Accounts Payable Security Report: June 2023

Each month, the team at Eftsure monitors the headlines for the latest accounts payable (AP) news. We bring you all the essential stories in our Security Report so your team can stay secure.

Scam tactic: the BEC double-up

As the end of the financial year approaches, Eftsure has detected a nearly four-fold increase in scam attempts. In each of these attempts, significant financial losses were at stake. In our discussion with Peter Price, CEO of Crime Stoppers NSW, we explored the reasons behind this surge in fraud attempts, along with the economics of organised cyber-crime.

But beware. We’re seeing increasingly clever tactics from scammers. One especially concerning instance included a double-up in business email compromise (BEC) attacks, where a malicious actor compromised email inboxes within both the target organisation and their supplier. Whereas many BECs only compromise one individual’s email and weaponise it against unsuspecting recipients, this attack saw the same malicious actor issuing a fraudulent invoice and approving it from within the target organisation.

Without Eftsure, it’s likely that the fraudulent payment would have been successfully processed. And we don’t yet know whether the growing volume and sophistication of scam attempts are unique to this EOFY period – it may be the new normal.

Scam tactic: forged verification documents

Scammers don’t need to compromise two different organisations’ systems to levy a clever attack against your company. In another fraud attempt thwarted by Eftsure, we saw the fraudster use forged bank statements and letterheads. These were convincing documents that, without additional technical and specialist controls, likely would have been enough for the target organisation to go forward with payment processing.

The important thing to remember is that cyber-criminals are often part of highly organised syndicates that boast a bevvy of white-collar expertise and understanding. Along with new tools like generative AI, it’s getting easier and faster to create persuasive corporate documentation. In other words, simply looking out for unusual emails and asking for additional evidence is no longer enough to protect your organisation from payment fraud.

Coles exec admits stealing $1.9M

External threats continue to pile up, but organisations can’t afford to ignore the possibility of insider incidents either. This fact was on stark display when a former Coles executive copped to defrauding the company of a staggering $1.9M.

As a finance executive, the employee was able to authorise payments up to $75,000, although he sometimes authorised payments as large as $400,000 by forging approval emails from a supervisor. The case’s judge called the exec’s actions “brazen” and “incredibly stupid,” but we can’t help but wonder whether the culprit would’ve gotten away with it if he had been even a little bit more discrete – the payments had gone unnoticed since 2019.

MOVEit data breach hits Medibank

The MOVEit cyber attack continues to impact organisations around the world, including ones in Australia – specifically, Medibank. After its own data breach last year, this incident does not appear to involve Medibank’s systems and the scope of exposure is still unclear.

Cyber-criminals have exploited an unidentified (“zero-day”) vulnerability in the MOVEit file-transfer software, a product sold by Progress Software to thousands of customers in the US and beyond. Only a few days after major US government agencies were impacted by the attack, staff details were compromised through Medibank Private’s building manager. This encompasses employee names, phone numbers and work email addresses.

SmartPay ransomware attack

Eftpos provider SmartPay announced that some of its customer data has been exposed in a recent cyber-attack. We don’t yet know exactly what type of data was breached, the company says it became aware of impacted systems in New Zealand around 10 June.

So far, it appears that some customers from both New Zealand and Australia are impacted. In its ASX announcement, SmartPay stressed that it doesn’t store “individual cardholder information” – however, as we’ve explored in discussions around data breaches, scammers don’t need the most sensitive financial information possible to successfully defraud your AP team.

Even getting small pieces of personal information can help them build a profile that sharpens social engineering targeting and other fraud tactics.