses are lazy or negligent; it’s because keeping VMFs up-to-date manually is a time-consuming, labour-intensive process.
While the problem is understandable, it still creates vulnerabilities that cybercriminals are keen to exploit. Researchers have even flagged that scammers are using malicious artificial intelligence (AI) tools to alter key financial information more quickly and efficiently than ever.
So it’s no surprise that VAGO is urging VIC departments to rethink and beef up their anti-fraud procedures.
VAGO used its report to stress the importance of adopting data and analytics to detect fraud and corruption risks. According to its report, this proactive approach is already being employed by some departments but needs broader implementation across the board.
Two departments that have set an example are the Department of Jobs, Skills, Industry and Regions (DJSIR) and the Department of Transport and Planning (DTP). According to the VAGO report, these departments currently utilise data analytics to proactively identify fraud and corruption risks before awarding supplier contracts. For instance, DTP employs specialised software that verifies the legitimacy of suppliers’ details and checks bank account information against employees’ bank details. This thorough scrutiny helps to mitigate the risks of fraudulent activities.
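The kind of cross-check described above can be sketched in a few lines. This is an added example, not DTP's software or anything taken from the VAGO report: the record layout, field names and sample data are constructed assumptions. It goes slightly beyond the vendor-versus-employee comparison by also listing bank accounts shared by more than one vendor record.

```python
import re
from collections import defaultdict

# Constructed sample records; field names are assumptions, not a real VMF schema.
VENDORS = [
    {"vendor_id": "V001", "name": "Acme Civil Pty Ltd", "bsb": "063-000", "account": "1234 5678"},
    {"vendor_id": "V002", "name": "Northside Plumbing", "bsb": "082001", "account": "00998877"},
    {"vendor_id": "V003", "name": "J Smith Consulting", "bsb": "033 123", "account": "445566"},
    {"vendor_id": "V004", "name": "Acme Civil (VIC)", "bsb": "063000", "account": "12345678"},
]
EMPLOYEES = [
    {"employee_id": "E17", "name": "Jordan Smith", "bsb": "033-123", "account": "445566"},
    {"employee_id": "E42", "name": "Priya Nair", "bsb": "062-900", "account": "7654321"},
]

def bank_key(record):
    """Reduce BSB and account number to digits so formatting differences cannot hide a match."""
    bsb = re.sub(r"\D", "", record["bsb"])
    account = re.sub(r"\D", "", record["account"])
    return (bsb, account)

def vendor_employee_matches(vendors, employees):
    """Return (vendor_id, employee_id) pairs that are paid into the same bank account."""
    by_account = defaultdict(list)
    for emp in employees:
        by_account[bank_key(emp)].append(emp["employee_id"])
    return [(v["vendor_id"], emp_id)
            for v in vendors
            for emp_id in by_account.get(bank_key(v), [])]

def shared_vendor_accounts(vendors):
    """Return accounts used by more than one vendor record, for manual review."""
    by_account = defaultdict(list)
    for v in vendors:
        by_account[bank_key(v)].append(v["vendor_id"])
    return {key: ids for key, ids in by_account.items() if len(ids) > 1}

if __name__ == "__main__":
    for vendor_id, employee_id in vendor_employee_matches(VENDORS, EMPLOYEES):
        print(f"REVIEW: vendor {vendor_id} shares a bank account with employee {employee_id}")
    for (bsb, account), ids in shared_vendor_accounts(VENDORS).items():
        print(f"REVIEW: vendors {ids} share BSB {bsb} account {account}")
```

A hit from either function is a prompt for manual review rather than proof of fraud, since related entities can legitimately share an account.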
VAGO’s report recommends that all departments adopt regular data analytics reviews to assess their procurement activities for potential fraud and corruption risks. At a minimum, this involves collating and centralising data for thorough export and review processes.
The report also highlights that three departments have yet to implement a data analytics program to test their fraud and corruption vulnerabilities, with departments citing competing priorities and a lack of resources as the main obstacles.