Accounts Payable Security Report: July 2023

Each month, the team at Eftsure monitors the headlines for the latest accounts payable (AP) news. We bring you all the essential stories in our Security Report so your team can stay secure.

Dissecting a $55k BEC attack

Watch out for business email compromise (BEC) attacks that intercept legitimate supplier payment invoices. Eftsure recently blocked an attack in which the malicious actor compromised a supplier’s inbox and then waited for them to send a legitimate invoice for $55,000 to the target organisation.

At this point, the fraudster began impersonating the supplier, telling the target organisation that the previous invoice was wrong and to pay into a new account because the other account was being audited. While Eftsure was able to detect the scam attempt and stop the target organisation from paying into the fraudulent account, it’s another example of a seemingly legitimate conversation being stealthily hijacked by a malicious actor.

Unfortunately, it’s no longer sufficient to just keep an eye out for dodgy, typo-riddled messages or fake email addresses. Teams can no longer assume that emails or phone calls are legitimate, even when they’re coming from a trusted contact. Instead, leaders will need to fortify controls and find scalable ways to get multiple pieces of verification.

Data revealed in Perpetual cyber-incident

Last month, fund manager Perpetual Limited revealed that a security incident involving a third-party provider had disrupted customer-facing services throughout June. The AFR first reported the outage, revealing that about 45,000 clients were impacted. In a later statement, Perpetual said an incident involving “unauthorised access” had affected its registry provider’s system.

Now, the organisation says that, despite most client data remaining encrypted, certain personal information was accessed. The breached data comprises two separate files – one containing names and addresses, and another with anonymous bank account details. Perpetual has responded by temporarily taking some of its core systems offline as a preventative measure.

AP teams should take notice any time personal information is breached, especially data that might relate to finances or banking. As we’ve explored in previous webinars, the more data traded on the dark web, the more easily scammers can forge evidence to dupe your employees and move ill-gotten funds across multiple accounts.

Accountant charged in $26m fraud

Sometimes leaders discount the possibility of insider threats, ignoring that many organised crime syndicates specifically target white-collar professionals to help facilitate crime. A recent case might be another example of this.

A NSW accountant has been charged following an investigation into a large-scale tax fraud and proceeds of crime offences, totaling $26 million. The probe led to the arrest of a 36-year-old man and a 25-year-old woman. Police also allege the man had connections with organised criminal networks.

The man faces 16 charges, including 14 counts of dishonestly obtaining a financial advantage by deception, knowingly dealing with proceeds of crime, and drug possession. He has been denied bail and is set to appear in Penrith Local Court. The police allege that the man defrauded clients to fund a lavish lifestyle and that the woman tried to hide the misconduct.

New Anti-Scam Centre tackles investment scams

As we’ve reported previously, the Federal Government has established a new National Anti-Scam Centre. Designed to combat scams and online fraud, the centre is launching a ‘fusion cell’ taskforce to reduce financial losses due to investment scams, which reportedly amount to $1 billion annually.

Spearheaded by the Australia Competition and Consumer Commission (ACCC) and the Australian Securities and Investments Commission (ASIC), the task force includes representatives from banks, telecoms and digital platforms. The team has been given six months to devise immediate actions to address the issue.

This initiative is part of an $86.5 million package introduced in the May federal budget, which allocated $58 million for the establishment of the National Anti-Scam Centre and the creation of ‘fusion cells’ to tackle specific scams.

Ventia cyber-incident under investigation

Ventia, which specialises in the long-term operation, maintenance, and management of critical public and private assets and infrastructure, experienced a weekend cybersecurity incident and took several key systems offline. Now, the company says it has re-enabled some key internal systems, while additional external-facing networks are being progressively restored as part of their assurance process.

Currently, investigations are underway to determine if the cyber attack resulted in any leakage of sensitive data. Ventia has long-term services agreements with organisations like NBN Co and major toll road operators, including a $229 million contract with the Western Australian government.