Accounts Payable Security Report: January 2023

Each month, the team at Eftsure monitors the headlines for the latest Accounts Payable news. We bring you all the essential learnings in our Security Report, so your Accounts Payable team can stay secure.

Aussie Farmers Targeted with Fake Invoices

In recent months, businesses have been losing massive amounts of money due to email scams – often hundreds of thousands of dollars, according to Sarah Gee from Curium Legal.

While many business owners assume their cyber insurance will cover the losses, often that’s not the case. All too often, gaps in cyber insurance policies mean that losses due to manipulated invoices aren’t covered.

Many insurance providers don’t consider such losses to be the result of a cyber-attack, even though breaching an email account is usually involved. Instead, they place the onus on the organisation that paid the funds into the fraudulent bank account, since proper verification procedures weren’t followed prior to transferring the funds.

In the latest twist, fraudsters seem to be deliberately targeting Australian farmers with invoice scams. When Victorian farmer Rebecca Hamilton received an invoice for $24,000 from a regular supplier, she was surprised to see that the bank account details were different.

Thankfully, Hamilton had the good sense to conduct a call-back to verify whether the supplier had indeed changed their bank account details. They denied they had made any changes. Hamilton immediately realised that the invoice had been tampered and stopped payment.

With cyber insurance providers unlikely to cover such losses, organisations increasingly need to ensure they always conduct call-backs any time a supplier requests to change their bank account details via email.

Learn how to conduct call-back controls correctly.

$3.3 Million Allegedly Defrauded by Malicious Insider

Malicious insiders know your organisation’s internal controls – and how to circumvent them. This makes fraud by trusted insiders notoriously difficult to prevent.

Creative Promotions, a Sydney-based firm specialising in branded corporate merchandise, is alleging that one of its former employees submitted fake and inflated invoices on behalf of China-based manufacturers. The company alleges that the scam was perpetrated over many years, netting the former employee over $3.3 million.

Fake invoices would be submitted to Creative Promotions, who would pay them into a Bank of China account that was in the name of an individual – and individual who wasn’t listed as one of the firm’s suppliers. Ostensibly, these funds would then be transferred to a bank account in Australia in the name of the wife of the former employee.

Further, inflated invoices would be submitted on behalf of genuine China-based suppliers. The former employee would then advise the supplier that they were erroneously overpaid, and the difference should be transferred back to the Australian bank account in his wife’s name.

Based on the information currently available about this case, it appears Creative Promotions might not have had enough robust controls throughout its procure-to-pay process.

All organisations should implement three-way matching for invoices before any payment is processed. Every invoice should be checked against the purchase order and the receiving report. This helps ensure an invoice is both legitimate and accurate. It will help you identify any potential manipulation of an invoice, including inflated, duplicate and fake invoices.

Learn how to secure your entire Procure-to-Pay process.

Watch Out for Phone Number Spoofing

On 3 December last year, a West Australian teenager received an alarming text message that an unknown individual was attempting to transfer funds out of her NAB account.

The text message seemed authentic – it appeared to have been sent from the same phone number NAB had previously used when contacting the teenager in the past.

The message appeared in the same thread as the previous SMS messages from NAB. The message urged the teenager to immediately phone the bank on a toll-free number to stop the unauthorised transfer. The unsuspecting teenager complied with the directive in the SMS message.

Following a conversation with someone she thought was a bank representative, the teenager transferred all her funds into a new bank account – all to safeguard the money from the unknown individual trying to rob her.

The fake bank representative, who spoke with an English accent, provided a BSB and account number. The teenager immediately transferred all her funds across to this new account. Only after the phone call with the fake bank representative ended, did the teenager think to check the BSB – leading her to discover that she had transferred all her savings into a Commonwealth Bank account.

The teenager had been scammed out of all her life savings: $36,561.37.

Neither NAB, nor Commonwealth Bank, have been able to recover the stolen funds.

The teenager was a victim of a technique known as spoofing. Increasingly, cyber-criminals resort to spoofing in order to appear legitimate and deceive their targets. Phone number spoofing sees the scammers hide their phone number behind the phone number of a legitimate organisation. This fools people into thinking they are communicating with a trusted entity.

It’s vital that all Accounts Payable (AP) staff understand the risks associated with inbound communications, whether by email, SMS or phone calls. Cyber-criminals are increasingly adept at hiding their true identity. As a default, they shouldn’t trust inbound communications.

Before acting on any information received via inbound communications, your AP staff should always look up an entity’s legitimate phone number by visiting their official website. Then call the entity and confirm whether the information sent to your organisation is legitimate or not.