Online B2B payments are convenient for businesses and their suppliers, but they are also notoriously vulnerable to a range of security risks. All too often Australian organisations fall victim to fraud or internet banking scams. It’s no surprise that during the 2020-21 financial year, the ACSC observed over 67,500 cybercrime reports – many involving Payment Redirection or Business Email Compromise attacks.
For many CFOs or Accounts Payable (AP) managers, the initial response to discovering you’ve been defrauded is panic. Knowing what to do or where to get help can be bewildering. In this blog, we’ll unpack the nature of these scams and the time-critical steps you need to take to help you recover funds stolen through cyber fraud.
Many businesses make thousands of electronic payments to suppliers, vendors, and other entities. However, busy AP teams struggle to verify the BSB and Account Number of every supplier they are paying. Verifications are both time consuming and prone to errors.
Even if suppliers are verified during onboarding, malicious actors may manipulate a supplier’s banking information prior to a payment being processed. That’s why you need continuous verifications, the absence of which poses a serious security risk.
Scammers are actively seeking ways to infiltrate your email accounts, ERP systems and ABA files. That’s why it’s important to verify every transaction immediately prior to processing a payment. Scammers have an increasing array of sophisticated tools and tactics at their disposal – making the job of your AP staff harder than ever!
To combat this, organisations must implement an ongoing, continuous verification process.
It’s only a matter of time before a business that doesn’t verify B2B payments falls victim to scammers and cyber criminals. Attack vectors can include business email compromise, phishing attacks or identity theft. On a daily basis, Australian businesses are being robbed of tens of thousands of dollars due to unauthorised transactions.
Once you have identified a scam, it is critical that you immediately take action. Financial institutions have a very narrow window of time during which stolen funds can be blocked and recovered. Any delay on your part will make it impossible to recover your stolen funds. It’s essential you follow these seven steps as soon as you identify a fraud incident.
It’s important to contact your bank immediately if you have fallen victim to cyber fraud or if you suspect cyber criminals have compromised your financial information. Below are the fraud incident hotlines, so you can contact the four major banks in Australia:
Ensure you collect and document as much information as possible in the event of cyber fraud, including names, personal details, social media interactions (if any), email addresses, phone numbers, credit card information, digital currency exchanges, receipts, phone call interactions and records of other types of payments. The more detailed information you can provide your financial institution, the greater the likelihood they will be able to track down your funds.
It is also recommended by the banks that you forward suspicious email and SMS messages to your financial institution.
It is critical to understand that Australian banks don’t assume any liability for stolen electronic funds transfer payments. At best they may be able to stop and recover outgoing funds, if it isn’t too late.
Report a cyber crime to your local state/territory police immediately if the scammer has compromised sensitive financial information or stolen your money. Below are some examples of when to contact the police:
Those not directly impacted by a cyber crime, but who nonetheless have information relating to a specific incident, can report information about the fraud to Scamwatch.
You should urgently consult an I.T. professional if you suspect any suspicious activity. Your existing security tools may not be capable of detecting cyber crimes that involve deceiving your staff into processing fake payments. All too often, cyber fraud is only detected after the damage has already been done.
That’s why it is crucial to communicate with your I.T. administrator if you suspect any malicious behaviour. I.T. professionals will investigate how the cyber crime was executed, whether any email accounts are compromised, and examine logs in an attempt to pinpoint the source of the crime. Evidence will be crucial in determining whether the fraud originated internally or due to an external threat actor.
Internal threats to I.T. systems are an increasing risk for many organisations. These can occur when staff are unaware of the appropriate security measures or when malicious intent is involved. Some steps can be taken to guard against internal threats including:
Scamwatch or the Australian Cyber Security Centre might have information helping you identify the crime syndicates behind your cyber fraud, particularly if other Australian organisations have experienced similar incidents in recent times. Depending on the nature of the cyber crime, you should quickly report the incident to the relevant cyber security authorities. See below for more information on who to report to based on which cyber crime:
In Australia and New Zealand, IDCARE is the national identity and cyber support service that helps people and organisations with concerns about identity theft or cyber crime. They provide an effective response plan and mitigation when it comes to your personal information or identity being stolen.
Contact IDCARE to develop a specific response plan tailored to your situation and support you throughout the process. All contact information can be found on the IDCARE website.
Crime Stoppers Australia combats a broad spectrum of criminal behaviour, including cyber crime. Cyber crimes include internet fraud, phishing scams, identity theft, cyberstalking, and more. Crime Stoppers works with law enforcement in other jurisdictions through Interpol in an effort to track down and stop the global criminal syndicates that often perpetuate such offences.
As an independent body, they are able to assist you, and the wider community, in anonymously sharing information about crimes of concern and criminal activity.
Get in touch with Crime Stoppers Australia today to share your experience with an unsolved crime or suspected cyber criminal activity by visiting Crime Stoppers.
Having cyber liability insurance can protect your business from the aftermath of a cyber attack and data breach in certain circumstances. Reporting your situation to your cyber insurance provider will help you deal with the costs and expenses related to the attack.
Your provider can contribute to financial protection by covering:
Cyber policies will generally cover operations losses, such as business interruptions, but many will not cover cyber fraud that they deem to have occurred due to human factors. If they determine a cyber fraud incident was directly caused by human error, you may discover that your cyber insurance doesn’t cover the losses.
Recovering funds stolen through cyber fraud is, at best, a long shot.
In the aftermath of a fraud incident, you will find yourself mired in a painful process that will take months to resolve – and at the end of this process you still may not have recovered your stolen funds. Even if you report the scam as soon as possible, there’s no guarantee of a successful outcome.
That’s why preventing cyber fraud is critical.
With Eftsure sitting over your accounting processes, you no longer need to worry that supplier banking data is being manipulated. You gain the ability to securely process electronic funds transfer payments without worrying that you are inadvertently sending money to cyber criminals.
Eftsure’s unique database comprises banking data from over 90% of actively trading Australian corporate entities. This gives your AP staff an easy way to identify scams and fraud, as well as prevent erroneous payments.
Eftsure works in conjunction with your existing strong internal controls to maximise your payments security.
To learn more about Eftsure and how we can help your organisation stay protected, contact us today.
CFOs, beware: cybercriminals are exploiting DocuSign’s legitimate business tools to deliver fraudulent invoices directly through trusted channels. This scheme is particularly dangerous …
Because LinkedIn is used as a professional networking platform, account holders don’t use the same caution as they would on Facebook or …
Fraud is usually associated with deception, manipulation, and crime, but what many people don’t realize is that not all scams are illegal. …
End-to-end B2B payment protection software to mitigate the risk of payment error, fraud and cyber-crime.
