Each month, the team at Eftsure monitors the headlines for the latest Accounts Payable security news. We bring you all the essential learnings, so your Accounts Payable team can stay secure.
Cyber Insurance – Back in the Headlines
As the costs of cybercrime increase exponentially, and more organizations find themselves targeted, many are turning to cyber insurance to help limit the financial damage. It is estimated that between 15 and 20 percent of small businesses are now covered by cyber insurance, and up to 70 percent of larger ASX-listed firms.
However, cyber insurers often struggle to accurately price cyber risk, given they lack long-term data. In Australia, cyber insurance premiums have gone up between 50 and 150 percent over the past 12 months, after the proliferation in ransomware attacks caused losses to multiply.
To limit their liability, many insurers have introduced limits on payouts and created eligibility criteria to ensure policyholders have basic defenses in place, such as multi-factor authentication, data backups, and staff training.
In fact, many organizations take up cyber insurance without having a full understanding of what it actually covers, until a cyberattack occurs.
In many cases, cyber insurance will cover losses from Business Email Compromise (BEC); however, coverage is often limited to the losses incurred by the actual policyholder, rather than their customers or counterparties.
So, for example, if a vendor’s email system is compromised, resulting in a false invoice being sent to one of their customers, and the customer loses funds by paying the false invoice, the vendor’s cyber insurance may not cover the losses incurred by the customer.
Businesses must be vigilant about reading the fine print within their cyber insurance policies to understand what is not fully covered, particularly in scenarios where liability may not be clear.
With so much uncertainty around cyber risk, all organizations must prioritize prevention as the most effective way to limit substantial financial and reputational harm.
Internal Invoice Fraud
Processing invoices for goods your organization has purchased is relatively straightforward. After all, it is possible to physically confirm that the procured goods have been delivered prior to making a payment.
However, when it comes to paying for services, things can get trickier. It is much more difficult to verify that services have in fact been rendered, opening opportunities for malicious insiders to submit false invoices.
A California hospital has initiated legal action against a former maintenance worker for submitting false invoices for a range of services. Palmdale Regional Medical Centre is accusing former employee, Scott Finstein, of fraud and breach of duty of loyalty, among other charges.
From 2008 to 2019, Finstein was director of plant operations at Palmdale. His responsibilities included coordinating and overseeing construction and maintenance work performed by outside contractors. It is alleged that he engaged in a scheme in which he approved invoices for payments exceeding $660,000 to vendors who hadn’t performed the services listed in the invoices.
This case serves as a reminder of the need for robust controls when it comes to processing invoices for services rendered.
Read more about securely processing invoices for services rendered.
BEC Leads to Data Breach
Business Email Compromise (BEC) is one of the main tactics used by cybercriminals to steal funds. It is also emerging that attackers are using BEC as a vehicle to compromise an organization’s critical data.
Monongalia Health System Inc. is a company that runs three hospitals in the United States. It was recently struck by a BEC attack in which unauthorized individuals gained access to a contractor’s email account and sent emails from the account to obtain funds through fraudulent wire transfers.
In addition to the payment redirection, the attackers were able to access personally identifiable information contained in emails. Details stolen included health plan information and claims, addresses, dates of birth, patient account numbers, medical record numbers, dates of service, provider names, claims information, and other medical information.
With health data among the most valuable on the dark web, it’s not surprising that cybercriminals are motivated to steal such information in addition to launching payment redirection scams.
This incident is another reminder that finance executives need to coordinate closely with their organization’s cybersecurity and IT teams. Working together to strengthen email security controls is essential to reduce the risk of a BEC attack, which can result in substantial financial losses as well as critical data breaches.
Sydney Woman Charged Over Role in $1m BEC Scam
Catching the perpetrators of Business Email Compromise (BEC) scams can be notoriously difficult. All too often the proceeds of such crimes pass through the bank accounts of multiple money mules, before being converted into cryptocurrencies or transferred offshore.
In a rare piece of good news, NSW Police believe they have identified one Sydney woman who participated in a $1 million BEC scam.
Last year, an ACT woman allegedly deposited more than $1 million into a fraudulent bank account when settling on a property she had purchased. Following Cybercrime Squad investigations, it was revealed that the payment details had been sourced from an email that had been sent from a compromised email account belonging to the woman’s lawyer.
Cybercrime Squad Commander, Detective Superintendent Matthew Craft, said people must remain vigilant when conducting transactions online.
“Get in the habit of checking the email address, URL, and spelling used in all correspondence and heavily scrutinize all transactions that you make online,” Det Supt Craft said.
“BEC scams aren’t easy to detect because the invoices for clients and contractors often use the desired recipient's branding but contain altered banking details.
“To avoid being scammed, people should use two-step verification methods where appropriate, and regularly update and maintain strong passwords,” Det Supt Craft said.
Essential Procure-to-Pay Checklist for AP Teams
Secure your Accounts Payable process with our 8-step Checklist.
Following these 8 steps throughout the Procure-to-Pay lifecycle will help protect your organization from falling victim to invoice fraud, as well as erroneous payments.