Accounts Payable Security Report: December 2022

Each month, the team at Eftsure monitors the headlines for the latest Accounts Payable news. We bring you all the essential learnings in our Security Report, so your Accounts Payable team can stay secure.

BEC Attackers via SMS

Business Email Compromise, as the name suggests, involves scammers gaining unauthorised access to email accounts in order to send fake payment instructions to Accounts Payable (AP) staff.

But as we know, cyber-criminals are always adapting. The latest tactic sees the scammers using SMS as a way to defraud organisations.

Security researches are seeing BEC attacks beginning with an email in which the scammer asks for the victim’s phone number. The email is typically written in a way that establishes trust with the AP staffer. The email message may also convey a sense of urgency to prompt the victim to act quickly. The scammer often says they’re in a meeting or on a conference call and can’t accept phone calls.

Once the victim has responded to the email with their mobile phone number, the cyber-criminal then segues to SMS as the primary form of communication. This makes it harder for the AP officer to scrutinise any potentially suspicious signs, such as the “From” email address.

SMS messages usually centre around a financial transaction. In one popular type of fraud, the recipient is asked to buy a gift card with the promise that they’ll be reimbursed. If this ploy succeeds, the attacker tells the victim to send them the gift card codes through a picture of the scratched-off card.

It’s vital that AP staff understand that it isn’t just email that may represent a threat. SMS messages can be just as malicious. Have controls in place, such as compulsory call-backs, prior to any funds being spent.

Fake Invoices Bypass O365 Security

Security researchers are seeing attacks in which fake invoices are being sent to AP departments, supposedly from known and trusted suppliers, that bypass Microsoft Office 365 email security systems.

Attackers gain knowledge about an organisation’s suppliers through publicly available information, in addition to compromising trusted vendor or supply chain partner accounts.

They then create a fake email that looks like it’s being sent by the supplier. The body of this malicious email usually includes the logo of the trusted vendor being impersonated. The subject line in the malicious emails read: “Please find invoice attached.” Even the “From” email address contains an invoice number, in order to increase the chances of deceiving AP staff.

Worryingly, this tactic was able to circumvent O365 email security systems.

While the goal of these attackers was to trick AP staff into opening the fake invoice so malware would execute on the victim’s computer, this tactic could equally be used to deceive the AP staffer into processing a fake payment to the criminals.

This is an important reminder that email security systems are not foolproof. They can be circumvented by sophisticated cyber-criminals. You need multiple layers of defence in place to prevent becoming a victim of cyber-crime.

Tassie Police Recover $73k

In a rare piece of good news, Tasmania Police were able to recover $73,371 that had been stolen in a BEC attack.

In November 2022, a Tasmanian business received and paid a $73k invoice.

But what the business didn’t realise was that the details in the email were intercepted and changed by the cyber-criminals. The business sent the payment to an incorrect account. It’s believed that the incorrect bank account actually belonged to a money mule.

Luckily, this business identified the theft quickly and reported it to Tasmania Police. They then worked with the victim’s financial institution and the Australian Federal Police to freeze the payment and recover the funds. However, there’s a very limited window during which it may be possible to recover the funds. Banks usually process payments within one business day.

Once the funds have been processed, recovery becomes almost impossible. That’s why preventing BEC is essential.

Detective Sergeant Paul Turner from Tasmania Police’s Serious Financial Crime team said BEC scams like these were an increasing and persistent threat worldwide.

BEC Incident Response Guide for Finance Teams

Learn how to respond to a Business Email Compromise attack by following the necessary steps.

Download the Business Email Compromise (BEC) Incident Response Guide today to strengthen the odds of recovering your funds following a BEC attack.

Download Guide