Accounts Payable Security Report: August 2023

Each month, the team at Eftsure monitors the headlines for the latest accounts payable (AP) news. We bring you all the essential stories in our Security Report so your team can stay secure.

A rise in internal fraud?

Among Eftsure’s customer base, we’ve noticed an internal fraud spike – specifically, among supplier organisations. In fact, out of all the fraud attempts we’ve detected this year, one in five were facilitated by an inside actor. This tracks with broader patterns, including a 44% increase in the frequency of reported incidents throughout 2022.

Trusted insider attacks can be devastating and are more likely to go undetected, especially if the malicious actor is diverting smaller amounts over a longer period of time. We saw this with the recent Coles case, in which an executive managed to fraudulently divert $1.9m from the organisation despite an “unusually unsophisticated” approach.

It’s uncomfortable to think that a trusted employee or contractor could perpetuate fraud against your company, but the right policies and procedures ensure that everyone has to follow steps that mitigate fraud risks.

Deepfake scam targets Facebook users

Deepfakes, an application of generative AI, are becoming increasingly difficult to detect. These hyperrealistic, manipulated images and videos are now easier to produce with the proliferation of AI tools. Sometimes they’re used for more or less benevolent reasons, like an AI-generated version of Keanu Reeves performing popular TikTok memes. But they’re increasingly used for malicious purposes.

In other words, scammers have a potent new weapon in their arsenal. That was clearer than ever when a video of UK’s consumer finance advocate, Martin Lewis, started making the rounds on social media. In it, “Martin” promoted an investment scheme endorsed by Elon Musk.

However, the video is a scam. The deepfake video, falsely portraying Lewis, has prompted the real Martin Lewis to warn the public about deepfake risks and call for greater government intervention. While this scam targeted consumers broadly via social media, AI is making it easier to customise scam attempts at scale. So what happens when it only takes a few clicks to realistically impersonate your trusted business contacts on a video chat?

MOVEit breach impacts 600 organisations worldwide

We’ve tracked the MOVEit breach in past reports, but the total fallout continues to unfold. According to a Reuters-confirmed analysis, the hack attack on Progress Software’s MOVEit file transfer program has affected over 600 organisations globally and impacted nearly 40 million people.

The cyber-crime group behind this massive breach has been proactively publicising the stolen data, as well as sharing some of the data on peer-to-peer networks. And this data was stolen from a vast range of organisations that use the compromised software, including the exposure of pension details for 15,000 clients.

As always, the proliferation of this type of data can make it easier to impersonate contacts or commit identity theft, a major threat to AP and finance teams. But it’s also a reminder of how intertwined our digital defences really are. A single software vulnerability can expose thousands of organisations and millions of individuals – something to keep in mind when considering your own organisation’s anti-fraud and security strategies.

Learning from the Microsoft Teams phishing attempts

Microsoft claims that Russia-linked hackers have been driving a phishing campaign targeting Microsoft Teams users, attempting to steal user credentials.

The attacks involve malicious actors posing as technical support, engaging users in Teams chats and trying to persuade them to approve multi-factor authentication (MFA) prompts, Microsoft researchers reported. Although affecting fewer than 40 organisations since late May, the attacks are considered “highly targeted.”

The group is using a fast-evolving strategy, including exploiting compromised Microsoft 365 accounts from small businesses to create fake domains mimicking technical support and integrating the term “microsoft.” From these domains, phishing messages were dispatched via Teams. Microsoft has since acted to block these domains and is investigating the breach’s extent.

The takeaway? MFA is a pillar of security hygiene, but no single security measure is enough to protect your organisation. Threat actors are always looking for ways to evade security controls, which is why we’ve seen an increase in strategies that involve compromising both a target organisation and their supplier organisation to bypass financial control procedures (like we described in our previous security report).

Instead, finance leaders should look for multiple layers of security, a multi-faceted strategy that establishes a variety of fail-safes throughout your financial processes.

ACCC to facilitate cross-bank collaboration on scam prevention

The Australian Australian Competition and Consumer Commission (ACCC) has granted the Australian Banking Association (ABA) and its member banks permission to collaborate on establishing an industry standard for combatting financial scams.

This conditional interim authorisation permits these institutions to discuss and develop measures that aim to detect, prevent and disrupt scams affecting Australian citizens. However, for the implementation of any resulting standards, further approval is required. Catriona Lowe, ACCC’s deputy chair, emphasised the importance of a combined effort from the government, law enforcement, and the private sector in countering increasingly sophisticated scams. The ACCC also acknowledged the federal government’s plans to introduce a cross-industry code encompassing banks, telcos and social media platforms, among others.