Accounts Payable Security Report May 2023

Each month, the team at Eftsure monitors headlines for the latest accounts payable (AP) news. We bring you all the essential stories in our Security Report so your team can stay secure.

Beware the “VIP invoice authentication” tactic

A payment fraud tactic is gaining steam among scammers. Rather than just hijacking existing email threads, fraudsters are creating new ones that look and sound like they’re from the recipient’s bosses. 

The tactic starts with a finance or AP employee receiving an emailed payment request and an invoice from a trusted supplier – crucially, a senior executive from the employee’s organisation will be CC’d on the email. Then the exec responds within the chain and asks the employee to prioritise the payment. But a closer look at the email addresses reveals that the entire “conversation” has been fabricated and the accounts are fake. 

It’s not a new strategy. For years, fraudsters have been using all kinds of social engineering and business email compromise (BEC) tactics to trick staff into making fraudulent payments. But this particular approach appears to be gaining in popularity, and the appearance of a senior executive jumping in can lure some people into skipping their usual verification steps. Make sure your team is aware of the tactic and that they follow necessary checks before processing payment requests. 

ACCC report: companies lost $224m to BECs in 2022

In its latest Targeting Scams report, the Australian Competition and Consumer Commission found that Australians lost a staggering $3.1 billion to scams in 2022, an 80% increase compared to 2021.

And the scam that impacted businesses the most? Payment redirection scams, also known as business email compromise (BEC). The ACCC says that the amount of money lost to these scams increased by 73% since the previous year, but it also estimates that only 13% of victims report to Scamwatch. Across reporting from Scamwatch, ReportCyber and the AFCX, combined losses from BEC totaled $224 million.

However, the report also estimated that 30% of victims don’t report scams at all, so it’s unclear just how vast (and costly) the problem might be.

HWL Ebsworth faces random demands

ALPHV ransomware group is demanding payment after it claims to have stolen a four-terabyte dataset from Australian law firm HWL Ebsworth. This includes a wide range of internal and employee data, such as financial reports, accounting data, loans data and insurance agreements.

Crucially, it also includes client data, including credit card information and financial data. To further pressure the firm into paying the ransom, the Russia-linked hacker group is likely to drip-feed data onto the dark web, similar to what happened during Medibank’s breach. 

The AFR is reporting that a forensic report connects the breach to an employee’s personal device – a stark reminder that human error still outweighs almost every other cyber risk.